		Official Journal
		No	page	date
►M1	COMMISSION DECISION of 29 November 2001	L 317	1	3.12.2001
►M5	COMMISSION DECISION of 5 December 2001	L 345	94	29.12.2001
►M6	COMMISSION DECISION of 23 January 2002	L 21	23	24.1.2002
M7	COMMISSION DECISION of 26 March 2003	L 92	14	9.4.2003
►M8	COMMISSION DECISION of 7 July 2004	L 251	9	27.7.2004
M9	COMMISSION DECISION of 15 November 2005	L 347	83	30.12.2005
►M10	COMMISSION DECISION of 23 December 2005	L 19	20	24.1.2006
►M11	COMMISSION DECISION of 15 December 2006	L 32	144	6.2.2007
►M12	COMMISSION DECISION of 30 April 2008	L 140	22	30.5.2008
►M13	COMMISSION DECISION of 24 February 2010	L 55	60	5.3.2010
►M14	COMMISSION DECISION of 9 November 2011	L 296	58	15.11.2011

▼B

RULES OF PROCEDURE OF THE COMMISSION

(C(2000) 3614)

THE COMMISSION OF THE EUROPEAN COMMUNITIES,

Having regard to the Treaty establishing the European Coal and Steel Community, and in particular Article 16 thereof,

Having regard to the Treaty establishing the European Community, and in particular Article 218(2) thereof,

Having regard to the Treaty establishing the European Atomic Energy Community, and in particular, Article 131 thereof,

Having regard to the Treaty on European Union, and in particular Articles 28(1) and 41(1) thereof,

HAS ADOPTED THESE RULES OF PROCEDURE:

▼M13

CHAPTER I

THE COMMISSION

Article 1

The principle of collective responsibility

The Commission shall act collectively in accordance with these Rules of Procedure and in compliance with the priorities which it has set in the context of the political guidelines laid down by the President in accordance with Article 17(6) TEU.

Article 2

Political guidelines, priorities, work programme and budget

In compliance with the political guidelines laid down by the President, the Commission shall establish its priorities and reflect them in its work programme and the draft budget which it shall adopt each year.

Article 3

The President

1. The President shall lay down the political guidelines within which the Commission shall exercise its functions ( 1 ). The President shall steer the work of the Commission in order to ensure it is carried out.

2. The President shall decide on the internal organisation of the Commission, ensuring that it acts consistently, efficiently and as a collegiate body ( 2 ).

Without prejudice to Article 18(4) TEU, the President shall assign to Members of the Commission special fields of activity with regard to which they are specifically responsible for the preparation of Commission work and the implementation of its decisions ( 3 ).

The President may ask Members of the Commission to carry out specific tasks with a view to ensuring that the political guidelines that he has laid down and the priorities set by the Commission are implemented.

He may change these assignments at any time ( 4 ).

The Members of the Commission shall carry out the duties devolved to them by the President under his authority (4) .

3. The President shall appoint Vice-Presidents, other than the High Representative of the Union for Foreign Affairs and Security Policy, from among the Members of the Commission ( 5 ), and shall draw up the order of precedence within the Commission.

4. The President may set up groups of Members of the Commission, designating their chairpersons, setting their mandate and operating procedures, and deciding on their membership and term.

5. The President shall represent the Commission. He shall designate the Members of the Commission to assist him in this task.

6. Without prejudice to Article 18(1) TEU, a member of the Commission shall resign if the President so requests ( 6 ).

Article 4

Decision-making procedures

Commission decisions shall be taken:

(a) at Commission meetings by oral procedure in accordance with Article 8 of these Rules of Procedure; or

(b) by written procedure in accordance with Article 12 of these Rules of Procedure; or

(d) by delegation procedure in accordance with Article 14 of these Rules of Procedure.

SECTION 1

Commission meetings

Article 5

Convening Commission meetings

1. Meetings of the Commission shall be convened by the President.

2. The Commission shall, as a general rule, meet at least once a week. It shall hold additional meetings whenever necessary.

3. Members of the Commission shall be required to attend all meetings. If a Member of the Commission is unable to attend a meeting, they shall inform the President in good time of the reasons for their absence. The President shall judge whether Members may be released from these requirements in certain circumstances.

Article 6

Agenda of Commission meetings

1. The President shall adopt the agenda of each Commission meeting.

2. Without prejudice to the prerogative of the President to adopt the agenda, any proposal involving significant expenditure must be presented in agreement with the Member of the Commission responsible for the budget.

3. If a Member of the Commission proposes the inclusion of an item on the agenda, the President must be notified as prescribed by the Commission in the implementing rules referred to in Article 28 of these Rules of Procedure, hereinafter referred to as ‘the implementing rules’.

4. The agenda and the necessary documents shall be circulated to the Members of the Commission as prescribed in accordance with the implementing rules.

5. The Commission may, on a proposal from the President, discuss any question which is not on the agenda or for which the necessary documents have been distributed late.

Article 7

Quorum

The number of Members whose presence is necessary to constitute a quorum shall be equal to a majority of the number of Members specified in the Treaty.

Article 8

Decision-making

1. The Commission shall take decisions on the basis of proposals from one or more of its Members.

2. A vote shall be taken if any Member so requests. The vote may be on the original draft text or on an amended draft text by the Member or Members responsible for the initiative or by the President.

3. Commission decisions shall be adopted if a majority of the number of Members specified in the Treaty vote in favour.

4. The President shall formally note the outcome of discussions, which shall be recorded in the minutes of the meeting provided for in Article 11 of these Rules of Procedure.

Article 9

Confidentiality

Meetings of the Commission shall not be public. Discussions shall be confidential.

Article 10

Attendance of officials or other persons

1. Unless the Commission decides otherwise, the Secretary-General and the President’s Head of Cabinet shall attend meetings. The circumstances in which other persons may attend Commission meetings shall be determined in accordance with the implementing rules.

2. In the absence of a Member of the Commission, his Head of Cabinet may attend the meeting and, at the invitation of the President, state the views of the absent Member.

3. The Commission may decide to hear any other person.

Article 11

Minutes

1. Minutes shall be taken of all meetings of the Commission.

2. The draft minutes shall be submitted to the Commission for approval at a subsequent meeting. The approved minutes shall be authenticated by the signatures of the President and the Secretary-General.

SECTION 2

Other decision-making procedures

Article 12

Decisions taken by written procedure

1. The agreement of the Members of the Commission to a draft text from one or more of its Members may be obtained by means of written procedure, provided that the approval of the Legal Service and the agreement of the departments consulted in accordance with Article 23 of these Rules of Procedure has been obtained.

Such approval and/or agreement may be replaced by an agreement between the Members of the Commission where a meeting of the College has decided, on a proposal from the President, to open a finalisation written procedure as provided for in the implementing rules.

2. For this purpose, the draft text shall be circulated in writing to all Members of the Commission as laid down by it in accordance with the implementing rules, with a time limit within which Members must make known any reservations they may have or amendments they wish to make.

3. Any Member of the Commission may, in the course of the written procedure, request that the draft text be discussed. He shall send a reasoned request to that effect to the President.

4. A draft text on which no Member has made and maintained a request for suspension up to the time limit set for the written procedure shall stand adopted by the Commission.

▼M14

5. Any Member of the Commission wishing to suspend a written procedure in the field of coordination and surveillance of the economic and budgetary policies of the Member States, in particular of the euro area, shall send a reasoned request to that effect to the President, explicitly indicating the aspects of the draft decision to which it relates, based on an impartial and objective assessment of the timing, structure, reasoning or result of the proposed decision.

If the President considers that the reasons given are not well-founded, and if the request for suspension is maintained, he or she may refuse to allow the suspension and may decide that the written procedure shall continue; in that case, the Secretary-General shall ask the other Members of the Commission for their position to ensure that the quorum laid down in Article 250 of the Treaty on the Functioning of the European Union has been met. The President may also include the item on the agenda of the next Commission meeting with a view to its adoption.

▼M13

Article 13

Decision taken by empowerment procedure

1. The Commission may, provided the principle of collective responsibility is fully respected, empower one or more of its Members to take management or administrative measures on its behalf and subject to such restrictions and conditions as it shall impose.

2. The Commission may also instruct one or more of its Members to adopt, with the agreement of the President, the definitive text of any instrument or of any proposal to be presented to the other institutions, the substance of which has already been determined in discussion.

3. Powers conferred in this way may be subdelegated to the Directors-General and Heads of Department unless this is expressly prohibited in the empowering decision.

4. The provisions of paragraphs 1, 2 and 3 shall be without prejudice to the rules concerning delegation in respect of financial matters or the powers conferred on the appointing authority and the authority empowered to conclude contracts of employment.

Article 14

Decisions taken by delegation procedure

The Commission may, provided the principle of collective responsibility is fully respected, delegate the adoption of management or administrative measures to the Directors-General and Heads of Department, acting on its behalf and subject to such restrictions and conditions as it shall impose.

Article 15

Subdelegation for individual decisions awarding grants and contracts

The Director-General or Head of Department who has received delegated or subdelegated powers under Articles 13 and 14 for the adoption of financing decisions may decide to subdelegate certain decisions selecting projects and certain individual decisions awarding grants and public procurement contracts to the competent Director or, in agreement with the Member of the Commission responsible, to the competent Head of Unit, subject to the restrictions and conditions laid down in the implementing rules.

Article 16

Information concerning decisions adopted

Decisions adopted by written procedure, empowerment procedure or delegation procedure shall be recorded in a day note or week note which shall be recorded in the minutes of the next Commission meeting.

SECTION 3

Provisions common to all decision-making procedures

Article 17

Authentication of instruments adopted by the Commission

1. Instruments adopted by the Commission in the course of a meeting, in the authentic language or languages, shall be attached to a summary note prepared during the meeting at which they were adopted in such a way that they cannot be separated from it. They shall be authenticated by the signatures of the President and the Secretary-General on the last page of the summary note.

2. The non-legislative instruments of the Commission referred to in Article 297(2) TFEU and adopted by written procedure shall be authenticated by the signatures of the President and the Secretary-General on the last page of the summary note referred to in the preceding paragraph, unless these instruments must be published and enter into force before the date of the next meeting of the Commission. For the purposes of authentication, copies of the day notes referred to in Article 16 of these Rules of Procedure shall be attached to the summary note referred to in the preceding paragraph in such a way that they cannot be separated from it.

The other instruments adopted by written procedure and the instruments adopted by empowerment procedure in accordance with Article 12, Article 13(1) and (2) of these Rules of Procedure shall be attached, in the authentic language or languages, to the day note referred to in Article 16 of these Rules of Procedure in such a way that they cannot be separated from it. They shall be authenticated by the signature of the Secretary-General on the last page of the day note.

3. Instruments adopted by delegation procedure or by subdelegation shall be attached in the authentic language or languages, in such a way that they cannot be separated, by the computer application provided for that purpose, to the day note referred to in Article 16 of these Rules of Procedure. They shall be authenticated by a certifying statement signed by the official to whom the powers have been delegated or subdelegated in accordance with Article 13(3), Articles 14 and 15 of these Rules of Procedure.

4. For the purposes of these Rules of Procedure, ‘instrument’ means any instrument referred to in Article 288 TFEU.

5. For the purposes of these Rules of Procedure, ‘authentic language or languages’ means the official languages of the European Union, without prejudice to the application of Council Regulation (EC) No 920/2005 ( 7 ), in the case of instruments of general application, and the language or languages of those to whom they are addressed, in other cases.

SECTION 4

Preparation and implementation of Commission decisions

Article 18

Groups of Members of the Commission

Groups of Members of the Commission shall contribute to the coordination and preparation of the work of the Commission in accordance with the political guidelines and mandate laid down by the President.

Article 19

Members’ cabinets and relations with departments

1. Members of the Commission shall have their own cabinet to assist them in their work and in preparing Commission decisions. The rules governing the composition and operation of the cabinets shall be laid down by the President.

2. In compliance with the principles laid down by the President, Members of the Commission shall approve their working arrangements with the departments for which they are responsible. In particular, these arrangements must specify the way in which Members of the Commission give instructions to the departments concerned, which will regularly provide them with all the information on their area of activity necessary for them to exercise their responsibilities.

Article 20

The Secretary-General

1. The Secretary-General shall assist the President so that, in the context of the political guidelines laid down by the President, the Commission achieves the priorities that it has set.

2. The Secretary-General shall also help to ensure political consistency by organising the necessary coordination between departments at the start of the preparatory stages, in accordance, inter alia, with Article 23 of these Rules of Procedure.

He shall see that documents submitted to the Commission are of good quality in terms of substance and comply with the rules as to form and, in this context, shall help to ensure that they are consistent with the principles of subsidiarity and proportionality, external obligations, interinstitutional considerations and the Commission’s communication strategy.

3. The Secretary-General shall assist the President in preparing the proceedings and conducting the meetings of the Commission.

He shall also assist the Members chairing groups of Members set up under Article 3(4) of these Rules of Procedure in preparing and conducting their meetings. He shall provide the secretariat of these groups.

4. The Secretary-General shall ensure that decision-making procedures are properly implemented and that effect is given to the decisions referred to in Article 4 of these Rules of Procedure.

In particular, except in specific cases, he shall take the necessary steps to ensure that Commission instruments are officially notified to those concerned and are published in the Official Journal of the European Union and that documents of the Commission and its departments are transmitted to the other institutions of the European Union and to the national parliaments.

He shall be responsible for distributing written information that the Members of the Commission wish to circulate within the Commission.

5. The Secretary-General shall be responsible for official relations with the other institutions of the European Union, subject to any decisions by the Commission to exercise any function itself or to assign it to its Members or departments.

In this context, he shall help to ensure overall consistency by providing coordination between departments during procedures involving other institutions.

6. The Secretary-General shall ensure that appropriate information is given to the Commission concerning the progress made on internal and interinstitutional procedures.

CHAPTER II

COMMISSION DEPARTMENTS

Article 21

Structure of departments

The Commission shall establish a number of Directorates-General and equivalent departments forming a single administrative service to assist it in the preparation and performance of its tasks, and in the implementation of its priorities and the political guidelines laid down by the President.

The Directorates-General and equivalent departments shall normally be divided into directorates, and directorates into units.

Article 22

Creation of specific functions and structures

In special cases the President may set up specific functions or structures to deal with particular matters and shall determine their responsibilities and method of operation.

Article 23

Cooperation and coordination between departments

1. In order to ensure the effectiveness of Commission action, departments shall work in close cooperation and in coordinated fashion from the outset in the preparation and implementation of Commission decisions.

2. The department responsible for preparing an initiative shall ensure from the beginning of the preparatory work that there is effective coordination between all the departments with a legitimate interest in the initiative by virtue of their powers or responsibilities or the nature of the subject.

3. Before a document is submitted to the Commission, the department responsible shall, in accordance with the implementing rules, consult the departments with a legitimate interest in the draft text in sufficient time.

4. The Legal Service shall be consulted on all drafts or proposals for legal instruments and on all documents which may have legal implications.

The Legal Service must always be consulted before initiating any of the decision-making procedures provided for in Articles 12, 13 and 14 of these Rules of Procedure, except for decisions concerning standard instruments where its agreement has already been secured (repetitive instruments). Such consultation is not required for the decisions referred to in Article 15 of these Rules of Procedure.

5. The Secretariat-General shall be consulted on all initiatives which:

— are subject to approval by oral procedure, without prejudice to personnel questions concerning individual members of staff, or

— are of political importance, or

— are part of the Commission’s annual work programme or the programming instrument in force, or

— concern institutional issues, or

— are subject to impact assessment or public consultation,

and for any joint position or initiative that may commit the Commission vis-à-vis other institutions or bodies.

▼M14

5a. The Directorate-General responsible for economic and financial affairs must be consulted on all initiatives relating to or having a potential impact on growth, competitiveness or economic stability in the European Union or in the euro area.

▼M13

6. With the exception of the decisions referred to in Article 15 of these Rules of Procedure, the Directorate-General responsible for the budget and the Directorate-General responsible for human resources and security shall be consulted on all documents which may have implications for the budget and finances or for personnel and administration respectively. The department responsible for combating fraud shall likewise be consulted where necessary.

7. The department responsible shall endeavour to frame a proposal that has the agreement of the departments consulted. In the event of a disagreement it shall append to its proposal the differing views expressed by these departments, without prejudice to Article 12 of these Rules of Procedure.

CHAPTER III

DEPUTISING

Article 24

Continuity of service

The Members of the Commission and the departments shall ensure they take all appropriate measures to ensure continuity of service, in compliance with the provisions adopted for that purpose by the Commission or the President.

Article 25

Deputising for the President

Where the President is prevented from exercising his functions, they shall be exercised by one of the Vice-Presidents or Members in the order laid down by the President.

Article 26

Deputising for the Secretary-General

Where the Secretary-General is prevented from exercising his functions, or where the post is vacant, they shall be exercised by the Deputy Secretary-General present with the highest grade or, in the event of equal grade, by the Deputy Secretary-General with the greatest seniority in the grade or, in the event of equal seniority, by the eldest or by an official designated by the Commission.

If there is no Deputy Secretary-General present and no official has been designated by the Commission, the subordinate official present in the highest function group with the highest grade or, in the event of equal grade, the subordinate official with the greatest seniority in the grade or, in the event of equal seniority, the one who is eldest, shall deputise.

Article 27

Deputising for hierarchical superiors

1. Where a Director-General is prevented from exercising his functions, or where the post is vacant, they shall be exercised by the Deputy Director-General present with the highest grade or, in the event of equal grade, by the Deputy Director-General with the greatest seniority within the grade or, in the event of equal seniority, by the eldest or by an official designated by the Commission.

If there is no Deputy Director-General present and no official has been designated by the Commission, the subordinate official present in the highest function group with the highest grade or, in the event of equal grade, the subordinate official with the greatest seniority in the grade or, in the event of equal seniority, the one who is eldest, shall deputise.

2. Where a Head of Unit is prevented from exercising his functions, or where the post is vacant, they shall be exercised by the Deputy Head of Unit or an official designated by the Director-General.

If there is no Deputy Head of Unit present and no official has been designated by the Commission, the subordinate official present in the highest function group with the highest grade or, in the event of equal grade, the subordinate official with the greatest seniority in the grade or, in the event of equal seniority, the one who is eldest, shall deputise.

3. Where any other hierarchical superior is prevented from exercising his duties, or where the post is vacant, the Director-General shall designate an official in agreement with the Member of the Commission responsible. If no replacement has been designated, the subordinate official present in the highest function group with the highest grade, or in the event of equal grade, the subordinate official with the greatest seniority in the grade or, in the event of equal seniority, the one who is eldest, shall deputise.

CHAPTER IV

FINAL PROVISIONS

Article 28

The Commission shall, as necessary, lay down implementing rules to give effect to these Rules of Procedure.

The Commission may adopt supplementary measures relating to the functioning of the Commission and of its departments, taking into account developments in technology and information technology.

Article 29

These Rules of Procedure shall enter into force on the day following their publication in the Official Journal of the European Union.

▼B

ANNEX

CODE OF GOOD ADMINISTRATIVE BEHAVIOUR FOR STAFF OF THE EUROPEAN COMMISSION IN THEIR RELATIONS WITH THE PUBLIC

Quality service

The Commission and its staff have a duty to serve the Community interest and, in so doing, the public interest.

The public legitimately expects quality service and an administration that is open, accessible and properly run.

Quality service calls for the Commission and its staff to be courteous, objective and impartial.

Purpose

In order to enable the Commission to meet its obligations of good administrative behaviour and in particular in the dealings that the Commission has with the public, the Commission undertakes to observe the standards of good administrative behaviour set out in this Code and to be guided by these in its daily work.

Scope

The Code is binding on all staff covered by the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Communities (hereinafter referred to as the ‘Staff Regulations’) and the other provisions on relations between the Commission and its staff that are applicable to officials and other servants of the European Communities. However, persons employed under private law contracts, experts on secondment from national civil services and trainees, etc. working for the Commission should also be guided by it in their daily work.

Relations between the Commission and its staff are governed exclusively by the Staff Regulations.

1. GENERAL PRINCIPLES

The Commission respects the following general principles in its relations with the public:

Lawfulness

The Commission acts in accordance with the law and applies the Rules and Procedures laid down in Community legislation.

Non-discrimination and equal treatment

The Commission respects the principle of non-discrimination and in particular, guarantees equal treatment for members of the public irrespective of nationality, gender, racial or ethnic origin, religion or beliefs, disability, age or sexual orientation. Thus, differences in treatment of similar cases must be specifically warranted by the relevant features of the particular case in hand.

Proportionality

The Commission ensures that the measures taken are proportional to the aim pursued.

In particular, the Commission will ensure that the application of this Code never leads to the imposition of administrative or budgetary burdens out of proportion to the benefit expected.

Consistency

The Commission shall be consistent in its administrative behaviour and shall follow its normal practice. Any exceptions to this principle must be duly justified.

2. GUIDELINES FOR GOOD ADMINISTRATIVE BEHAVIOUR

Objectivity and impartiality

Staff shall always act objectively and impartially, in the Community interest and for the public good. They shall act independently within the framework of the policy fixed by the Commission and their conduct shall never be guided by personal or national interest or political pressure.

Information on administrative procedures

Where a member of the public requires information relating to a Commission administrative procedure, staff shall ensure that this information is provided within the deadline fixed for the relevant procedure.

3. INFORMATION ON THE RIGHTS OF INTERESTED PARTIES

Listening to all parties with a direct interest

Where Community law provides that interested parties should be heard, staff shall ensure that an opportunity is given to them to make their views known.

Duty to justify decisions

A Commission decision should clearly state the reasons on which it is based and should be communicated to the persons and parties concerned.

As a general rule, full justification for decisions should be given. However, where it may not be possible, for example because of the large number of persons concerned by similar decisions, to communicate in detail the grounds of individual decisions, standard replies may be given. These standard replies should include the principal reasons justifying the decision taken. Furthermore, an interested party who expressly requests a detailed justification shall be provided with it.

Duty to state arrangements for appeals

Where Community law so provides, decisions notified shall clearly state that an appeal is possible and describe how to submit it, (the name and office address of the person or department with whom the appeal must be lodged and the deadline for lodging it).

Where appropriate, decisions should refer to the possibility of starting judicial proceedings and/or of lodging a complaint with the European Ombudsman in accordance with Article 230 or 195 of the Treaty establishing the European Community.

4. DEALING WITH INQUIRIES

The Commission undertakes to answer enquiries in the most appropriate manner and as quickly as possible.

Requests for documents

If a document has already been published, the person making the enquiry should be directed to the sales agents of the Office for Official Publications of the European Communities or to the documentation or information centres which provide free access to documents, such as Info-Points, European documentation centres, etc. Many documents are also easily accessible in electronic form.

The rules on access to documents are laid down in a specific measure.

Correspondence

In accordance with Article 21 of the Treaty establishing the European Community, the Commission shall reply to letters in the language of the initial letter, provided that it was written in one of the official languages of the Community.

A reply to a letter addressed to the Commission shall be sent within 15 working days from the date of receipt of the letter by the responsible Commission department. The reply should identify the person responsible for the matter and state how he or she may be contacted.

If a reply cannot be sent within 15 working days, and in all cases where the reply requires other work on it, such as interdepartmental consultation or translation, the member of staff responsible should send a holding reply, indicating a date by which the addressee may expect to be sent a reply in the light of this additional work, taking into account the relative urgency and complexity of the matter.

If the reply is to be drawn up by a department other than the one to which the initial correspondence is addressed, the person making the enquiry should be informed of the name and office address of the person to whom the letter has been passed.

These rules do not apply to correspondence which can reasonably be regarded as improper, for example because it is repetitive, abusive and/or pointless. Then the Commission reserves the right to discontinue any such exchanges of correspondence.

Telephone communication

When answering the telephone, staff shall identify themselves or their department. They shall return telephone calls as promptly as possible.

Staff replying to enquiries shall provide information on subjects for which they have direct responsibility and should direct the caller to the specific appropriate source in other cases. If necessary, they should refer callers to their superior or consult him or her before giving the information.

Where enquiries concern areas for wich staff are directly responsible, they shall establish the identity of the caller and check whether the information has already been made public before giving it out. If this is not the case, the member of staff may consider that it is not in the Community interest for the information to be disclosed. In this case he or she should explain why they are unable to disclose it and refer in appropriate cases to the obligation to exercise discretion as laid down in Article 17 of the Staff Regulations.

When appropriate, staff should request confirmation in writing of the enquiries made by telephone.

Electronic mail

Staff shall reply to e-mail messages promptly following the guidelines described in the section on telephone communication.

However, where the e-mail message is, by its nature, the equivalent of a letter, it shall be handled according to the guidelines for handling correspondence and shall be subject to the same deadlines.

Requests from the media

The Press and Communication Service is responsible for contacts with the media. However, when requests for information from the media concern technical subjects falling within their specific areas of responsibility, staff may answer them.

5. PROTECTION OF PERSONAL DATA AND CONFIDENTIAL INFORMATION

The Commission and its staff shall respect, in particular:

— the rules on the protection of personal privacy and personal data,

— the obligations set out in Article 287 of the Treaty establishing the European Community and in particular those which relate to professional secrecy,

— the rules on secrecy in criminal investigations,

— the confidentiality of matters falling within the ambit of the various committees and bodies provided for in Article 9 of and Annexes II and III to the Staff Regulations.

6. COMPLAINTS

The European Commission

Complaints may be lodged concerning a possible breach of the principles set out in this Code directly with the Secretariat-General ( 8 ) of the European Commission, which shall forward it to the relevant department.

The Director-General or head of Department shall reply to the complainant in writing, within two months. The complainant then has one month in which to apply to the Secretary-General of the European Commission to review the outcome of the complaint. The Secretary-General shall reply to the request for a review within one month.

The European Ombudsman

Complaints may also be lodged with the European Ombudsman in accordance with Article 195 of the Treaty establishing the European Community and the Statute of the European Ombudsman.

▼M1

COMMISSION PROVISIONS ON SECURITY

Whereas:

(1)

In order to develop Commission activities in areas which require a degree of confidentiality, it is appropriate to establish a comprehensive security system applicable to the Commission, the other institutions, bodies, offices and agencies established by virtue or on the basis of the EC Treaty or the Treaty on European Union, the Member States, as well as any other recipient of European Union classified information, hereafter referred to as ‘EU classified information’.

(2)	In order to safeguard the effectiveness of the security system thus established, the Commission will make EU classified information available only to those outside bodies which offer guarantees that they have taken all measures necessary to apply rules strictly equivalent to these provisions.

(3)

These provisions are taken without prejudice to Regulation No 3 of 31 July 1958 implementing Article 24 of the Treaty establishing the European Atomic Energy Community ( 9 ), to Council Regulation (EC) No 1588/90 of 11 June 1990 on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities ( 10 ) and to Commission Decision C (95) 1510 final of 23 November 1995 on the protection of informatics systems.

(4)	The Commission's security system is based on the principles put forward in Council Decision 2001/264/EC of 19 March 2001 adopting the Council's security regulations ( 11 ) with a view to ensuring a smooth functioning of the decision-making process of the Union.

(5)	The Commission underlines the importance of associating, where appropriate, the other institutions with the rules and standards of confidentiality which are necessary in order to protect the interests of the Union and its Member States.

(6)	The Commission recognises the need to create its own concept of security, taking into consideration all elements of security and the specific character of the Commission as an institution.

(7)	These provisions are taken without prejudice to Article 255 of the Treaty and to Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents ( 12 );

▼

(8)

These provisions are without prejudice to Article 286 of the Treaty and to Regulation (EC) 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data.

▼M1

Article 1

The Commission's rules on security are set out in the Annex.

Article 2

1. The Member of the Commission responsible for security matters shall take appropriate measures to ensure that, when handling EU classified information, the rules referred to in Article 1 are respected within the Commission by Commission officials and other servants, by personnel seconded to the Commission, as well as within all Commission premises, including its Representations and Offices in the Union and its Delegations in third countries and by contractors external to the Commission.

▼

When a contract or grant agreement between the Commission and an external contractor or beneficiary involves the processing of EU classified information in the contractor's or beneficiary's premises, the appropriate measures to be taken by the said external contractor or beneficiary to ensure that the rules referred to in Article 1 are complied with, when handling EU classified information, shall be an integral part of the contract or grant agreement.

▼M1

2. Member States, other institutions, bodies, offices and agencies established by virtue or on the basis of the Treaties shall be allowed to receive EU classified information on the condition that they ensure that, when EU classified information is handled, rules strictly equivalent to those referred to in Article 1 are respected within their services and premises, in particular by:

(a) members of Member States' permanent representations to the European Union as well as by members of national delegations attending meetings of the Commission or of its bodies, or participating in other Commission activities,

(b) other members of the Member States' national administrations handling EU classified information, whether they serve in the territory of the Member States or abroad,

Article 3

Third states, international organisations and other bodies shall be allowed to receive EU classified information on the condition that they ensure that, when such information is handled, rules strictly equivalent to those referred to in Article 1 are respected.

Article 4

In keeping with the basic principles and minimum standards of security contained in Part I of the Annex, the Member of the Commission responsible for security matters may take measures in accordance with Part II of the Annex.

Article 5

As from the date of their application, these provisions shall replace:

(a) Commission Decision C (94) 3282 of 30 November 1994 on the security measures applicable to classified information produced or transmitted in connection with activities of the European Union;

(b) Commission Decision C (99) 423 of 25 February 1999 relating to the procedures whereby officials and other employees of the European Commission may be allowed access to classified information held by the Commission.

Article 6

As from the date of application of these provisions, all classified information held by the Commission until that date, with the exception of Euratom classified information, shall:

(a) if created by the Commission, be considered to be reclassified ‘ ► RESTREINT UE ◄ ’ by default, unless its author decides to give it another classification by 31 January 2002. In such case the author shall inform all addressees of the document concerned;

(b) if created by authors outside the Commission, retain its original classification and thus be treated as EU classified information of the equivalent level, unless the author agrees to declassification or downgrading of the information.

ANNEX

RULES ON SECURITY

Contents
PART I:	BASIC PRINCIPLES AND MINIMUM STANDARDS OF SECURITY
1.	INTRODUCTION
2.	GENERAL PRINCIPLES
3.	FOUNDATIONS OF SECURITY
4.	PRINCIPLES OF INFORMATION SECURITY
4.1.	Objectives
4.2.	Definitions
4.3.	Classification
4.4.	Aims of security measures
5.	ORGANISATION OF SECURITY
5.1.	Common minimum standards
5.2.	Organisation
6.	SECURITY OF PERSONNEL
6.1.	Clearance of personnel
6.2.	Records of personnel clearances
6.3.	Security instruction of personnel
6.4.	Management responsibilities
6.5.	Security status of personnel
7.	PHYSICAL SECURITY
7.1.	Need for protection
7.2.	Checking
7.3.	Security of buildings
7.4.	Contingency plans
8.	SECURITY OF INFORMATION
9.	COUNTER-SABOTAGE AND CONTROL OF OTHER FORMS OF MALICIOUS WILFUL DAMAGE
10.	RELEASE OF CLASSIFIED INFORMATION TO THIRD STATES OR INTERNATIONAL ORGANISATIONS
PART II:	THE ORGANISATION OF SECURITY IN THE COMMISSION
11.	THE MEMBER OF THE COMMISSION RESPONSIBLE FOR SECURITY MATTERS
12.	THE COMMISSION SECURITY POLICY ADVISORY GROUP
13.	THE COMMISSION SECURITY BOARD
14.	THE ► COMMISSION SECURITY DIRECTORATE ◄
15.	SECURITY INSPECTIONS
16.	CLASSIFICATIONS, SECURITY DESIGNATORS AND MARKINGS
16.1.	Levels of classification
16.2.	Security designators
16.3.	Markings
16.4.	Affixing of classification
16.5.	Affixing of security designators
17.	CLASSIFICATION MANAGEMENT
17.1.	General
17.2.	Application of classifications
17.3.	Downgrading and declassification
18.	PHYSICAL SECURITY
18.1.	General
18.2.	Security requirements
18.3.	Physical security measures
18.3.1.	Security areas
18.3.2.	Administrative area
18.3.3.	Entry and exit controls
18.3.4.	Guard patrols
18.3.5.	Security containers and strong rooms
18.3.6.	Locks
18.3.7.	Control of keys and combinations
18.3.8.	Intrusion detection devices
18.3.9.	Approved equipment
18.3.10.	Physical protection of copying and telefax machines
18.4.	Protection against overlooking and eavesdropping
18.4.1.	Overlooking
18.4.2.	Eavesdropping
18.4.3.	Introduction of electronic and recording equipment
18.5.	Technically secure areas
19.	GENERAL RULES ON THE NEED TO KNOW PRINCIPLE AND EU PERSONAL SECURITY CLEARANCES
19.1.	General
19.2.	Specific rules on access to ► TRES SECRET UE/EU TOP SECRET ◄ information
19.3.	Specific rules on access to ► SECRET UE ◄ and ► CONFIDENTIEL UE ◄ information
19.4.	Specific rules on access to ► RESTREINT UE ◄ information
19.5.	Transfers
19.6.	Special instructions
20.	SECURITY CLEARANCE PROCEDURE FOR COMMISSION OFFICIALS AND OTHER EMPLOYEES
21.	PREPARATION, DISTRIBUTION, TRANSMISSION, COURRIER PERSONAL SECURITY AND EXTRA COPIES OR TRANSLATIONS AND EXTRACTS OF EU CLASSIFIED DOCUMENTS
21.1.	Preparation
21.2.	Distribution
21.3.	Transmission of EU classified documents
21.3.1.	Packaging, receipts
21.3.2.	Transmission within a building or group of buildings
21.3.3.	Transmission within a country
21.3.4.	Transmission from one State to another
21.3.5.	Transmission of ► RESTREINT UE ◄ documents
21.4.	Courier personnel security
21.5.	Electronic and other means of technical transmission
21.6.	Extra copies and translations of and extracts from EU classified documents
22.	EUCI REGISTRIES, MUSTERS, CHECKS, ARCHIVE STORAGE AND DESTRUCTION OF EUCI
22.1.	Local EUCI Registries
22.2.	The ► TRES SECRET UE/EU TOP SECRET ◄ Registry
22.2.1.	General
22.2.2.	The Central ► TRES SECRET UE/EU TOP SECRET ◄ Registry
22.2.3.	► TRES SECRET UE/EU TOP SECRET ◄ sub-registries
22.3.	Inventories, musters and checks of EU classified documents
22.4.	Archive storage of EU classified documents
22.5.	Destruction of EU classified documents
22.6.	Destruction in emergencies
23.	SECURITY MEASURES FOR SPECIFIC MEETINGS HELD OUTSIDE THE COMMISSION PREMISES AND INVOLVING EU CLASSIFIED INFORMATION
23.1.	General
23.2.	Responsibilities
23.2.1.	The ► Commission Security Directorate ◄
23.2.2.	Meeting Security Officer (MSO)
23.3	Security measures
23.3.1.	Security areas
23.3.2.	Passes
23.3.3.	Control of photographic and audio equipment
23.3.4.	Checking of briefcases, portable computers and packages
23.3.5.	Technical security
23.3.6.	Delegations' documents
23.3.7.	Safe custody of documents
23.3.8.	Inspection of offices
23.3.9.	Disposal of EU classified waste
24.	BREACHES OF SECURITY AND COMPROMISE OF EU CLASSIFIED INFORMATION
24.1.	Definitions
24.2.	Reporting breaches of security
24.3.	Legal action
25.	PROTECTION OF EU CLASSIFIED INFORMATION HANDLED IN INFORMATION TECHNOLOGY AND COMMUNICATION SYSTEMS
25.1.	Introduction
25.1.1.	General
25.1.2.	Threats to, and vulnerabilities of systems
25.1.3.	Main purpose of security measures
25.1.4.	System-specific security requirement statement (SSRS)
25.1.5.	Security modes of operation
25.2.	Definitions
25.3.	Security responsibilities
25.3.1.	General
25.3.2.	The Security accreditation authority (SAA)
25.3.3.	The INFOSEC Authority (IA)
25.3.4.	The Technical Systems Owner (TSO)
25.3.5.	The Information Owner (IO)
25.3.6.	Users
25.3.7.	INFOSEC training
25.4.	Non technical security measures
25.4.1.	Personnel security
25.4.2.	Physical security
25.4.3.	Control of access to a system
25.5.	Technical security measures
25.5.1.	Security of information
25.5.2.	Control and accountability of information
25.5.3.	Handling and control of removable computer storage media
25.5.4.	Declassification and destruction of computer storage media
25.5.5.	Communications security
25.5.6.	Installation and radiation security
25.6.	Security during handling
25.6.1.	Security operating procedures (SecOPs)
25.6.2.	Software protection/configuration management
25.6.3.	Checking for the presence of malicious software/computer viruses
25.6.4.	Maintenance
25.7.	Procurement
25.7.1.	General
25.7.2.	Accreditation
25.7.3.	Evaluation and certification
25.7.4.	Routine checking of security features for continued accreditation
25.8.	Temporary or occasional use
25.8.1.	Security of microcomputers/personal computers
25.8.2.	Use of privately-owned IT equipment for official Commission work
25.8.3.	Use of contractor-owned or nationally-supplied IT equipment for official Commission work
26.	RELEASE OF EU CLASSIFIED INFORMATION TO THIRD STATES OR INTERNATIONAL ORGANISATIONS
26.1.1.	Principles regulating the release of EU classified information
26.1.2.	Levels
26.1.3.	Security agreements
APPENDIX 1:	Comparison of national security classifications
APPENDIX 2:	Practical classification guide
APPENDIX 3:	Guidelines for the release of EU classified information to third States or international organisations: Level 1 cooperation
APPENDIX 4:	Guidelines for the release of EU classified information to third States or international organisations: Level 2 cooperation
APPENDIX 5:	Guidelines for the release of EU classified information to third States or international organisations: Level 3 cooperation
APPENDIX 6:	List of abbreviations

PART I: BASIC PRINCIPLES AND MINIMUM STANDARDS OF SECURITY

1. INTRODUCTION

These provisions lay down the basic principles and minimum standards of security to be respected in an appropriate manner by the Commission in all its places of employment, as well as by all recipients of EUCI, so that security is safeguarded and each may be assured that a common standard of protection is established.

2. GENERAL PRINCIPLES

The Commission's security policy forms an integral part of its general internal management policy and is thus based on the principles governing its general policy.

These principles include legality, transparency, accountability and subsidiarity (proportionality).

Legality indicates the need to stay strictly within the legal framework in executing security functions and the need to conform to the legal requirements. It also means that responsibilities in the domain of security have to be based on proper legal provisions. The provisions in the Staff Regulations fully apply, notably its Article 17 on the obligation of staff to exercise discretion with regard to Commission information and its Title VI on disciplinary measures. Finally it means that breaches of security within the responsibility of the Commission have to be dealt with in a manner consistent with Commission policy on disciplinary actions and with its policy on cooperation with Member States in the area of criminal justice.

Transparency indicates the need for clarity regarding all security rules and provisions, for balance between the different services and the different domains (physical security versus information protection etc.) and the need for a consistent and structured security awareness policy. It also defines a need for clear written guidelines for implementing security measures.

Accountability means that responsibilities in the domain of security will be clearly defined. Moreover it indicates the need to test regularly whether these responsibilities have been correctly executed.

Subsidiarity, or proportionality, means that security shall be organised on the lowest possible level and as close as possible to the Directorates General and services of the Commission. It also indicates that security activities shall be limited to only those elements that really need it. And finally it means that security measures shall be proportional to the interests to be protected and to the actual or potential threat to these interests, allowing for a defence which causes the least possible disruption.

3. FOUNDATIONS OF SECURITY

The foundations of sound security are:

(a) Within each Member State, a national security organisation responsible for:

1. The collection and recording of intelligence on espionage, sabotage, terrorism and other subversive activities, and

2. Providing information and advice to its governments, and through it, to the Commission, on the nature of the threats to security and the means of protection against them;

(b) Within each Member State, and within the Commission, a technical INFOSEC authority (IA) responsible for working with the security authority concerned to provide information and advice on technical threats to security and the means for protection against them;

(c) Regular collaboration among government departments and the appropriate services of the European institutions to order to establish and recommend, as appropriate:

1. What persons, information and resources need to be protected, and

2. Common standards of protection;

(d) Close cooperation between the ► Commission Security Directorate ◄ and the security services of the other European institutions and with the NATO Office of Security (NOS).

4. PRINCIPLES OF INFORMATION SECURITY

4.1. Objectives

Information security has the following principal objectives:

(a) To safeguard EU classified information (EUCI) from espionage, compromise or unauthorised disclosure;

(b) To safeguard EU information handled in communications and information systems and networks, against threats to its confidentiality, integrity and availability;

(d) In the event of failure, to assess the damage caused, limit its consequences and adopt the necessary remedial measures.

4.2. Definitions

Throughout these rules:

(a) The term ‘EU classified information’ (EUCI) means any information and material, an unauthorised disclosure of which could cause varying degrees of prejudice to EU interests, or to one or more of its Member States, whether such information originates within the EU or is received from Member States, third States or international organisations.

(b) The term ‘document’ means any letter, note, minute, report, memorandum, signal/message, sketch, photograph, slide, film, map, chart, plan, notebook, stencil, carbon, typewriter or printer ribbon, tape, cassette, computer disk, CD-ROM, or other physical medium on which information has been recorded.

(c) The term ‘material’ means ‘document’ as defined in b) and also any item of equipment, either manufactured or in the process of manufacture.

(d) The term ‘need to know’ means the need of an individual employee to have access to EU classified information in order to be able to perform a function or a task.

(e) ‘Authorisation’ means a decision by the ► Director of the Commission Security Directorate ◄ to grant an individual access to EUCI up to a specific level, on the basis of a positive result of a security screening (vetting), carried out by a National Security Authority under national law.

(f) The term ‘classification’ means the allocation of an appropriate level of security to information the unauthorised disclosure of which might cause a certain degree of prejudice to Commission or to Member State interests.

(g) The term ‘downgrading’ (déclassement) means a reduction in the level of classification.

(h) The term ‘declassification’ (déclassification) means the removal of any classification.

(i) The term ‘originator’ means the duly authorised author of a classified document. Within the Commission, Heads of departements may authorize their staff to originate EUCI.

(j) The term ‘Commission departments’ means Commission departments and services, including the cabinets, in all places of employment, including Joint Research Centre, Representations and Offices in the Union and Delegations in third countries.

4.3. Classification

(a) Where confidentiality is concerned, care and experience are needed in the selection of information and material to be protected and the assessment of the degree of protection it requires. It is fundamental that the degree of protection should correspond to the security criticality of the individual piece of information and material to be protected. In order to ensure the smooth flow of information, steps shall be taken to avoid both overclassification and underclassification.

(b) The classification system is the instrument for giving effect to these principles; a similar system of classification shall be followed in planning and organising ways to counter espionage, sabotage, terrorism and other threats so that the greatest measure of protection is given to the most important premises housing classified information and to the most sensitive points within them.

(d) The level of classification may solely be based on the content of that information.

(e) Where a number of items of information is grouped together, the classification level to be applied to the whole shall at least be as high as the highest classification. A collection of information may however be given a higher classification than its constituent parts.

(f) Classifications shall be assigned only when necessary and for as long as necessary.

4.4. Aims of security measures

The security measures shall:

(a) Extend to all persons having access to classified information, classified information-carrying media, all premises containing such information and important installations.

(b) Be designed to detect persons whose position might endanger the security of classified information and important installations housing classified information and provide for their exclusion or removal.

(d) Ensure that classified information is disseminated solely on the basis of the need-to-know principle that is fundamental to all aspects of security.

(e) Ensure the integrity (i.e. prevention of corruption or unauthorised alteration or unauthorised deletion) and the availability (i.e. access is not denied to those needing and authorised to have access) of all information, either classified or not classified, and especially of such information stored, processed or transmitted in electromagnetic form.

5. ORGANISATION OF SECURITY

5.1. Common minimum standards

The Commission shall ensure that common minimum standards of security are observed by all recipients of EUCI, inside the institution and under its competence, e.g. by all departments and contractors, so that EU classified information can be passed in the confidence that it will be handled with equal care. Such minimum standards shall include criteria for the clearance of personnel, and procedures for the protection of EU classified information.

The Commission shall only allow access of EUCI to outside bodies under the condition that they ensure that, when EUCI is handled, provisions at least strictly equivalent to these minimum standards are respected.

▼

Such minimum standards shall also be applied when the Commission confers by contract or grant agreement, tasks involving, entailing and/or containing EU classified information on industrial or other entities: these common minimum standards are contained in Section 27 of Part II.

▼M1

5.2. Organisation

Within the Commission security is organised on two levels:

(a) On the level of the Commission as a whole there is a ► Commission Security Directorate ◄ with a Security Accreditation Authority (SAA) also acting as Crypto Authority (CrA) and as TEMPEST Authority, and with an INFOSEC Authority (IA) and one or more Central EUCI Registries, each with one or more Registry Control Officer (RCO).

(b) On the level of the Commission departments, security is the responsibility of one or more Local Security Officers (LSO), one or more Central Informatics Security Officers (CISO), Local Informatics Security Officers (LISO) and Local EU Classified Information Registries with one or more Registry Control Officers.

6. SECURITY OF PERSONNEL

6.1. Clearance of personnel

All persons who require access to information classified ► CONFIDENTIEL UE ◄ or above shall be appropriately cleared before such access is authorised. Similar clearance shall be required in the case of persons whose duties involve the technical operation or maintenance of communication and information systems containing classified information. This clearance shall be designed to determine whether such individuals:

(a) Are of unquestioned loyalty;

(b) Are of such character and discretion as to cast no doubt upon their integrity in the handling of classified information, or

Particularly close scrutiny in the clearance procedures shall be given to persons:

(d) To be granted access to ► TRES SECRET UE/EU TOP SECRET ◄ information;

(e) Occupying positions involving regular access to a considerable volume of ► SECRET UE ◄ information;

(f) Whose duties give them special access to secure communication or information systems and thus the opportunity to gain unauthorised access to large amounts of EU classified information or to inflict serious damage upon the mission through acts of technical sabotage.

In the circumstances outlined in subparagraphs (d), (e) and (f), the fullest practicable use shall be made of the technique of background investigation.

When persons not having an established ‘need to know’ are to be employed in circumstances in which they may have access to EU classified information (e.g. messengers, security agents, maintenance personnel and cleaners, etc.), they shall first be appropriately security-cleared.

6.2. Records of personnel clearances

All Commission departments handling EU classified information or housing secure communication or information systems shall maintain a record of the clearances granted to the personnel assigned thereto. Each clearance shall be verified as the occasion demands to ensure that it is adequate for that person's current assignment; it shall be re-examined as a matter of priority whenever new information is received indicating that continued assignment on classified work is no longer consistent with the interests of security. The Local Security Officer of the Commission department shall hold record of the clearances within his or her domain.

6.3. Security instruction of personnel

All personnel employed in positions where they could have access to classified information shall be thoroughly instructed on taking up assignment and at regular intervals in the need for security and the procedures for accomplishing it. Such personnel are required to certify in writing that they have read and fully understand the present security provisions.

6.4. Management responsibilities

Managers shall have the duty of knowing those of their staff who are engaged in classified work or who have access to secure communication or information systems and of recording and reporting any incidents or apparent vulnerabilities, likely to have a bearing on security.

6.5. Security status of personnel

Procedures shall be established to ensure that, when adverse information becomes known concerning an individual, it is determined whether the individual is employed on classified work or has access to secure communication or information systems, and the ► Commission Security Directorate ◄ is informed. If it is established that such an individual constitutes a security risk, he or she shall be barred or removed from assignments where he or she might endanger security.

7. PHYSICAL SECURITY

7.1. Need for protection

The degree of physical security measures to be applied to ensure the protection of EU classified information shall be proportional to the classification, volume of and threat to the information and material held. All holders of EU classified information shall follow uniform practices regarding classification of that information and meet common standards of protection regarding custody, transmission and disposal of information and material requiring protection.

7.2. Checking

Before leaving areas containing EU classified information unattended, persons having custody thereof shall ensure that it is securely stored and that all security devices have been activated (locks, alarms, etc.). Further independent checks shall be carried out after working hours.

7.3. Security of buildings

Buildings housing EU classified information or secure communication and information systems shall be protected against unauthorised access. The nature of the protection afforded to EU classified information, e.g. barring of windows, locks for doors, guards at entrances, automated access control systems, security checks and patrols, alarm systems, intrusion detection systems and guard dogs, shall depend on:

(a) The classification, volume and location within the building of the information and material to be protected;

(b) The quality of the security containers for this information and material, and

The nature of the protection afforded to communication and information systems shall similarly depend upon an assessment of the value of the assets at stake and of the potential damage if security were compromised, upon the physical nature and location of the building in which the system is housed, and upon the location of the system within the building.

7.4. Contingency plans

Detailed plans shall be prepared in advance for the protection of classified information during a local or national emergency.

8. SECURITY OF INFORMATION

Information security (INFOSEC) relates to the identification and application of security measures to protect EU classified information processed, stored or transmitted in communication, information and other electronic systems against loss of confidentiality, integrity or availability, whether accidental or intentional. Adequate countermeasures shall be taken in order to prevent access to EU classified information by unauthorised users, to prevent the denial of access to EU classified information to authorised users, and to prevent corruption or unauthorised modification or deletion of EU classified information.

9. COUNTER-SABOTAGE AND CONTROL OF OTHER FORMS OF MALICIOUS WILFUL DAMAGE

Physical precautions for the protection of important installations housing classified information are the best protective security safeguards against sabotage and malicious wilful damage, and clearance of personnel alone is not an effective substitute. The competent national body shall be asked to provide intelligence regarding espionage, sabotage, terrorism and other subversive activities.

10. RELEASE OF CLASSIFIED INFORMATION TO THIRD STATES OR INTERNATIONAL ORGANISATIONS

The decision to release EU classified information originating in the Commission to a third State or international organisation shall be taken by the Commission as a college. If the originator of the information for which release is desired is not the Commission, the Commission shall first seek the originator's consent to release. If the originator cannot be established, the Commission will assume the former's responsibility.

If the Commission receives classified information from third States, from international organisations or from other third parties, that information shall be given protection appropriate to its classification and equivalent to the standards established in these provisions for EU classified information, or such higher standards as may be required by the third party releasing the information. Mutual checks may be arranged.

The above principles shall be implemented in accordance with the detailed provisions set out in Part II, Section 26, and Appendixes 3, 4 and 5.

PART II: THE ORGANISATION OF SECURITY IN THE COMMISSION

11. THE MEMBER OF THE COMMISSION RESPONSIBLE FOR SECURITY MATTERS

The Member of the Commission responsible for security matters shall:

(a) Implement the Commission's security policy;

(b) Consider security problems referred to him by the Commission or its competent bodies;

(c) Examine questions involving changes in the Commission security policy, in close liaison with the National Security (or other appropriate) Authorities of the Member States (hereinafter ‘NSA’).

In particular, the Member of the Commission responsible for security matters shall be responsible for:

(a) Co-ordinating all matters of security relating to Commission activities;

(b) Addressing to the designated authorities of the Member States requests for the NSA to provide security clearances for personnel employed in the Commission in accordance with Section 20;

(c) Investigating or ordering an investigation into any leakage of EU classified information that, on prima facie evidence, has occurred in the Commission;

(d) Requesting the appropriate security authorities to initiate investigations when a leakage of EU classified information appears to have occurred outside the Commission, and co-ordinating the enquiries when more than one security authority is involved;

(e) Carrying out periodic examinations of the security arrangements for the protection of EU classified information;

(f) Maintaining close liaison with all security authorities concerned in order to achieve overall co-ordination of security;

(g) Keeping the Commission security policy and procedures constantly under review and, as required, preparing appropriate recommendations. In this regard, the Member of the Commission responsible for security matters shall present to the Commission the annual inspection plan prepared by the ► Commission Security Directorate ◄ .

12. THE COMMISSION SECURITY POLICY ADVISORY GROUP

A Commission Security Policy Advisory Group shall be set up. It shall consist of the Member of the Commission responsible for security matters or his/her delegate, who shall have the chair, and of representatives of the NSA of each Member State. Representatives of other European institutions may also be invited. Representatives of relevant EC and EU decentralised agencies may also be invited to attend when questions concerning them are discussed.

The Commission Security Policy Advisory Group shall meet at the request of its chair or any of its members. The Group shall have the task to examine and assess all relevant security issues, and to present recommendations to the Commission as appropriate.

▼

13. THE COMMISSION SECURITY BOARD

A Commission Security Board shall be set up. It shall consist of the Director-General for Administration and Personnel, who shall have the chair, a Member of the Cabinet of the Commissioner responsible for security matters, a Member of the Cabinet of the President, the Deputy Secretary-General who chairs the Commission crisis management group, the Directors-General of the Legal Service, External Relations, Justice, Freedom and Security, the Joint Research Centre, Informatics and the Internal Audit Service and the Director of the Commission Security Directorate, or their representatives. Other Commission officials may be invited. Its remit is to assess security measures within the Commission and to make recommendations in this domain to the Member of the Commission responsible for security matters.

▼M1

14. THE ► COMMISSION SECURITY DIRECTORATE ◄

In order to fulfil the responsibilities mentioned in Section 11 the Member of the Commission responsible for security matters shall have the ► Commission Security Directorate ◄ at his or her disposal for co-ordinating, supervising and implementing security measures.

The ► Director of the Commission Security Directorate ◄ shall be the principal adviser to the Member of the Commission responsible for security matters on security matters and shall act as secretary to the Security Policy Advisory Group. In this regard he or she shall direct the updating of the security regulations and co-ordinate security measures with the competent authorities of the Member States and, as appropriate, with international organisations linked to the Commission by security agreements. To that effect, he/she shall act as a liaison officer.

The ► Director of the Commission Security Directorate ◄ shall be responsible for the accreditation of IT systems and networks within the Commission. The ► Director of the Commission Security Directorate ◄ shall decide, in agreement with the relevant NSA, on the accreditation of IT systems and networks involving the Commission on the one hand, and on the other hand any other recipient of EU classified information.

15. SECURITY INSPECTIONS

Periodic inspections of the security arrangements for the protection of EU classified information shall be carried out by the ► Commission Security Directorate ◄ .

The ► Commission Security Directorate ◄ may be assisted in this task by the security services of other EU institutions holding EUCI or by Member State National Security Authorities ( 13 ).

At the request of a Member State an inspection of EUCI can be conducted by its NSA within the Commission, jointly with the ► Commission Security Directorate ◄ and in mutual agreement.

16. CLASSIFICATIONS, SECURITY DESIGNATORS AND MARKINGS

16.1. Levels of classification ( 14 )

Information is classified at the following levels (see also, Appendix 2):

► TRES SECRET UE/EU TOP SECRET ◄ : This classification shall be applied only to information and material the unauthorised disclosure of which could cause exceptionally grave prejudice to the essential interests of the European Union or of one or more of its Member States.

► SECRET UE ◄ : This classification shall be applied only to information and material the unauthorised disclosure of which could seriously harm the essential interests of the European Union or of one or more of its Member States.

► CONFIDENTIEL UE ◄ : This classification shall be applied to information and material the unauthorised disclosure of which could harm the essential interests of the European Union or of one or more of its Member States.

► RESTREINT UE ◄ : This classification shall be applied to information and material the unauthorised disclosure of which could be disadvantageous to the interests of the European Union or of one or more of its Member States.

No other classifications are permitted.

16.2. Security designators

To set limits to the validity of a classification (for classified information signifying automatic downgrading or declassification) an agreed security designator may be used. This designator shall either be ‘UNTIL …(time/date)’ or ‘UNTIL …(event)’.

Additional security designators such as CRYPTO or any other EU-recognised security designator, shall apply where there is a need for limited distribution and special handling in addition to that designated by the security classification.

Security designators shall only be used in combination with a classification.

16.3. Markings

A marking may be used for specifying the field covered by the document or a particular distribution on a need-to-know basis, or (for non-classified information) to signify the end of an embargo.

A marking is not a classification and must not be used in lieu of one.

The ESDP marking shall be applied to documents and copies thereof concerning the security and defence of the Union or of one or more of its Member States, or concerning military or non-military crisis management.

16.4. Affixing of classification

Classification shall be affixed as follows:

(a) On ► RESTREINT UE ◄ documents, by mechanical or electronic means;

(b) On ► CONFIDENTIEL UE ◄ documents, by mechanical means or by hand or by printing on pre-stamped, registered paper;

16.5. Affixing of security designators

Security designators shall be affixed directly under the classification, by the same means as those for affixing classifications.

17. CLASSIFICATION MANAGEMENT

17.1. General

Information shall be classified only when necessary. The classification shall be clearly and correctly indicated, and shall be maintained only as long as the information requires protection.

The responsibility for classifying information and for any subsequent downgrading or declassification rests solely with the originator.

Officials and other employees of the Commission shall classify, downgrade or declassify information on instruction from or with the agreement of their Head of department.

The detailed procedures for the treatment of classified documents have been so framed as to ensure that they are subject to protection appropriate to the information they contain.

The number of persons authorised to originate ► TRES SECRET UE/EU TOP SECRET ◄ documents shall be kept to a minimum, and their names kept on a list drawn up by the ► Commission Security Directorate ◄ .

17.2. Application of classifications

The classification of a document shall be determined by the level of sensitivity of its contents in accordance with the definition at Section 16. It is important that classification is correctly and sparingly used. This applies especially to ► TRES SECRET UE/EU TOP SECRET ◄ classification.

The originator of a document that is to be given a classification shall bear in mind the rules set out above and curb any tendency to over- or under-classify.

A practical guide for the classification is contained in Appendix 2.

Individual pages, paragraphs, sections, annexes, appendices, attachments and enclosures of a given document may require different classifications and shall be classified accordingly. The classification of the document as a whole shall be that of its most highly classified part.

The classification of a letter or note covering enclosures shall be as high as the highest classification of its enclosures. The originator should indicate clearly at which level it should be classified when detached from its enclosures.

Public access shall remain governed by Regulation (EC) No 1049/2001.

17.3. Downgrading and declassification

EU classified documents may be downgraded or declassified only with the permission of the originator, and, if necessary, after discussion with other interested parties. Downgrading or declassification shall be confirmed in writing. The originator shall be responsible for informing its addressees of the change, and they in turn shall be responsible for informing any subsequent addressees, to whom they have sent or copied the document, of the change.

If possible, originators shall specify on classified documents a date, period or event when the contents may be downgraded or declassified. Otherwise, they shall keep the documents under review every five years, at the latest, in order to ensure that the original classification is necessary.

18. PHYSICAL SECURITY

18.1. General

The main objectives of physical security measures are to prevent an unauthorised person from gaining access to EU classified information and/or material, to prevent theft and degradation of equipment and other property and to prevent harassment or any other type of aggression of staff, other employees and visitors.

18.2. Security requirements

All premises, areas, buildings, rooms, communication and information systems, etc. in which EU classified information and material is stored and/or handled shall be protected by appropriate physical security measures.

In deciding what degree of physical security protection is necessary, account shall be taken of all relevant factors such as:

(a) The classification of information and/or material;

(b) The amount and form (e.g. hard copy, computer storage media) of the information held;

(c) The locally assessed threat from intelligence services which target the EU, the Member States, and/or other institutions or third parties holding EU classified information from, namely, sabotage, terrorism and other subversive and/or criminal activities.

The physical security measures applied shall be designed to:

(a) Deny surreptitious or forced entry by an intruder;

(b) Deter, impede and detect actions by disloyal personnel;

18.3. Physical security measures

18.3.1. Security areas

Areas where information classified ► CONFIDENTIEL UE ◄ or higher is handled and stored shall be so organised and structured as to correspond to one of the following:

(a) Class I Security Area: an area where ► CONFIDENTIEL UE ◄ or above is handled and stored in such a way that entry into the area constitutes, for all practical purposes, access to classified information. Such an area requires:

(i) A clearly defined and protected perimeter through which all entry and exit is controlled;

(ii) An entry control system, which admits only those duly cleared and specially authorised to enter the area;

(iii) Specification of the classification of the information normally held in the area, i.e. the information to which entry gives access.

(b) Class II Security Area: an area where ► CONFIDENTIEL UE ◄ or above is handled and stored in such a way that it can be protected from access by unauthorised persons by means of internally established controls, e.g. premises containing Services in which ► CONFIDENTIEL UE ◄ or above is regularly handled and stored. Such an area requires:

(i) A clearly defined and protected perimeter through which all entry and exit is controlled;

(ii) An entry control system that admits unescorted only those duly cleared and specially authorised to enter the area. For all other persons, provision shall be made for escorts or equivalent controls, to prevent unauthorised access to EU classified information and uncontrolled entry to areas subject to technical security inspections.

Those areas not occupied by duty personnel on a 24-hour basis shall be inspected immediately after normal working hours to ensure that EU classified information is properly secured.

18.3.2. Administrative area

Around or leading up to Class I or Class II security areas, an administrative area of lesser security may be established. Such an area requires a visibly defined perimeter allowing personnel and vehicles to be checked. Only ► RESTREINT UE ◄ and non-classified information shall be handled and stored in such areas.

18.3.3. Entry and exit controls

Entry and exit into and from Class I and Class II security areas shall be controlled by a pass or personal recognition system applicable to all staff normally working in these areas. A system of visitor checks designed to deny unauthorised access to EU classified information shall also be established. Pass systems may be supported by automated identification, which shall be regarded as a supplement to, but not a total replacement for, guards. A change in the threat assessment may entail a strengthening of the entry and exit control measures, for example during the visit of prominent persons.

18.3.4. Guard patrols

Patrols of Class I and Class II security areas are to take place outside normal working hours to protect EU assets against compromise, damage or loss. The frequency of patrols will be determined by local circumstances but, as a guide, are to be conducted once every 2 hours.

18.3.5. Security containers and strong rooms

Three classes of containers shall be used for the storage of EU classified information:

— Class A: containers nationally approved for storage of ► TRES SECRET UE/EU TOP SECRET ◄ information within a Class I or a Class II security area;

— Class B: containers nationally approved for storage of ► SECRET UE ◄ and ► CONFIDENTIEL UE ◄ information within a Class I or a Class II security area;

— Class C: Service furniture suitable for storage of ► RESTREINT UE ◄ information only.

For strong rooms constructed within a Class I or a Class II security area, and for all Class I security areas where information classified ► CONFIDENTIEL UE ◄ and higher is stored on open shelves or displayed on charts, maps, etc., the walls, floors and ceilings, door(s) with lock(s) need to be certified by the SAA as offering equivalent protection to the class of security container approved for the storage of information of the same classification.

18.3.6. Locks

Locks used with security containers and strong rooms in which EU classified information is stored shall meet the following standards:

— Group A: nationally approved for Class A containers;

— Group B: nationally approved for Class B containers;

— Group C: suitable for Class C Service furniture only.

18.3.7. Control of keys and combinations

Keys of security containers shall not be taken out of the Commission buildings. Combination settings of security containers shall be committed to memory by persons needing to know them. For use in an emergency, the Local Security Officer of the Commission department concerned shall be responsible for holding spare keys and a written record of each combination setting; the latter shall be held in separate sealed opaque envelopes. Working keys, spare security keys and combination settings shall be kept in separate security containers. These keys and combination settings should be given security protection no less stringent than the material to which they give access.

Knowledge of the combination settings of security containers shall be restricted to as few people as practicable. Combinations shall be reset:

(a) On receipt of a new container;

(b) Whenever a change of personnel occurs;

(d) At intervals of preferably six months, and at least every twelve months.

18.3.8. Intrusion detection devices

When alarm systems, closed circuit television and other electrical devices are used to protect EU classified information, an emergency electrical supply shall be available to ensure the continuous operation of the system if the main power supply is interrupted. Another basic requirement is that a malfunction in or tampering with such systems shall result in an alarm or other reliable warning to the surveillance personnel.

18.3.9. Approved equipment

The ► Commission Security Directorate ◄ shall maintain up-to-date lists by type and model of the security equipment that they have approved for the protection of classified information under various specified circumstances and conditions. The ► Commission Security Directorate ◄ shall base these lists, inter alia, on information from NSAs.

18.3.10. Physical protection of copying and telefax machines

Copying and telefax machines shall be physically protected to the extent necessary to ensure that only authorised persons can use them for processing classified information and that all classified products are subject to proper controls.

18.4. Protection against overlooking and eavesdropping

18.4.1. Overlooking

All appropriate measures shall be taken by day and by night to ensure that EU classified information is not seen, even accidentally, by any unauthorised person.

18.4.2. Eavesdropping

Services or areas in which information classified ► SECRET UE ◄ and above is regularly discussed shall be protected against passive and active eavesdropping attacks where the risk demands it. The assessment of the risk of such attacks shall be the responsibility of the ► Commission Security Directorate ◄ after consultation, as necessary, with NSAs.

18.4.3. Introduction of electronic and recording equipment

It is not permitted to introduce mobile phones, private computers, recording devices, cameras and other electronic or recording devices into security areas or technically secure areas without prior authorisation from the ► Director of the Commission Security Directorate ◄ .

To determine the protective measures to be taken in premises sensitive to passive eavesdropping (e.g. insulation of walls, doors, floors and ceilings, measurement of compromising emanations) and to active eavesdropping (e.g. search for microphones), the ► Commission Security Directorate ◄ may request assistance from experts from NSAs.

Likewise, when circumstances require, the telecommunications equipment and the electrical or electronic office equipment of any kind used during meetings at ► SECRET UE ◄ level and above may be checked by technical security specialists of NSAs at the request of the ► Director of the Commission Security Directorate ◄ .

18.5. Technically secure areas

Certain areas may be designated as technically secure areas. A special entry check shall be carried out. Such areas shall be kept locked by an approved method when not occupied and all keys treated as security keys. Such areas shall be subject to regular physical inspections, which will also be undertaken following any unauthorised entry or suspicion of such an entry.

A detailed inventory of equipment and furniture shall be kept in order to monitor their movements. No item of furniture or equipment shall be brought into such an area until it has undergone a careful inspection by specially trained security personnel, designed to detect any listening devices. As a general rule, the installation of communication lines in technically secure areas is not permitted without prior authorisation from the appropriate authority.

19. GENERAL RULES ON THE NEED TO KNOW PRINCIPLE AND EU PERSONAL SECURITY CLEARANCES

19.1. General

Access to EU classified information shall be authorised only for persons having a ‘need-to-know’ for carrying out their duties or missions. Access to ► TRES SECRET UE/EU TOP SECRET ◄ , ► SECRET UE ◄ and ► CONFIDENTIEL UE ◄ information shall be authorised only for persons in possession of the appropriate security clearance.

The responsibility for determining ‘need-to-know’ shall rest with the department in which the person concerned is to be employed.

Requesting the clearance of personnel shall be the responsibility of each department.

This will result in the issue of a ‘EU personal security certificate’ showing the level of classified information to which the cleared person may have access and the date of expiry.

An EU personal security certificate for a given classification may give the holder access to information with a lower classification.

Persons other than officials or other employees, such as external contractors, experts or consultants, with whom it may be necessary to discuss, or to whom it may be necessary to show, EU classified information, must have a EU personal security clearance as regards EU classified information and be briefed as to their responsibility for security.

Public access shall remain governed by Regulation (EC) No 1049/2001.

19.2. Specific rules on access to ► TRES SECRET UE/EU TOP SECRET ◄ information

All persons who are to have access to ► TRES SECRET UE/EU TOP SECRET ◄ information shall first be screened for access to such information.

All persons who are required to have access to ► TRES SECRET UE/EU TOP SECRET ◄ information shall be designated by the Member of the Commission responsible for security matters and their names kept in the appropriate ► TRES SECRET UE/EU TOP SECRET ◄ registry. The ► Commission Security Directorate ◄ will create and maintain this registry.

Before having access to ► TRES SECRET UE/EU TOP SECRET ◄ information, all persons shall sign a certificate to the effect that they have been briefed on Commission security procedures and that they fully understand their special responsibility for safeguarding ► TRES SECRET UE/EU TOP SECRET ◄ information, and the consequences which the EU rules and national law or administrative rules provide when classified information passes into unauthorised hands, either by intent or through negligence.

In the case of persons having access to ► TRES SECRET UE/EU TOP SECRET ◄ information at meetings, etc., the competent Control Officer of the service or body in which that person is employed shall notify the body organising the meeting that the persons concerned have such authorisation.

The names of all persons ceasing to be employed on duties requiring access to ► TRES SECRET UE/EU TOP SECRET ◄ information shall be removed from the ► TRES SECRET UE/EU TOP SECRET ◄ list. In addition, the attention of all such persons shall be drawn again to their special responsibility for the safeguarding of ► TRES SECRET UE/EU TOP SECRET ◄ information. They shall also sign a declaration stating that they will neither use nor pass on ► TRES SECRET UE/EU TOP SECRET ◄ information in their possession.

19.3. Specific rules on access to ► SECRET UE ◄ and ► CONFIDENTIEL UE ◄ information

All persons who are to have access to ► SECRET UE ◄ or ► CONFIDENTIEL UE ◄ information shall first be screened to the appropriate grading.

All persons who are to have access to ► SECRET UE ◄ or ► CONFIDENTIEL UE ◄ information shall be acquainted with the appropriate security provisions and shall be aware of the consequences of negligence.

In the case of persons having access to ► SECRET UE ◄ or ► CONFIDENTIEL UE ◄ information at meetings, etc., the Security Officer of the body in which that person is employed shall notify the body organising the meeting that the persons concerned have such authorisation.

19.4. Specific rules on access to ► RESTREINT UE ◄ information

Persons with access to ► RESTREINT UE ◄ information will be made aware of these security rules and of the consequences of negligence.

19.5. Transfers

When a member of staff is transferred from a post which involves the handling of EU classified material, the Registry will oversee the proper transfer of that material from the outgoing to the incoming official.

When a member of staff is transferred to another post involving the handling of EU classified material the Local Security Officer will brief him accordingly.

19.6. Special instructions

Persons who are required to handle EU classified information should, on first taking up their duties and periodically thereafter, be made aware of:

(a) The dangers to security arising from indiscreet conversation;

(b) Precautions to take in their relations with the press and with representatives of special interest groups;

(c) The threat presented by the activities of intelligence services that target the EU and Member States as regards EU classified information and activities;

(d) The obligation to report immediately to the appropriate security authorities any approach or manoeuvre giving rise to suspicions of espionage activity or any unusual circumstances relating to security.

All persons normally exposed to frequent contact with representatives of countries whose intelligence services target the EU and Member States as regards EU classified information and activities shall be given a briefing on the techniques known to be employed by various intelligence services.

There are no Commission security provisions concerning private travel to any destination by personnel cleared for access to EU classified information. The ► Commission Security Directorate ◄ shall, however, acquaint the officials and other servants falling within their responsibility with travel regulations to which they may be subjected.

20. SECURITY CLEARANCE PROCEDURE FOR COMMISSION OFFICIALS AND OTHER EMPLOYEES

(a) Only Officials and other employees of the Commission or persons working within the Commission who, by reason of their duties and for the requirements of the service, need to have knowledge of, or to use, classified information held by the Commission, shall have access to such information.

(b) In order to have access to information classified as ‘ ► TRES SECRET UE/EU TOP SECRET ◄ ’, ‘ ► SECRET UE ◄ ’ and ‘ ► CONFIDENTIEL UE ◄ ’, the persons referred to in paragraph (a) above must have been authorised, in accordance with the procedure referred to in paragraphs (c) and (d) of this Section.

(c) Authorisation shall be granted only to persons who have undergone security screening by the competent national authorities of the Member States (NSA) in accordance with the procedure referred to in paragraphs (i) to (n).

(d) The ► Director of the Commission Security Directorate ◄ shall be responsible for granting the authorisations referred to in paragraphs (a), (b) and (c).

(e) He/she shall grant authorisation after obtaining the opinion of the competent national authorities of the Member States on the basis of security screening carried out in accordance with paragraphs (i) to (n).

(f) The ► Commission Security Directorate ◄ shall maintain an up to date list of all sensitive posts, provided by the relevant Commission departments, and of all persons who have been granted a (temporary) authorisation.

(g) Authorisation, which shall be valid for a period of five years, may not exceed the duration of the tasks on the basis of which it was granted. It may be renewed in accordance with the procedure referred to in paragraph (e).

(h) Authorisation shall be withdrawn by the ► Director of the Commission Security Directorate ◄ where he/she considers there are justifiable grounds for doing so. Any decision to withdraw authorisation shall be notified to the person concerned, who may ask to be heard by the ► Director of the Commission Security Directorate ◄ , and to the competent national authority.

(i) Security screening shall be carried out with the assistance of the person concerned and at the request of the ► Director of the Commission Security Directorate ◄ . The competent national authority for screening is the one of the Member State of which the person subject to authorisation is a national. Where the person concerned is not a national of an EU Member State, the ► Director of the Commission Security Directorate ◄ will request a security screening from the EU Member State in which the person is domiciled or usually resident.

(j) As part of the screening procedure, the person concerned shall be required to complete a personal information form.

(k) The ► Director of the Commission Security Directorate ◄ shall specify in its request the type and level of classified information to be made available to the person concerned, so that the competent national authorities can carry out the screening process and give their opinion as to the level of authorisation it would be appropriate to grant to that person.

(l) The whole security-screening process together with the results obtained shall be subject to the relevant rules and regulations in force in the Member State concerned, including those concerning appeals.

(m) Where the competent national authorities of the Member State give a positive opinion, the ► Director of the Commission Security Directorate ◄ may grant the person concerned authorisation.

(n) A negative opinion by the competent national authorities shall be notified to the person concerned, who may ask to be heard by the ► Director of the Commission Security Directorate ◄ . Should he consider it necessary, the ► Director of the Commission Security Directorate ◄ may ask the competent national authorities for any further clarification they can provide. If the negative opinion is confirmed, authorisation shall not be granted.

(o) All persons granted authorisation within the meaning of paragraphs (d) and (e) shall, at the time the authorisation is granted and at regular intervals thereafter, receive any necessary instructions concerning the protection of classified information and the means of ensuring such protection. Such persons shall sign a declaration acknowledging receipt of the instructions and give an undertaking to obey them.

(p) The ► Director of the Commission Security Directorate ◄ shall take any measure necessary in order to implement this section, in particular as regards the rules governing access to the list of authorised persons.

(q) Exceptionally, if required by the service, the ► Director of the Commission Security Directorate ◄ may, after giving the national competent authorities notification and provided there is no reaction from them within a month, grant temporary authorisation for a period not exceeding six months, pending the outcome of the screening referred to in paragraph (i).

(r) The provisional and temporary authorisations thus granted shall not give access to ► TRES SECRET UE/EU TOP SECRET ◄ information; such access shall be limited to officials who have effectively undergone a screening with positive results, in accordance with paragraph (i). Pending the outcome of the screening, the officials requested to be cleared at ► TRES SECRET UE/EU TOP SECRET ◄ level may be authorised, temporarily and provisionally, to access information classified up to, and including, ► SECRET UE ◄ .

21. PREPARATION, DISTRIBUTION, TRANSMISSION, COURRIER PERSONAL SECURITY AND EXTRA COPIES OF TRANSLATIONS AND EXTRACTS OF EU CLASSIFIED DOCUMENTS

21.1. Preparation

1. The EU classifications shall be applied as established in Section 16 and for ► CONFIDENTIEL UE ◄ and above appear at the top and bottom centre of each page, and each page shall be numbered. Each EU classified document shall bear a reference number and a date. In the case of ► TRES SECRET UE/EU TOP SECRET ◄ and ► SECRET UE ◄ documents, this reference number shall appear on each page. If they are to be distributed in several copies, each one shall bear a copy number, which will appear on the first page, together with the total number of pages. All annexes and enclosures shall be listed on the first page of a document classified ► CONFIDENTIEL UE ◄ and above.

2. Documents classified ► CONFIDENTIEL UE ◄ and above shall be typed, translated, stored, photocopied, reproduced magnetically or microfilmed only by persons who have been cleared for access to EU classified information up to at least the appropriate security classification of the document in question.

3. The provisions regulating the computerised production of classified documents are set out in Section 25.

21.2. Distribution

1. EU classified information shall be distributed only to persons with a need to know and having the appropriate security clearance. The originator shall specify the initial distribution.

2. ► TRES SECRET UE/EU TOP SECRET ◄ documents shall be circulated through ► TRES SECRET UE/EU TOP SECRET ◄ registries (see Section 22.2). In the case of ► TRES SECRET UE/EU TOP SECRET ◄ messages, the competent registry may authorise the head of the communications centre to produce the number of copies specified in the list of addressees.

3. Documents classified ► SECRET UE ◄ and below may be redistributed by the original addressee to other addressees based on a need to know. The originating authorities shall, however, clearly state any caveats they wish to impose. Whenever such caveats are imposed, the addressees may redistribute the documents only with the originating authorities' authorisation.

4. Every document classified ► CONFIDENTIEL UE ◄ and above shall, on arriving at or leaving a DG or service, be recorded by the departments' Local EUCI Registry. The particulars to be entered (references, date and where applicable the copy number) shall be such as to identify the documents and be entered into a logbook or in special protected computer media (see Section 22.1).

21.3. Transmission of EU classified documents

21.3.1. Packaging, receipts

1. Documents classified ► CONFIDENTIEL UE ◄ and above shall be transmitted in heavy duty, opaque double envelopes. The inner envelope shall be marked with the appropriate EU security classification as well as, if possible, full particulars of the recipient's job title and address.

2. Only a Registry Control Officer (see Section 22.1), or his substitute, may open the inner envelope and acknowledge receipt of the documents enclosed, unless that envelope is addressed to an individual. In such a case, the appropriate Registry (see Section 22.1) shall log the arrival of the envelope, and only the individual to whom it is addressed may open the inner envelope and acknowledge receipt of the documents it contains.

3. A receipt form shall be placed in the inner envelope. The receipt, which will not be classified, should quote the reference number, date and copy number of the document, but never its subject.

4. The inner envelope shall be enclosed in an outer envelope bearing a package number for receipting purposes. Under no circumstances shall the security classification appear on the outer envelope.

5. For documents classified ► CONFIDENTIEL UE ◄ and above, couriers and messengers shall obtain receipts against the package numbers.

21.3.2. Transmission within a building or group of buildings

Within a given building or group of buildings, classified documents may be carried in a sealed envelope bearing only the addressee's name, on condition that it is carried by a person cleared to the level of classification of the documents.

21.3.3. Transmission within a country

1. Within a country, ► TRES SECRET UE/EU TOP SECRET ◄ documents should be sent only by means of official messenger service or by persons authorised to have access to ► TRES SECRET UE/EU TOP SECRET ◄ information.

2. Whenever a messenger service is used for the transmission of a ► TRES SECRET UE/EU TOP SECRET ◄ document outside the confines of a building or group of buildings, the packaging and receipting provisions contained in this Chapter shall be complied with. Delivery services shall be so staffed as to ensure that packages containing ► TRES SECRET UE/EU TOP SECRET ◄ documents remain under the direct supervision of a responsible official at all times.

3. Exceptionally, ► TRES SECRET UE/EU TOP SECRET ◄ documents may be taken by officials, other than messengers, outside the confines of a building or group of buildings for local use at meetings and discussions, provided that:

(a) The bearer is authorised to have access to those ► TRES SECRET UE/EU TOP SECRET ◄ documents;

(b) The mode of transportation complies with rules governing the transmission of ► TRES SECRET UE/EU TOP SECRET ◄ documents;

(d) Arrangements are made for the list of documents so carried to be held in the ► TRES SECRET UE/EU TOP SECRET ◄ Registry holding the documents and recorded in a log, and checked against this record on their return.

4. Within a given country, ► SECRET UE ◄ and ► CONFIDENTIEL UE ◄ documents may be sent either by post, if such transmission is permitted under national regulations and is in accordance with the provisions of those regulations, or by messenger service or by persons cleared for access to EU classified information.

5. The ► Commission Security Directorate ◄ will prepare instructions on the personal carrying of EU classified documents based on these rules. The bearer shall be required to read and sign these instructions. In particular, the instructions shall make it clear that, under no circumstances, may documents:

(a) Leave the bearer's possession unless they are in safe custody in accordance with the provisions contained in Section 18;

(b) Be left unattended in public transport or private vehicles, or in places such as restaurants or hotels. They may not be stored in hotel safes or left unattended in hotel rooms;

21.3.4. Transmission from one State to another

1. Material classified ► CONFIDENTIEL UE ◄ and above shall be conveyed by EU diplomatic or military courier services.

2. However, the personal carriage of material classified ► SECRET UE ◄ and ► CONFIDENTIEL UE ◄ may be permitted if provisions for the carriage are such as to ensure that they cannot fall into any unauthorised person's hands.

3. The Member of the Commission responsible for security matters may authorise personal carriage when diplomatic and military couriers are not available or the use of such couriers would result in a delay that would be detrimental to EU operations and the material is urgently required by the intended recipient. The ► Commission Security Directorate ◄ will prepare instructions covering the personal carriage of material classified up to and including ► SECRET UE ◄ internationally by persons other than diplomatic and military couriers. The instructions shall require that:

(a) The bearer has the appropriate security clearance;

(b) A record is held in the appropriate department or registry of all material so carried;

(c) Packages or bags containing EU material bear an official seal to prevent or discourage inspection by customs, and labels with identification and instructions to the finder;

(d) The bearer carries a courier certificate and/or mission order recognised by all EU Member States authorising him to carry the package as identified;

(e) No EU non-member State or its frontier is crossed when travelling overland unless the shipping State has a specific guarantee from that State;

(f) The bearer's travel arrangements with regard to destinations, routes to be taken and means of transportation to be used will be in accordance with EU rules or — if national regulations with respect to such matters are more stringent — in accordance with such regulations;

(g) The material must not leave the possession of the bearer unless it is housed in accordance with the provisions for safe custody contained in Section 18;

(h) The material must not be left unattended in public or private vehicles, or in places such as restaurants or hotels. It must not be stored in hotel safes or left unattended in hotel rooms;

(i) If the material being carried contains documents, these must not be read in public places (e.g. in aircraft, trains, etc.).

4. The person designated to carry the classified material must read and sign a security briefing that contains, as a minimum, the instructions listed above and procedures to be followed in an emergency or in case the package containing the classified material is challenged by customs or airport security officials.

21.3.5. Transmission of ► RESTREINT UE ◄ documents

No special provisions are laid down for the conveyance of ► RESTREINT UE ◄ documents, except that they should be such as to ensure that they can not fall into any unauthorised person's hands.

21.4. Courier personnel security

All couriers and messengers employed to carry ► SECRET UE ◄ and ► CONFIDENTIEL UE ◄ documents shall be appropriately security cleared.

21.5. Electronic and other means of technical transmission

1. Communications security measures are designed to ensure the secure transmission of EU classified information. The detailed rules applicable to the transmission of such EU classified information are dealt with in Section 25.

2. Only accredited communications centres and networks and/or terminals and systems may transmit information classified ► CONFIDENTIEL UE ◄ and ► SECRET UE ◄ .

21.6. Extra copies and translations of and extracts from EU classified documents

1. Only the originator may authorise the copy or translation of ► TRES SECRET UE/EU TOP SECRET ◄ documents.

2. If persons without ► TRES SECRET UE/EU TOP SECRET ◄ clearance require information which, although contained in a ► TRES SECRET UE/EU TOP SECRET ◄ document, does not have that classification, the Head of the ► TRES SECRET UE/EU TOP SECRET ◄ Registry (see Section 22.2) may be authorised to produce the necessary number of extracts from that document. He/she shall, at the same time, take the necessary steps to ensure that these extracts are given the appropriate security classification.

3. Documents classified ► SECRET UE ◄ and lower may be reproduced and translated by the addressee, within the framework of these security provisions and on condition that it complies strictly with the need-to-know principle. The security measures applicable to the original document shall also be applicable to reproductions and/or translations thereof.

22. EUCI REGISTRIES, MUSTERS, CHECKS, ARCHIVE STORAGE AND DESTRUCTION OF EUCI

22.1. Local EUCI Registries

1. Within the Commission, in each department, as required, one or more Local EUCI Registries shall be responsible for the registration, reproduction, dispatch, archiving and destruction of documents classified ► SECRET UE ◄ and ► CONFIDENTIEL UE ◄ .

2. When a department does not have a Local EUCI Registry, the Local EUCI Registry of Secretariat General will act as its EUCI Registry.

3. Local EUCI Registries shall report to the Head of department from whom they receive their instructions. The Head of these registries shall be Registry Control Officer (RCO).

4. They shall be subject to the supervision of the Local Security Officer as far as the application of the provisions regarding the handling of EUCI documents and compliance with the corresponding security measures is concerned.

5. Officials assigned to the Local EUCI Registries shall be authorised to have access to EUCI in accordance with Section 20.

6. Under the authority of the relevant Head of department the Local EUCI Registries shall:

(a) Manage operations relating to the registration, reproduction, translation, transmission, dispatch and destruction of such information;

(b) Update the list of particulars on classified information;

7. The Local EUCI Registries shall keep a register of the following particulars:

(a) The date of preparation of the classified information;

(b) The level of classification;

(d) The name and department of the issuer;

(e) The recipient or recipients, with serial number;

(f) The subject;

(g) The number;

(h) The number of copies circulated;

(i) The preparation of inventories of the classified information submitted to the department;

(j) The register of declassification and downgrading of classified information.

8. The general rules provided for in Section 21 shall apply to the Local EUCI Registries of the Commission, unless modified by the specific rules laid down in this Section.

22.2. The ► TRES SECRET UE/EU TOP SECRET ◄ Registry

22.2.1. General

1. A Central ► TRES SECRET UE/EU TOP SECRET ◄ Registry ensures the recording, handling and distribution of ► TRES SECRET UE/EU TOP SECRET ◄ documents in accordance with these security provisions. The head of the ► TRES SECRET UE/EU TOP SECRET ◄ Registry will be the ► TRES SECRET UE/EU TOP SECRET ◄ Registry Control Officer.

2. The Central ► TRES SECRET UE/EU TOP SECRET ◄ Registry will act as the main receiving and despatching authority in the Commission, with other EU institutions, Member States, international organisations and third States with which the Commission has agreements on security procedures for the exchange of classified information.

3. When necessary, sub-registries shall be established, to be responsible for the internal management of ► TRES SECRET UE/EU TOP SECRET ◄ documents; they shall keep up-to-date records of the circulation of each document held on the Sub-Registry's charge.

4. ► TRES SECRET UE/EU TOP SECRET ◄ sub-registries shall be set up as specified in Section 22.2.3 in response to long term needs and shall be attached to a central ► TRES SECRET UE/EU TOP SECRET ◄ Registry. If there is a need to consult ► TRES SECRET UE/EU TOP SECRET ◄ documents only temporarily and occasionally, these documents may be released without setting up a ► TRES SECRET UE/EU TOP SECRET ◄ sub-registry, provided rules are laid down to ensure that they remain under the control of the appropriate ► TRES SECRET UE/EU TOP SECRET ◄ registry and that all physical and personnel security measures are observed.

5. Sub-registries may not transmit ► TRES SECRET UE/EU TOP SECRET ◄ documents directly to other sub-registries of the same Central ► TRES SECRET UE/EU TOP SECRET ◄ Registry without express approval by the latter.

6. All exchanges of ► TRES SECRET UE/EU TOP SECRET ◄ documents between sub-registries not attached to the same central registry shall be routed through the Central ► TRES SECRET UE/EU TOP SECRET ◄ Registries.

22.2.2. The Central ► TRES SECRET UE/EU TOP SECRET ◄ Registry

As the Control Officer, the head of the Central ► TRES SECRET UE/EU TOP SECRET ◄ Registry shall be responsible for:

(a) The transmission of ► TRES SECRET UE/EU TOP SECRET ◄ documents in accordance with the provisions defined in Section 21.3;

(b) Maintaining a list of all its dependent ► TRES SECRET UE/EU TOP SECRET ◄ sub-registries together with names and signatures of the appointed Control Officers and their authorised deputies;

(c) Holding receipts from registries for all ► TRES SECRET UE/EU TOP SECRET ◄ documents distributed by the Central Registry;

(d) Maintaining a record of ► TRES SECRET UE/EU TOP SECRET ◄ documents held and distributed;

(e) Maintaining an up-to-date list of all Central ► TRES SECRET UE/EU TOP SECRET ◄ Registries with which he/she normally corresponds, together with the names and signatures of their appointed Control Officers and their authorised deputies;

(f) The physical safeguarding of all ► TRES SECRET UE/EU TOP SECRET ◄ documents held within the registry in accordance with regulations contained in Section 18.

22.2.3. ► TRES SECRET UE/EU TOP SECRET ◄ sub-registries

As the Control Officer, the head of an ► TRES SECRET UE/EU TOP SECRET ◄ sub-registry shall be responsible for:

(a) The transmission of ► TRES SECRET UE/EU TOP SECRET ◄ documents in accordance with provisions contained in Section 21.3;

(b) Maintaining an up-to-date list of all persons authorised to have access to the ► TRES SECRET UE/EU TOP SECRET ◄ information under his control;

(c) The distribution of ► TRES SECRET UE/EU TOP SECRET ◄ documents in accordance with the instructions of the originator or on a need-to-know basis, having first checked that the addressee has the requisite security clearance;

(d) Maintaining an up-to-date record of all ► TRES SECRET UE/EU TOP SECRET ◄ documents held or circulating under his control or which have been passed to other ► TRES SECRET UE/EU TOP SECRET ◄ registries and holding all corresponding receipts;

(e) Maintaining an up-to-date list of ► TRES SECRET UE/EU TOP SECRET ◄ registries with whom he is authorised to exchange ► TRES SECRET UE/EU TOP SECRET ◄ documents, together with the names and signatures of their Control Officers and authorised deputies;

(f) The physical safeguarding of all ► TRES SECRET UE/EU TOP SECRET ◄ documents held within the sub-registry in accordance with the rules laid down in Section 18.

22.3. Inventories, musters and checks of EU classified documents

1. Every year, each ► TRES SECRET UE/EU TOP SECRET ◄ Registry as referred to in this Section shall carry out an itemised inventory of ► TRES SECRET UE/EU TOP SECRET ◄ documents. A document is deemed to have been accounted for if the registry physically musters the document, or holds a receipt from the ► TRES SECRET UE/EU TOP SECRET ◄ registry to which the document has been transferred, a destruction certificate for the document or an instruction to downgrade or declassify that document. They shall forward the findings of the annual inventories to the Member of the Commission responsible for security matters, by 1 April each year at the latest.

2. ► TRES SECRET UE/EU TOP SECRET ◄ Sub-registries shall forward the findings of their annual inventory to the Central Registry to which they are answerable, on a date specified by the latter.

3. EU classified documents below the level of ► TRES SECRET UE/EU TOP SECRET ◄ shall be subject to internal checks according to instructions from the Member of the Commission responsible for security matters.

4. These operations shall afford the opportunity to secure holders' views as to:

(a) The possibility of downgrading or declassifying certain documents;

(b) Documents to be destroyed.

22.4. Archive storage of EU classified information

1. EUCI shall be stored under conditions that comply with all relevant requirements listed in Section 18.

2. To minimise storage problems, the Control Officers of all registries shall be authorised to have ► TRES SECRET UE/EU TOP SECRET ◄ , ► SECRET UE ◄ and ► CONFIDENTIEL UE ◄ documents microfilmed or otherwise stored in magnetic or optical media for archive purposes, providing that:

(a) The microfilming/storage process is undertaken by personnel with current clearance for the corresponding appropriate classification level;

(b) The microfilm/storage medium is afforded the same security as the original documents;

(d) Rolls of film, or other type of support, contain only documents of the same ► TRES SECRET UE/EU TOP SECRET ◄ , ► SECRET UE ◄ or ► CONFIDENTIEL UE ◄ classification;

(e) The microfilming/storing of an ► TRES SECRET UE/EU TOP SECRET ◄ or ► SECRET UE ◄ document is clearly indicated in the record used for the annual inventory;

(f) Original documents that have been microfilmed or otherwise stored are destroyed, in accordance with the rules set out in Section 22.5.

3. These rules also apply to any other form of authorised storage, such as electromagnetic media and optical disk.

22.5. Destruction of EU classified documents

1. To prevent the unnecessary accumulation of EU classified documents, those regarded by the head of the establishment holding them as out of date and surplus in number shall be destroyed as soon as practicable, in the following manner:

(a) ► TRES SECRET UE/EU TOP SECRET ◄ documents shall be destroyed only by the Central Registry responsible for them. Each document destroyed shall be listed in a destruction certificate, signed by the ► TRES SECRET UE/EU TOP SECRET ◄ Control Officer and by the Officer witnessing the destruction, who shall be ► TRES SECRET UE/EU TOP SECRET ◄ cleared. A note to this effect shall be made in the logbook;

(b) The registry shall keep the destruction certificates, together with the distribution sheets, for a period of ten years. Copies shall be forwarded to the originator or to the appropriate central registry only when explicitly requested;

(c) ► TRES SECRET UE/EU TOP SECRET ◄ documents, including all classified waste resulting from the preparation of ► TRES SECRET UE/EU TOP SECRET ◄ documents such as spoiled copies, working drafts, typed notes, floppy disks, shall be destroyed, under the supervision of a ► TRES SECRET UE/EU TOP SECRET ◄ Registry Control Officer, by burning, pulping, shredding or otherwise reducing into an unrecognisable and non-reconstitutable form.

2. ► SECRET UE ◄ documents shall be destroyed by the registry responsible for those documents, under the supervision of a security cleared person, using one of the processes indicated in paragraph 1 (c). ► SECRET UE ◄ documents that are destroyed shall be listed on signed destruction certificates to be retained by the Registry, together with the distribution forms, for at least three years.

3. ► CONFIDENTIEL UE ◄ documents shall be destroyed by the registry responsible for those documents, under the supervision of a security cleared person, by one of the processes indicated in paragraph 1 (c). Their destruction shall be recorded according to instructions from the Member of the Commission responsible for security matters.

4. ► RESTREINT UE ◄ documents shall be destroyed by the registry responsible for those documents or by the user, in accordance with instructions from the Member of the Commission responsible for security matters.

22.6. Destruction in emergencies

1. The Commission departments shall prepare plans based on local conditions for the safeguarding of EU classified material in a crisis including if necessary emergency destruction and evacuation plans. It shall promulgate instructions deemed necessary to prevent EU classified information from falling into unauthorised hands.

2. The arrangements for the safeguarding and/or destruction of ► SECRET UE ◄ and ► CONFIDENTIEL UE ◄ material in a crisis shall under no circumstances adversely affect the safeguarding or destruction of ► TRES SECRET UE/EU TOP SECRET ◄ material, including the enciphering equipment, whose treatment shall take priority over all other tasks.

3. The measures to be adopted for the safeguarding and destruction of enciphering equipment in an emergency shall be covered by specific instructions.

4. Instructions need to be available on the spot in a sealed envelope. Means/tools for destruction must be available.

23. SECURITY MEASURES FOR SPECIFIC MEETINGS HELD OUTSIDE THE COMMISSION PREMISES AND INVOLVING EU CLASSIFIED INFORMATION

23.1. General

When Commission or other important meetings are held outside the Commission premises and where justified by the particular security requirements relating to the high sensitivity of the issues or information dealt with, the security measures described below shall be taken. These measures concern only the protection of EU classified information; other security measures may have to be planned.

23.2. Responsibilities

23.2.1. The ► Commission Security Directorate ◄

The ► Commission Security Directorate ◄ shall cooperate with the competent authorities of the Member State on whose territory the meeting is being held (the host Member State), in order to ensure the security of the Commission's or other important meetings and for the security of the delegates and their staff. As regards the protection of security, it should specifically ensure that:

(a) Plans are drawn up to deal with security threats and security-related incidents, the measures in question covering in particular the safe custody of EU classified documents in offices;

(b) Measures are taken to provide possible access to Commission's communications system for the receipt and transmission of EU classified messages. The host Member State will be requested to provide access if required to secure telephone systems.

The ► Commission Security Directorate ◄ shall act as an adviser on security for the preparation of the meeting; it should be represented there to help and advise the Meeting Security Officer (MSO) and delegations as necessary.

Each delegation to a meeting shall be asked to designate a Security Officer, who will be responsible for dealing with security matters within his/her delegation and for maintaining liaison with the Meeting Security Officer, as well as with the ► Commission Security Directorate ◄ representative as required.

23.2.2. Meeting Security Officer (MSO)

A Meeting Security Officer shall be appointed and be responsible for the general preparation and control of general internal security measures and for coordination with the other security authorities concerned. The measures taken by the MSO shall in general relate to:

(a) Protective measures at the meeting place to ensure that the meeting is conducted without any incident that might compromise the security of any EU classified information that may be used there;

(b) Checking the personnel whose access to the place of the meeting, delegations' areas and conference rooms is permitted, and checking any equipment;

(c) Constant coordination with the competent authorities of the host Member State and with the ► Commission Security Directorate ◄ ;

(d) The inclusion of security instructions in the meeting dossier with due regard for the requirements set out in these security rules and any other security instructions considered necessary.

23.3. Security measures

23.3.1. Security areas

The following security areas shall be established:

(a) A Class II security area, consisting of a drafting room, the Commission offices and reprographic equipment, as well as delegations' offices as appropriate;

(b) A Class I security area, consisting of the conference room and interpreters' and sound engineers' booths;

(c) Administrative areas, consisting of the press area and those parts of the meeting place that are used for administration, catering and accommodation, as well as the area immediately adjacent to the Press Centre and the meeting place.

23.3.2. Passes

The MSO shall issue appropriate badges as requested by the delegations, according to their needs. Where required, a distinction may be made as regards access to different security areas.

The security instructions for the meeting shall require all persons concerned to wear and display their badges prominently at all times within the place of the meeting, so that they can be checked as needed by security personnel.

Apart from badge-holding participants, as few people as possible shall be admitted to the meeting place. The MSO shall only allow national delegations to receive visitors during the meeting upon their request. Visitors should be given a visitor's badge. A visitor's pass form bearing his/her name and the name of the person being visited shall be filled in. Visitors shall be accompanied at all times by a security guard or by the person being visited. The visitor's pass form shall be carried by the accompanying person, who shall return it, together with the visitor's badge, to the security personnel when the visitor leaves the meeting place.

23.3.3. Control of photographic and audio equipment

No camera or recording equipment may be brought into a Class I security area, with the exception of equipment brought by photographers and by sound engineers duly authorised by the MSO.

23.3.4. Checking of briefcases, portable computers and packages

Pass-holders allowed access to a security area may normally bring in their briefcases and portable computers (with own power supply only) without a check being made. In the case of packages for delegations, delegations may take delivery of the packages, which will either be inspected by the delegation Security Officer, screened by special equipment or opened by security personnel for inspection. If the MSO considers it necessary, more stringent measures for the inspection of briefcases and packages may be laid down.

23.3.5. Technical security

The meeting room may be made technically secure by a technical security team, which may also conduct electronic surveillance during the meeting.

23.3.6. Delegations' documents

Delegations shall be made responsible for taking EU classified documents to and from meetings. They shall also be responsible for the verification and security of those documents during their use in the premises assigned to them. The host Member States' help may be requested for the transportation of classified documents to and from the place of the meeting.

23.3.7. Safe custody of documents

If the Commission or delegations are unable to store their classified documents in accordance with approved standards, they may lodge those documents in a sealed envelope with the Meeting Security Officer, against receipt, so that the latter can store the documents in accordance with approved standards.

23.3.8. Inspection of offices

The Meeting Security Officer shall arrange for the Commission and delegations' offices to be inspected at the end of each working day to ensure that all EU classified documents are being kept in a safe place. If not, he/she shall take the appropriate measures.

23.3.9. Disposal of EU classified waste

All waste shall be treated as EU classified, and waste-paper baskets or bags should be given to the Commission and delegations for its disposal. Before leaving the premises they have been assigned, the Commission and delegations shall take their waste to the Meeting Security Officer, who shall arrange for its destruction according to the rules.

At the end of the meeting, all documents held but no longer wanted by the Commission or delegations shall be treated as waste. A thorough search of Commission and delegations' premises shall be made before the security measures adopted for the meeting are lifted. Documents for which a receipt was signed shall, as far as applicable, be destroyed as prescribed in Section 22.5.

24. BREACHES OF SECURITY AND COMPROMISE OF EU CLASSIFIED INFORMATION

24.1. Definitions

A breach of security occurs as the result of an act or omission contrary to a Commission security provision that might endanger or compromise EU classified information.

Compromise of EU classified information occurs when it has wholly or in part fallen into the hands of unauthorised persons, i.e. who do not have either the appropriate security clearance or the necessary need-to-know or if there is the likelihood of such an event having occurred.

EU classified information may be compromised as a result of carelessness, negligence or indiscretion as well as by the activities of services which target the EU or its Member States, as regards EU classified information and activities, or by subversive organisations.

24.2. Reporting breaches of security

All persons who are required to handle EU classified information shall be thoroughly briefed on their responsibilities in this domain. They shall report at once any breach of security that may come to their notice.

When a Local Security Officer or Meeting Security Officer discovers or is informed of a breach of security relating to EU classified information or of the loss or disappearance of EU classified material, he or she shall take timely action in order to:

(a) Safeguard evidence;

(b) Establish the facts;

(d) Prevent a recurrence;

(e) Notify the appropriate authorities of the effects of the breach of security.

In this context, the following information shall be provided:

(i) A description of the information involved, including its classification, reference and copy number, date, originator, subject and scope;

(ii) A brief description of the circumstances of the breach of security, including the date and the period during which the information was exposed to compromise;

(iii) A statement of whether the originator has been informed.

It shall be the duty of each security authority, as soon as it is notified that such a breach of security may have occurred, to report the fact immediately to the ► Commission Security Directorate ◄ .

Cases involving ► RESTREINT UE ◄ information need to be reported only when they present unusual features.

On being informed that a breach of security has occurred, the Member of the Commission responsible for security matters shall:

(a) Notify the authority that originated the classified information in question;

(b) Ask the appropriate security authorities to initiate investigations;

(d) Obtain a report on the circumstances of the breach, the date or period during which it may have occurred and was discovered, with a detailed description of the content and classification of the material involved. Damage done to the interests of the EU or of one or more of its Member States and action taken to prevent a recurrence shall also be reported.

The originating authority shall inform the addressees and shall give appropriate instructions.

24.3. Legal action

Any individual who is responsible for compromising EU classified information shall be liable to disciplinary action according to the relevant rules and regulations, particularly title VI of the Staff Regulations. Such action shall be without prejudice to any further legal action.

In appropriate cases, on the basis of the report mentioned in Section 24.2, the Member of the Commission responsible for security matters shall take all necessary steps in order to allow the competent national authorities to start criminal law procedures.

25. PROTECTION OF EU CLASSIFIED INFORMATION HANDLED IN INFORMATION TECHNOLOGY AND COMMUNICATIONS SYSTEMS

25.1. Introduction

25.1.1. General

The security policy and requirements shall apply to all communications and information systems and networks (hereinafter systems) handling information classified ► CONFIDENTIEL UE ◄ and above. They shall be applied as a supplement to Commission Decision C (95) 1510 final of 23 November 1995 on the protection of informatics systems.

Systems handling ► RESTREINT UE ◄ information also require security measures to protect the confidentiality of that information. All systems require security measures to protect the integrity and availability of those systems and of the information they contain.

The IT security policy applied by the Commission has the following elements:

— It forms an integral part of security in general, and complements all elements of information security, personnel security and physical security;

— Division of responsibilities between technical system owners, owners of EUCI stored or handled in technical systems, IT security specialists and users;

— Description of security principles and requirements of each IT system;

— Approval of these principles and requirements by a designated authority;

— Taking into account the specific threats and vulnerabilities in the IT area.

25.1.2. Threats to, and vulnerabilities of systems

A threat can be defined as a potential for the accidental or deliberate compromise of security. In the case of systems, such a compromise involves loss of one or more of the properties of confidentiality, of integrity and of availability. A vulnerability can be defined as a weakness or lack of controls that would facilitate or allow a threat actuation against a specific asset or target.

EU classified and unclassified information handled in systems in a concentrated form designed for rapid retrieval, communication and use is vulnerable to many threats. These include access to the information by unauthorised users or, conversely, denial of access to authorised users. There are also the risks of the unauthorised disclosure, corruption, modification or deletion of the information. Furthermore, the complex and sometimes fragile equipment is expensive and often difficult to repair or replace rapidly.

25.1.3. Main purpose of security measures

The main purpose of the security measures stated in this section is to provide protection against unauthorised disclosure of EU classified information (the loss of confidentiality) and against the loss of integrity and availability of information. To achieve adequate security protection of a system handling EU classified information, the appropriate standards of conventional security shall be specified by the ► Commission Security Directorate ◄ , along with appropriate special security procedures and techniques particularly designed for each system.

25.1.4. System-specific security requirement statement (SSRS)

For all systems handling information classified ► CONFIDENTIEL UE ◄ and above, a System-specific security requirement statement (SSRS) shall be required to be produced by its Technical System Owner (TSO, see Section 25.3.4) and the Information Owner (see Section 25.3.5) in cooperation with input and assistance as required from the project staff and from the ► Commission Security Directorate ◄ (as INFOSEC Authority -IA, see Section 25.3.3) and approved by the Security Accreditation Authority (SAA, see Section 25.3.2).

An SSRS shall also be required where the availability and integrity of the ► RESTREINT UE ◄ or unclassified information is deemed critical by the Security Accreditation Authority (SAA).

The SSRS shall be formulated at the earliest stage of a project's inception and shall be developed and enhanced as the project develops, fulfilling different roles at different stages in the project and system's life cycle.

25.1.5. Security modes of operation

All systems handling information classified ► CONFIDENTIEL UE ◄ and above shall be accredited to operate in one, or where warranted by requirements during different time periods, more than one, of the following security modes of operation, or their national equivalent:

(a) Dedicated.

(b) System high, and

25.2. Definitions

‘Accreditation’ shall mean: the authorisation and approval granted to a system to process EU classified information in its operational environment.

Note:

Such accreditation should be made after all appropriate security procedures have been implemented and a sufficient level of protection of the system resources has been achieved. Accreditation should normally be made on the basis of the SSRS, including the following:

(a) A statement of the objective of accreditation for the system; in particular, what classification level(s) of information are to be handled and what system or network security mode(s) of operation is being proposed;

(b) Production of a risk management review to identify the threats and vulnerabilities and measures to counter them;

(c) The Security Operating Procedures (SecOPs) with a detailed description of the proposed operations (e.g., modes, services, to be provided) and including a description of the system security features which shall form the basis of accreditation;

(d) The plan for the implementation and maintenance of the security features;

(e) The plan for initial and follow-on system security or network security test, evaluation and certification, and

(f) Certification, where required, together with other elements of accreditation.

‘Central Information Security Officer’ (CISO) shall mean the official in a central IT service who coordinates and supervises security measures for centrally organised systems.

‘Certification’ shall mean: the issue of a formal statement, supported by an independent review of the conduct and results of an evaluation, of the extent to which a system meets the security requirement, or a computer security product meets pre-defined security claims.

‘Communications Security’ (COMSEC) shall mean: The application of security measures to telecommunications in order to deny unauthorised persons information of value which might be derived from the possession and study of such telecommunications or to ensure the authenticity of such telecommunications.

Note:

Such measures include cryptographic, transmission and emission security; and also include procedural, physical, personnel, document and computer security.

‘Computer Security’ (COMPUSEC) shall mean: The application of hardware, firmware and software security features to a computer system in order to protect against, or prevent, the unauthorised disclosure, manipulation, modification/deletion of information or denial of service.

‘Computer Security Product’ shall mean: A generic computer security item which is intended for incorporation into an IT system for use in enhancing, or providing for, confidentiality, integrity or availability of information handled.

‘Dedicated Security Mode of Operation’ shall mean: A mode of operation in which ALL individuals with access to the system are cleared to the highest classification level of information handled within the system, and with a common need-to-know for ALL of the information handled within the system.

Notes:

(1) The common need-to-know indicates there is no mandatory requirement for computer security features to provide separation of information within the system.

(2) Other security features (for example, physical, personnel and procedural) shall conform to the requirements for the highest classification level and all category designations of the information handled within the system.

‘Evaluation’ shall mean: the detailed technical examination, by an appropriate authority, of the security aspects of a system or of a cryptographic or a computer security product.

Notes:

(1) The evaluation investigates the presence of required security functionality and the absence of compromising side effects from such functionality and assesses the incorruptibility of such functionality.

(2) The evaluation determines the extent to which the security requirements of a system, or the security claims of a computer security product, are satisfied and establishes the assurance level of the system or of the cryptographic, or the computer security product's trusted function.

‘Information Owner’ (IO) shall mean the authority (Head of department) that has the responsibility for creating, processing and the use of information, including for deciding who shall be allowed to access this information.

‘Information Security’ (INFOSEC) shall mean: The application of security measures to protect information processed, stored or transmitted in communication, information and other electronic systems against loss of confidentiality, integrity or availability, whether accidental or intentional, and to prevent loss of integrity and availability of the systems themselves.

‘INFOSEC Measures’ include those of computer, transmission, emission and cryptographic security, and the detection, documentation and countering of threats to information and to the systems.

‘IT Area’ shall mean: an area that contains one or more computers, their local peripheral and storage units, control units and dedicated network and communications equipment.

Note:

This does not include a separate area in which remote peripheral devices or terminals/workstations are located even though those devices are connected to equipment in the IT area.

‘IT Network’ shall mean: organisation, geographically disseminated, of IT systems interconnected to exchange data, and comprising the components of the interconnected IT systems and their interface with the supporting data or communications networks.

Notes:

(1) An IT network can use the services of one or several communications networks interconnected to exchange data; several IT networks can use the services of a common communications network.

(2) An IT network is called ‘local’ if it links several computers together in the same site.

‘IT Network Security Features’ include the IT system security features of individual IT systems comprising the network together with those additional components and features associated with the network as such (for example, network communications, security identification and labelling mechanisms and procedures, access controls, programs and audit trails) needed to provide an acceptable level of protection for classified information.

‘IT System’ shall mean: Assembly of equipment, methods and procedures, and if necessary, personnel, organised to accomplish information processing functions.

Notes:

(1) This is taken to mean an assembly of facilities, configured for handling information within the system;

(2) Such systems may be in support of consultation, command, control, communications, scientific or administrative applications including word processing;

(3) The boundaries of a system will generally be determined as being the elements under the control of a single TSO;

(4) An IT system may contain subsystems some of which are themselves IT systems.

‘IT System Security Features’ comprise all hardware/firmware/software functions, characteristics, and features; operating procedures, accountability procedures, and access controls, the IT area, remote terminal/workstation area, and the management constraints, physical structure and devices, personnel and communications controls needed to provide an acceptable level of protection for classified information to be handled in an IT system.

‘Local Informatics Security Officer’ (LISO) shall mean the official in a Commission department who is responsible for coordinating and supervising security measures within his domain.

‘Multi-level Security Mode of Operation’ shall mean: A mode of operation in which NOT ALL individuals with access to the system are cleared to the highest classification level of information handled within the system, and NOT ALL individuals with access to the system have a common need-to-know for the information handled within the system.

Notes:

(1) This mode of operation permits, currently, the handling of information of different classification levels and of mixed information category designations.

(2) The fact that not all individuals are cleared to the highest levels, associated with a lack of common need-to-know, indicates that there is a requirement for computer security features to provide elective access to, and separation of, information within the system.

‘Remote Terminal/workstation Area’ shall mean: an area containing some computer equipment, its local peripheral devices or terminals/workstations and any associated communications equipment, separate from an IT area.

‘Security Operating Procedures’ shall mean the procedures produced by the Technical Systems Owner defining the principles to be adopted on security matters, the operating procedures to be followed and personnel responsibilities.

‘SYSTEM-HIGH Security Mode of Operation’ shall mean: A mode of operation in which ALL individuals with access to the system are cleared to the highest classification level of information handled within the system, but NOT ALL individuals with access to the system have a common need-to-know for the information handled within the system.

Notes:

(1) The lack of common need-to-know indicates that there is a requirement for computer security features to provide selective access to, and separation of, information within the system.

(3) All information handled or being available to a system under this mode of operation, together with output generated, shall be protected as potentially of the information category designation and of the highest classification level being handled until determined otherwise, unless there is an acceptable level of trust that can be placed in any labelling functionality present.

‘A System Specific Security Requirement Statement’ (SSRS) is a complete and explicit statement of the security principles to be observed and of the detailed security requirements to be met. It is based on Commission security policy and risk assessment, or imposed by parameters covering the operational environment, the lowest level of personnel security clearance, the highest classification of information handled, the security mode of operation or user requirements. The SSRS is an integral part of project documentation submitted to the appropriate authorities for technical, budgetary and security approval purposes. In its final form, the SSRS constitutes a complete statement of what it means for the system to be secure.

‘Technical Systems Owner’ (TSO) shall mean the authority responsible for the creation, maintenance, operation and closing down of a system.

‘Tempest’ countermeasures: security measures intended to protect equipment and communication infrastructures against the compromise of classified information through unintentional electromagnetic emissions and through conductivity.

25.3. Security responsibilities

25.3.1. General

The advisory responsibilities of the Commission Security Policy Advisory Group, defined in Section 12, include INFOSEC issues. This Group shall organise its activities in such a way that it can provide expert advice on the above issues.

The ► Commission Security Directorate ◄ shall be responsible for issuing detailed INFOSEC provisions, based on the provisions in this chapter.

In case of problems regarding security (incidents, breaches, etc.), immediate action shall be taken by the ► Commission Security Directorate ◄ .

The ► Commission Security Directorate ◄ shall have an INFOSEC Unit.

25.3.2. The Security accreditation authority (SAA)

The ► Director of the Commission Security Directorate ◄ shall be the Security Accreditation Authority (SAA) for the Commission. The SAA is responsible in the general area of security and in the specialised areas of INFOSEC, Communication security, Crypto security and Tempest security.

The SAA shall be responsible for ensuring the compliance of systems with the Commission's security policy. One of its tasks shall be to grant the approval of a system to handle EU classified information to a defined level of classification in its operational environment.

The jurisdiction of the Commission SAA shall cover all systems in operation within the premises of the Commission. When different components of a system come under the jurisdiction of the Commission SAA and other SAAs, all parties concerned may appoint a joint accreditation board under the coordination of the Commission SAA.

25.3.3. The INFOSEC Authority (IA)

The ► Director of the Commission Security Directorate ◄ INFOSEC Unit is the INFOSEC Authority for the Commission. The INFOSEC Authority is responsible for:

— Providing technical advice and assistance to the SAA;

— Assisting in the development of the SSRS;

— Reviewing the SSRS to ensure consistency with these security rules and the INFOSEC policies and architecture documents;

— Participating in the accreditation panels/boards as required and providing INFOSEC recommendation on accreditation to the SAA;

— Providing support to the INFOSEC training and education activities;

— Providing technical advice in investigation of INFOSEC related incidents;

— Establishing technical policy guidance to ensure that only authorised software is used.

25.3.4. The Technical Systems Owner (TSO)

The responsibility for the implementation and operation of controls and special security features of a system lies with the owner of that system, the Technical Systems Owner (TSO). For centrally owned systems a Central Informatics Security Officer (CISO) shall be nominated. Each department shall, as appropriate, nominate a Local Informatics Security Officer (LISO). The responsibility of a TSO includes the creation of the Security Operating Procedures (SecOPs) and extends throughout the life cycle of a system from the project concept stage to final disposal.

The TSO shall specify the security standards and practices to be met by the supplier of the system.

The TSO may delegate a part of its responsibilities where appropriate to a Local Informatics Security Officer. A single person may perform the various INFOSEC functions.

25.3.5. The Information Owner (IO)

The Information Owner (IO) shall be responsible for EUCI (and other information) that is to be introduced, processed and produced in technical systems. He shall define the requirements for access to this information in systems. He may delegate this responsibility to an Information Manager or to a Database Manager within his domain.

25.3.6. Users

All users shall be responsible for ensuring that their actions do not adversely affect the security of the system that they are using.

25.3.7. INFOSEC training

INFOSEC education and training shall be available to all staff needing it.

25.4. Non technical security measures

25.4.1. Personnel security

Users of the system shall be cleared and have a need-to-know, as appropriate for the classification and content of the information handled within their particular system. Access to certain equipment or information specific to security of systems will call for special clearance issued according to Commission procedures.

The SAA shall designate all sensitive positions and specify the level of clearance and supervision required by all personnel occupying them.

Systems shall be specified and designed in a way that facilitates the allocation of duties and responsibilities to personnel so as to prevent one person having complete knowledge or control of the system security keys points.

IT and remote terminal/workstation areas in which the security of the system can be modified shall not be occupied by only one authorised official or other employee.

The security settings of a system shall only be changed by at least two authorised personnel working in conjunction.

25.4.2. Physical security

IT and remote terminal/workstation areas (as defined in Section 25.2) in which information classified ► CONFIDENTIEL UE ◄ and above is handled by IT means, or where potential access to such information is possible, shall be established as EU Class I or Class II security areas, as appropriate.

25.4.3. Control of access to a system

All information and material which allow access control to a system shall be protected under arrangements commensurate with the highest classification and the category designation of the information to which it may give access.

When no longer used for this purpose, the access control information and material shall be destroyed pursuant to the provisions in Section 25.5.4.

25.5. Technical security measures

25.5.1. Security of information

It shall be incumbent upon the originator of the information to identify and classify all information-bearing documents, whether they are in the form of hard-copy output or computer storage media. Each page of hard-copy output shall be marked, at the top and bottom, with the classification. Output, whether it is the form of hard-copy or computer storage media shall have the same classification as the highest classification of the information used for its production. The way in which a system is operated may also impact on the classification of outputs of that system.

It shall be incumbent upon the Commission departments and their information holders to consider the problems of aggregation of individual elements of information, and the inferences that can be gained from the related elements, and determine whether or not a higher classification is appropriate to the totality of the information.

The fact that the information may be a brevity code, transmission code or in any form of binary representation does not provide any security protection and should not, therefore, influence the classification of the information.

When information is transferred from one system to another the information shall be protected during transfer and in the receiving system in the manner commensurate with the original classification and category of the information.

All computer storage media shall be handled in a manner commensurate with the highest classification of the stored information or the media label, and at all times shall be appropriately protected.

Re-usable computer storage media used for recording EU classified information shall retain the highest classification for which they have ever been used until that information has been properly downgraded or declassified and the media reclassified accordingly, or the media declassified or destroyed in accordance with a procedure approved by the SAA (see 25.5.4).

25.5.2. Control and accountability of information

Automatic (audit trails) or manual logs shall be kept as a record of access to information classified ► SECRET UE ◄ and above. These records shall be retained in accordance with these security rules.

EU classified outputs held within the IT area may be handled as one classified item and need not be registered, provided the material is identified, marked with its classification and controlled in an appropriate manner.

Where output is generated from a system handling EU classified information, and transmitted to a remote terminal/workstation area from an IT area, procedures, agreed by the SAA shall be established for controlling and logging the output. For ► SECRET UE ◄ and above, such procedures shall include specific instructions for accountability of the information.

25.5.3. Handling and control of removable computer storage media

All removable computer storage media classified ► CONFIDENTIEL UE ◄ and above shall be handled as material and general rules will apply. Appropriate identification and classification markings need to be adapted to the specific physical appearances of the media, to enable it to be clearly recognised.

Users shall take the responsibility for ensuring that EU classified information is stored on media with the appropriate classification marking and protection. Procedures shall be established to ensure that, for all levels of EU information, the storage of information on computer storage media is being carried out in accordance with these security rules.

25.5.4. Declassification and destruction of computer storage media

Computer storage media used for recording EU classified information may be downgraded or declassified in accordance with a procedure to be approved by the SAA.

Computer storage media that have held ► TRES SECRET UE/EU TOP SECRET ◄ or special category information shall not be declassified and reused.

If computer storage media cannot be declassified or is not reusable, it shall be destroyed in accordance with the above mentioned procedure.

25.5.5. Communications security

The ► Director of the Commission Security Directorate ◄ is the Crypto Authority.

When EU classified information is transmitted electro-magnetically, special measures shall be implemented to protect the confidentiality, integrity and availability of such transmissions. The SAA shall determine the requirements for protecting transmissions from detection and interception. The information being transmitted in a communication system shall be protected based upon the requirements for confidentiality, integrity and availability.

When cryptographic methods are required to provide confidentiality, integrity and availability such methods and its associated products shall be specifically approved for the purpose by the SAA as Crypto Authority.

During transmission, the confidentiality of information classified ► SECRET UE ◄ and above shall be protected by cryptographic methods or products approved by the Member of the Commission responsible for security matters after having consulted the Commission Security Policy Advisory Group. During transmission, the confidentiality of information classified ► CONFIDENTIEL UE ◄ or ► RESTREINT UE ◄ shall be protected by cryptographic methods or products approved by the Commission Crypto Authority after having consulted the Commission Security Policy Advisory Group.

Detailed rules applicable to the transmission of EU classified information shall be set out in specific security instructions approved by the ► Commission Security Directorate ◄ after having consulted the Commission Security Policy Advisory Group.

Under exceptional operational circumstances, information classified ► RESTREINT UE ◄ , ► CONFIDENTIEL UE ◄ and ► SECRET UE ◄ may be transmitted in clear text provided each occasion is explicitly authorised and duly registered by the Information Owner. Such exceptional circumstances are as follows:

(a) During impending or actual crisis, conflict, or war situations, and

(b) When speed of delivery is of paramount importance, and means of encryption are not available, and it is assessed that the transmitted information cannot be exploited in time to adversely influence operations.

A system shall have the capability of positively denying access to EU classified information at any or all of its remote workstations or terminals, when required either by physical disconnection or by special software features approved by the SAA.

25.5.6. Installation and radiation security

Initial installation of systems and any major change thereto shall be so specified that installation is carried out by security cleared installers under constant supervision by technically qualified personnel who are cleared for access to EU classified information to the level equivalent to the highest classification which the system is expected to store and handle.

Systems handling information classified ► CONFIDENTIEL UE ◄ and above shall be protected in such a way that their security cannot be threatened by compromising emanations and or conductivity, the study and control of which is referred to as ‘Tempest’.

Tempest countermeasures shall be reviewed and approved by the Tempest authority (see 25.3.2).

25.6. Security during handling

25.6.1. Security operating procedures (SecOPs)

Security Operating Procedures (SecOPs) define the principles to be adopted on security matters, the operating procedures to be followed, and personnel responsibilities. The SecOPs shall be prepared under the responsibility of the Technical Systems Owner (TSO).

25.6.2. Software protection/configuration management

Security protection of applications programs shall be determined on the basis of an assessment of the security classification of the program itself rather than of the classification of the information it is to process. The software versions in use shall be verified at regular intervals to ensure their integrity and correct functioning.

New or modified versions of software shall not be used for the handling of EU classified information until verified by the TSO.

25.6.3. Checking for the presence of malicious software/computer viruses

Checking for the presence of malicious software/computer viruses shall be periodically carried out in accordance with the requirements of the SAA.

All computer storage media arriving in the Commission shall be checked for the presence of any malicious software or computer viruses, before being introduced into any system.

25.6.4. Maintenance

Contracts and procedures for scheduled and on-call maintenance of systems for which a SSRS has been produced shall specify requirements and arrangements for maintenance personnel and their associated equipment entering an IT area.

The requirements shall be clearly stated in the SSRS and the procedures shall be clearly stated in the SecOPs. Contractor maintenance requiring remote access diagnostic procedures shall be permitted only in exceptional circumstances, under stringent security control, and only with the approval of the SAA.

25.7. Procurement

25.7.1. General

Any security product to be used with the system to be procured shall either have been evaluated and certified, or currently be under evaluation and certification by an appropriate Evaluation or Certification body of one of the EU Member States against internationally acknowledged criteria (such as the Common Criteria for Information Technology Security Evaluation, re ISO 15408). Specific procedures are required to obtain ACPC approval.

In deciding whether equipment, particularly computer storage media, should be leased rather than purchased, it shall be borne in mind that such equipment, once used for handling EU classified information, cannot be released outside an appropriately secure environment without first being declassified to the approval of the SAA and that such approval may not always be possible.

25.7.2. Accreditation

All systems for which a SSRS has to be produced, prior to handling EU classified information, shall be accredited by the SAA, based upon information provided in the SSRS, SecOPs and any other relevant documentation. Sub-systems and remote terminals/workstations shall be accredited as part of all the systems to which they are connected. Where a system supports both Commission and other organisations, the Commission and relevant Security Authorities shall mutually agree on the accreditation.

The accreditation process may be carried out in accordance with an accreditation strategy appropriate to the particular system and defined by the SAA.

25.7.3. Evaluation and certification

Prior to accreditation, in certain instances, the hardware, firmware and software security features of a system shall be evaluated and certified as being capable of safeguarding information at the intended level of classification.

The requirements for evaluation and certification shall be included in system planning, and clearly stated in the SSRS.

The evaluation and certification processes shall be carried out in accordance with approved guidelines and by technically qualified and appropriately cleared personnel acting on behalf of the TSO.

The teams may be provided from a nominated Member State's evaluation or certification authority or its nominated representatives, for example a competent and cleared contractor.

The degree of evaluation and certification processes involved may be lessened (for example, only involving integration aspects) where systems are based on existing nationally evaluated and certified computer security products.

25.7.4. Routine checking of security features for continued accreditation

The TSO shall establish routine control procedures that shall ensure that all security features of the system are still valid.

The types of change that would give rise to re-accreditation, or requiring the prior approval of the SAA, shall be clearly identified and stated in the SSRS. After any modification, repair or failure that could have affected the security features of the system, the TSO shall ensure that a check is made to ensure the correct operation of the security features. Continued accreditation of the system shall normally depend on the satisfactory completion of the checks.

All systems where security features have been implemented shall be inspected or reviewed on a periodic basis by the SAA. In respect of systems handling ► TRES SECRET UE/EU TOP SECRET ◄ the inspections shall be carried out not less than once annually.

25.8. Temporary or occasional use

25.8.1. Security of microcomputers/personal computers

Microcomputers/Personal Computers (PCs) with fixed disks (or other non-volatile storage media), operating either in stand-alone mode or as networked configurations, and portable computing devices (for example, portable PCs and electronic ‘notebooks’) with fixed hard disks, shall be considered as information storage media in the same sense as floppy diskettes or other removable computer storage media.

This equipment shall be afforded the level of protection, in terms of access, handling, storage and transportation, commensurate with the highest classification level of information ever stored or processed (until downgraded or declassified in accordance with approved procedures).

25.8.2. Use of privately-owned IT equipment for official Commission work

The use of privately-owned removable computer storage media, software and IT hardware (for example, PCs and portable computing devices) with storage capability shall be prohibited for handling EU classified information.

Privately owned hardware, software and media shall not be brought into any Class I or Class II area where EU classified information is handled without the written authorisation of the ► Director of the Commission Security Directorate ◄ . This authorisation can only be provided for technical reasons in exceptional cases.

25.8.3. Use of contractor-owned or nationally-supplied IT equipment for official Commission work

The use of contractor-owned IT equipment and software in organisations in support of official Commission work may be permitted by the ► Director of the Commission Security Directorate ◄ . The use of nationally-provided IT equipment and software may also be permitted; in this case, the IT equipment shall be brought under the control of the appropriate Commission inventory. In either case, if the IT equipment is to be used for handling EU classified information, then the SAA shall be consulted in order that the elements of INFOSEC that are applicable to the use of that equipment are properly considered and implemented.

26. RELEASE OF EU CLASSIFIED INFORMATION TO THIRD STATES OR INTERNATIONAL ORGANISATIONS

26.1.1. Principles regulating the release of EU classified information

The Commission as a college shall decide on release of EU classified information to third States or international organisations on the basis of:

— The nature and content of such information;

— The recipients' need to know;

— The measure of advantages to EU.

The originator of the EU classified information to be released will be asked for its agreement.

These decisions will be taken on a case-by-case basis, depending on:

— The desired degree of cooperation with the third States or international organisations concerned;

— The confidence that may be placed in them — which ensues from the level of security that would be applied to the EU classified information entrusted to those States or organisations and from the consistency between the security rules applicable there and those applied in EU. The Commission Security Policy Advisory Group will give the Commission its technical opinion on this point.

The acceptance of EU classified information by third States or international organisations will imply an assurance that the information will be used for no purposes other than those motivating the release or exchange of information, and that they will provide the protection required by the Commission.

26.1.2. Levels

Once the Commission has decided that classified information may be released to or exchanged with a given State or international organisation, it will decide on the level of cooperation that is possible. This will depend in particular on the security policy and regulations applied by that State or organisation.

There are three levels of cooperation:

Level 1

Cooperation with third States or with international organisations whose security policy and regulations are very close to EU's.

Level 2

Cooperation with third States or with international organisations whose security policy and regulations are markedly different from EU's.

Level 3

Occasional cooperation with third States or with international organisations whose policy and security regulations cannot be assessed.

Each level of cooperation shall determine the procedures and security provisions, detailed in Appendices 3, 4, and 5.

26.1.3. Security agreements

Once the Commission has decided that there is a permanent or long-term need for the exchange of classified information between the Commission and third States or other international organisations, it will draw up ‘agreements on security procedures for the exchange of classified information’ with them, defining the purpose of cooperation and the reciprocal rules on the protection of the information exchanged.

In the case of level 3 occasional cooperation, which by definition is limited in time and purpose, a simple memorandum of understanding defining the nature of the classified information to be exchanged and the reciprocal obligations regarding that information may take the place of the ‘agreement on procedures for the exchange of classified information’ on condition that it is classified no higher than ► RESTREINT UE ◄ .

Draft agreements on security procedures or memoranda of understanding, shall be discussed by the Commission Security Policy Advisory Group before they are presented to the Commission for a decision.

The Member of the Commission responsible for security matters shall request all necessary assistance from Member State NSA's to ensure that the information to be released is used and protected in accordance with the provisions of the agreements on security procedures or memoranda of understanding.

▼

27. COMMON MINIMUM STANDARDS ON INDUSTRIAL SECURITY

27.1. Introduction

This Section deals with security aspects of industrial activities that are unique to negotiating and awarding contracts or grant agreements conferring tasks involving, entailing and/or containing EU classified information and to their performance by industrial or other entities, including the release of, or access to, EU classified information during the public procurement and call for proposals procedures (bidding period and pre-contract negotiations).

27.2. Definitions

For the purpose of these common minimum standards, the following definitions shall apply:

(a) ‘Classified contract’: any contract or grant agreement to supply products, execute works, render available buildings or provide services, the performance of which requires or involves access to or creation of EU classified information;

(b) ‘Classified sub-contract’: a contract entered into by a contractor or a grant beneficiary with another contractor (i.e. the subcontractor) for the supply of products, execution of works, provision of buildings or services, the performance of which requires or involves access to or generation of EU classified information;

(c) ‘Contractor’: an economic operator or legal entity possessing the legal capacity to undertake contracts or to be beneficiary of a grant;

(d) ‘Designated Security Authority (DSA)’: an authority responsible to the National Security Authority (NSA) of an EU Member State which is responsible for communicating to industry or other entities the national policy in all matters of industrial security and for providing direction and assistance in its implementation. The function of DSA may be carried out by the NSA;

(e) ‘Facility Security Clearance (FSC)’: an administrative determination by a NSA/DSA that, from the security viewpoint, a facility can afford adequate security protection to EU classified information of a specific security classification level and that its personnel who require access to EU classified information have been appropriately security cleared and briefed on the necessary security requirements for accessing and protecting EU classified information;

(f) ‘Industrial or other entity’: a contractor or a subcontractor involved in supplying goods, executing works or providing services; this may involve industrial, commercial, service, scientific, research, educational or development entities;

(g) ‘Industrial security’: the application of protective measures and procedures to prevent, detect and recover from the loss or compromise of EU classified information handled by a contractor or subcontractor in (pre)contract negotiations and classified contracts;

(h) ‘National Security Authority (NSA)’: the Government Authority of an EU Member State with ultimate responsibility for the protection of EU classified information within that Member State;

(i) ‘Overall level of security classification of a contract’: determination of the security classification of the whole contract or grant agreement, based on the classification of information and/or material that is to be, or may be, generated, released or accessed under any element of the overall contract or grant agreement. The overall level of security classification of a contract may not be lower than the highest classification of any of its elements, but may be higher because of the aggregation effect;

(j) ‘Security Aspects Letter (SAL)’: a set of special contractual conditions, issued by the contracting authority, which forms an integral part of a classified contract involving access to or generation of EU classified information, and that identifies the security requirements or those elements of the classified contract requiring security protection;

(k) ‘Security Classification Guide (SCG)’: a document which describes the elements of a programme, contract or grant agreement which are classified, specifying the applicable security classification levels. The SCG may be expanded throughout the life of the programme, contract or grant agreement, and the elements of information may be re-classified or downgraded. The SCG must be part of the SAL.

27.3. Organisation

(a) The Commission may confer by classified contract tasks involving, entailing and/or containing EU classified information on industrial or other entities registered in a Member State;

(b) The Commission shall ensure that all requirements deriving from these minimum standards are complied with when awarding classified contracts;

(c) The Commission shall involve the relevant NSA or NSAs in order to apply these minimum standards on industrial security. NSAs may refer these tasks to one or more DSAs;

(d) The ultimate responsibility for protecting EU classified information within industrial or other entities rests with the management of these entities;

(e) Whenever a classified contract or subcontract falling within the scope of these minimum standards is awarded, the Commission and/or the NSA/DSA, as appropriate, will promptly notify the NSA/DSA of the Member State in which the contractor or subcontractor is registered.

27.4. Classified contracts and grant decisions

(a) The security classification of contracts or grant agreements must take account of the following principles:

— the Commission determines, as appropriate, those aspects of the classified contract which require protection and the consequent security classification; in so doing, it must take into account the original security classification assigned by the originator to information generated before awarding the classified contract,

— the overall level of classification of the contract may not be lower than the highest classification of any of its elements,

— EU classified information generated under contractual activities is classified in agreement with the Security Classification Guide,

— where appropriate, the Commission is responsible for changing the overall level of classification of the contract, or security classification of any of its elements, in consultation with its originator, and for informing all interested parties,

— classified information released to the contractor or subcontractor or generated under contractual activity must not be used for purposes other than those defined by the classified contract and must not be disclosed to third parties without the prior written consent of the originator;

(b) The Commission and NSAs/DSAs of the relevant Member States are responsible for ensuring that contractors and subcontractors awarded classified contracts which involve information classified CONFIDENTIEL UE or above take all appropriate measures for safeguarding such EU classified information released to or generated by them in the performance of the classified contract in accordance with national laws and regulations. Non-compliance with the security requirements may result in termination of the classified contract;

(c) All industrial or other entities participating in classified contracts which involve access to information classified CONFIDENTIEL UE or above must hold a national FSC. The FSC is granted by the NSA/DSA of the Member State to confirm that a facility can afford and guarantee adequate security protection of EU classified information to the appropriate classification level;

(d) When a classified contract is awarded, a Facility Security Officer (FSO), appointed by the management of the contractor or subcontractor, shall be responsible for requesting a Personnel Security Clearance (PSC) for all persons employed in industrial or other entities registered in an EU Member State whose duties require access to information classified CONFIDENTIEL UE or above subject to a classified contract, to be granted by the NSA/DSA of that Member State in accordance with its national regulations;

(e) Classified contracts must include the SAL as defined in 27.2.(j). The SAL must contain the SCG;

(f) Before initiating a negotiated procedure for a classified contract the Commission will contact the NSA/DSA of the Member State in which the industrial or other entities concerned are registered in order to obtain confirmation that they hold a valid FSC appropriate to the level of security classification of the contract;

(g) The contracting authority must not place a classified contract with a preferred economic operator before having received the valid FSC certificate;

(h) Unless required by Member State national laws and regulations, an FSC is not required for contracts involving information classified RESTREINT UE;

(i) Invitations to tender in respect of classified contracts must contain a provision requiring that an economic operator who fails to submit a tender or who is not selected be required to return all documents within a specified period of time;

(j) It may be necessary for contractors to negotiate classified subcontracts with subcontractors at various levels. The contractor is responsible for ensuring that all subcontracting activities are undertaken in accordance with the common minimum standards contained in this Section. However, the contractor must not transmit EU classified information or material to a subcontractor without the prior written consent of the originator;

(k) The conditions under which a contractor may subcontract must be defined in the tender or call for proposals and in the classified contract. No subcontract may be awarded to entities registered in a non-EU Member State without the express written authorisation of the Commission;

(l) Throughout the life of the classified contract, compliance with all its security provisions will be monitored by the Commission, in conjunction with the relevant DSA/NSA. Any security incidents shall be reported, in accordance with the provisions laid down in Part II, Section 24 of these Rules on Security. Any change to or withdrawal of an FSC shall immediately be communicated to the Commission and to any other NSA/DSA to which it has been notified;

(m) When a classified contract or a classified subcontract is terminated, the Commission and/or the NSA/DSA, as appropriate, will promptly notify the NSA/DSA of the Member State in which the contractor or subcontractor is registered;

(n) The common minimum standards contained in this Section shall continue to be complied with, and the confidentiality of classified information shall be maintained by the contractors and subcontractors, after termination or conclusion of the classified contract or classified subcontract;

(o) Specific provisions for the disposal of classified information at the end of the classified contract will be laid down in the SAL or in other relevant provisions identifying security requirements;

(p) The obligations and conditions referred to in this Section apply mutatis mutandis to procedures where grants are awarded by decision and notably to the beneficiaries of such grants. The grant decision shall set out all obligations of the beneficiaries.

27.5. Visits

Visits by personnel of the Commission in the context of classified contracts to industrial or other entities in the Member States performing EU classified contracts must be arranged with the relevant NSA/DSA. Visits by employees of industrial or other entities within the framework of an EU classified contract must be arranged between the NSAs/DSAs concerned. However, the NSAs/DSAs involved in an EU classified contract may agree on a procedure whereby visits by employees of industrial or other entities can be arranged directly.

27.6. Transmission and transportation of EU classified information

(a) With regard to the transmission of EU classified information, the provisions of Part II, Section 21 of these Rules on Security shall apply. In order to supplement such provisions, any existing procedures in force among Member States will apply;

(b) The international transportation of EU classified material relating to classified contracts will be in accordance with Member State's national procedures. The following principles will be applied when examining security arrangements for international transportation:

— security is assured at all stages during the transportation and under all circumstances, from the point of origin to the ultimate destination,

— the degree of protection accorded to a consignment is determined by the highest classification of material contained within it,

— an FSC is obtained, where appropriate, for companies providing transportation. In such cases, personnel handling the consignment must be security cleared in compliance with the common minimum standards contained in this Section,

— journeys are point to point to the extent possible, and are completed as quickly as circumstances permit,

— whenever possible, routes should be only through EU Member States. Routes through non-EU Member States should only be undertaken when authorised by the NSA/DSA of the States of both the consignor and the consignee,

— prior to any movement of EU classified material, a Transportation Plan is made up by the consignor and approved by the NSAs/DSAs concerned.

▼

Appendix 1

COMPARISON OF NATIONAL SECURITY CLASSIFICATIONS

EU classification	TRES SECRET UE/EU TOP SECRET	SECRET UE	CONFIDENTIEL UE	RESTREINT UE
WEU classification	FOCAL TOP SECRET	WEU SECRET	WEU CONFIDENTIAL	WEU RESTRICTED
Euratom classification	EURA TOP SECRET	EURA SECRET	EURA CONFIDENTIAL	EURA RESTRICTED
NATO classification	COSMIC TOP SECRET	NATO SECRET	NATO CONFIDENTIAL	NATO RESTRICTED
Belgium	Très Secret	Secret	Confidentiel	Diffusion restreinte
Belgium	Zeer Geheim	Geheim	Vertrouwelijk	Beperkte Verspreiding
Czech Republic	Přísn tajné	Tajné	Důvěrné	Vyhrazené
Denmark	Yderst hemmeligt	Hemmeligt	Fortroligt	Til tjenestebrug
Germany	Streng geheim	Geheim	VS (1) — Vertraulich	VS — Nur für den Dienstgebrauch
Estonia	Täiesti salajane	Salajane	Konfidentsiaalne	Piiratud
Greece	Άκρως Απόρρητο	Απόρρητο	Εμπιστευτικό	Περιορισμένης Χρήσης
Greece	Abr: ΑΑΠ	Abr: (ΑΠ)	Αbr: (ΕΜ)	Abr: (ΠΧ)
Spain	Secreto	Reservado	Confidencial	Difusión Limitada
France	Très Secret Défense (2)	Secret Défense	Confidentiel Défense
Ireland	Top Secret	Secret	Confidential	Restricted
Italy	Segretissimo	Segreto	Riservatissimo	Riservato
Cyprus	Άκρως Απόρρητο	Απόρρητο	Εμπιστευτικό	Περιορισμένης Χρήσης
Latvia	Sevišķi slepeni	Slepeni	Konfidenciāli	Dienesta vajadzībām
Lithuania	Visiškai slaptai	Slaptai	Konfidencialiai	Riboto naudojimo
Luxembourg	Très Secret	Secret	Confidentiel	Diffusion restreinte
Hungary	Szigorúan titkos !	Titkos !	Bizalmas !	Korlátozott terjesztésű !
Malta	L-Ghola Segretezza	Sigriet	Kunfidenzjali	Ristrett
Netherlands	Stg (3). Zeer Geheim	Stg. Geheim	Stg. Confidentieel	Departementaalvertrouwelijk
Austria	Streng Geheim	Geheim	Vertraulich	Eingeschränkt
Poland	Ściśle Tajne	Tajne	Poufne	Zastrzeżone
Portugal	Muito Secreto	Secreto	Confidencial	Reservado
Slovenia	Strogo tajno	Tajno	Zaupno	SVN Interno
Slovakia	Prísne tajné	Tajné	Dôverné	Vyhradené
Finland	Erittäin salainen	Erittäin salainen	Salainen	Luottamuksellinen
Sweden	Kvalificerat hemlig	Hemlig	Hemlig	Hemlig
United Kingdom	Top Secret	Secret	Confidential	Restricted
(1) VS = Verschlusssache. (2) The classification Très secret défense, which covers governmental priority issues, may only be changed with the Prime Minister’s authorisation. (3) Stg = staatsgeheim.

▼M1

Appendix 2

PRACTICAL CLASSIFICATION GUIDE

This guide is indicative and may not be construed as modifying the substantial provisions laid down in Sections 16, 17, 20 and 21.

Classification

When

Who

Affixing

Downgrading/declassification/destruction

Who

When

► TRES SECRET UE/EU TOP SECRET ◄ :

This classification shall be applied only to infomation and material the unauthorised disclosure of which could cause exceptionally grave prejudice to the essential interests of the European Union or of one or more of its Member States [16.1].

The compromise of assets classified ► TRES SECRET UE/EU TOP SECRET ◄ would be likely to:

— Threaten directly the internal stability of the EU or one of its Member States or one of its Member States or friendly countries

— Cause exceptionally grave damage to relations with friendly governments

— Lead directly to widespread loss of life

— Cause exceptionally grave damage to the operational effectiveness or security of Member States or other contributors' forces, or to the continuing effectiveness of extremely valuable security or intelligence operations

— Cause severe long-term damage to the EU or Member States economy.

Duly authorised persons (originators), Directors General, Heads of Service [17.1]

Originators shall specify a date, period or event when the contents may be downgraded or declassified. [16.2]

Otherwise they shall keep the documents under review every five years at the latest, in order to ensure that the original classification is necessary [17.3].

The classification ► TRES SECRET UE/EU TOP SECRET ◄ shall be affixed to ► TRES SECRET UE/EU TOP SECRET ◄ documents, and where applicable a security designator, and/or the defence marking — ESDP, by mechanical means and by hand [16.4, 16.5, 16.3].

The EU classifications and security designators shall appear at the top and bottom centre of each page, and each page shall be numbered. Each document shall bear a reference number and a date; this reference number shall appear on each page.

If they are to be distributed in several copies, each one shall bear a copy number, which will appear on the first page, together with the total number of pages. All annexes and enclosures shall be listed on the first page [21.1].

Declassification or downgrading rests solely with the originator, who shall inform of the change any subsequent addressees to whom he has sent or copied the document [17.3].

► TRES SECRET UE/EU TOP SECRET ◄ documents shall be destroyed by the Central Registry or sub-registry responsible for them. Each document destroyed shall be listed in a destruction certificate, signed by the ► TRES SECRET UE/EU TOP SECRET ◄ Control Officer and by the Officer witnessing the destruction, who shall be ► TRES SECRET UE/EU TOP SECRET ◄ cleared. A note to this effect shall be made in the logbook. The registry shall keep the destruction certificates, together with the distributions sheet, for a period of ten years [22.5].

Surplus copies and documents no longer needed must be destroyed [22.5].

► TRES SECRET UE/EU TOP SECRET ◄ documents, including all classified waste resulting from the preparation of ► TRES SECRET UE/EU TOP SECRET ◄ documents such as spoiled copies, working drafts, typed notes and carbon paper, shall be destroyed, under the supervision of a ► TRES SECRET UE/EU TOP SECRET ◄ Control Officer, by burning, pulping, shredding or otherwise reducing into an unrecognisable and non-reconstitutable form [22.5].

► SECRET UE ◄ :

This classification shall be applied only to information and material the unauthorised disclosure of which could seriously harm the essential interests of the European Union or of one or more of its Member States [16.1].

The compromise of assets classified ► SECRET UE ◄ would be liked to:

— Raise international tensions

— Seriously damage relations with friendly governments

— Threaten life directly or seriously prejudice public order or individual security or liberty

— Cause serious damage to the operational effectiveness or security of Member States or other contributors' forces, or to the continuing effectiveness of highly valuable security or intelligence operations

— Cause substantial material damage to EU or one of its Member States financial, monetary, economic and commercial interests.

Authorised persons (originators), Directors General, Heads of Service [17.1].

Originators shall specify a date period when the contents may be downgraded or declassified. [16.2]

Otherwise they shall keep the documents under review every five years at the latest, in order to ensure that the original classification is necessary [17.3].

The classification ► SECRET UE ◄ shall be affixed to ► SECRET UE ◄ documents, and where applicable a security designator and/or the defence marking — ESDP, by mechanical means and by hand [16.4, 16.5, 16.3].

Declassification and downgrading rests soley with the originator, who shall inform of the change any subsequent addressees to whom he has sent or copied the document [17.3].

► SECRET UE ◄ documents shall be destroyed by the registry responsible for those documents, under the supervision of a security cleared person. ► SECRET UE ◄ documents that are destroyed shall be listed on signed destruction certificates to be retained by the Registry, together with the destruction forms, for at least three years [22.5].

Surplus copies and documents no longer needed must be destroyed [22.5].

► SECRET UE ◄ documents, including all classified waste resulting from the preparation of ► SECRET UE ◄ documents such as spoiled copies, working drafts, typed notes and carbon paper, shall be destroyed by burning, pulping, shredding or otherwise reducing into an unrecognisable and non-reconstitutable form [22.5].

► CONFIDENTIEL UE ◄ :

This classification shall be applied to information and material the unauthorised disclosure of which would harm the essential interests of the European Union or of one or more of its Member States [16.1].

The compromise of assets classified ► CONFIDENTIEL UE ◄ would be likely to:

— Materially damage diplomatic relations, that is, cause formal protest or other sanctions;

— Prejudice individual security or liberty;

— Cause damage to the operational effectiveness or security of Member States or other contributors' forces, or to the effectiveness of valuable security or intelligence operations;

— Substantially undermine the financial viability of major organisations;

— Impede the investigation or facilitate the commission of serious crime;

— Work substantially against EU or Member States financial, monetary, economic and commercial interests;

— Seriously impede the development or operation of major EU policies;

— Shut down or otherwise substantially disrupt significant EU activities.

Authorised persons (originators), Directors General and Heads of Service [17.1].

Originators shall specify a date or period when the contents may be downgraded or declassified. Otherwise they shall keep the documents under review every five years at the latest, in order to ensure that the original classification is necessary [17.3].

The classification ► CONFIDENTIEL UE ◄ shall be affixed to ► CONFIDENTIEL UE ◄ documents, and where applicable a security designator and/or the defence-marking — ESDP introduced, by mechanical means and by hand or by printing on pre-stamped, registered paper [16.4, 16.5, 16.3].

The EU classifications shall appear at the top and bottom centre on each page, and each page shall be numbered. Each document shall bear a reference number and a date.

All annexes and enclosures shall be listed on the first page [21.1].

Declassification and downgrading rests solely with the originator, who shall inform of the change any subsequent addressees to whom he has sent or copied the document [17.3].

► CONFIDENTIEL UE ◄ documents shall be destroyed by the registry responsible for those documents, under the supervision of a cleared person. Their destruction shall be recorded in accordance with national regulations and, in the case of Commission or EU decentralised agencies, according to instructions from the ► Member of the Commission responsible for security matters ◄ [22.5].

Surplus copies and documents no longer needed must be destroyed [22.5].

► CONFIDENTIEL UE ◄ documents, including all classified waste resulting from the preparation of ► CONFIDENTIEL UE ◄ documents such as spoiled copies, working drafts, typed notes and carbon paper, shall be destroyed by burning, pulping, shredding or otherwise reducing into an unrecognisable and non-reconstitutable form [22.5].

► RESTREINT UE ◄ :

This classification shall be applied to information and material the unauthorised disclosure of which could be disadvantageous to the interests of the EU or of one or more of its Member States [16.1].

The compromise of assets classified ► RESTREINT UE ◄ would be likely to:

— Adversely affect diplomatic relations

— Cause substantial distress to individuals

— Make it more difficult to maintain the operational effectiveness or security of Member States or other contributors' forces

— Cause financial loss or facilitate improper gain or advantage for individuals or companies

— Breach proper undertakings to maintain the confidence of information provided by third parties

— Breach statutory restrictions on disclosure of information

— Prejudice the investigation or facilitate the commission of crime

— Disadvantage EU or Member States in commercial or policy negotiations with others

— Impede the effective development or operation of EU policies

— Undermine the proper management of the EU and its operations.

Authorised persons (originators), Directors General, Heads of Service [17.1].

Originators shall specify a date, period or event when the contents may be downgraded or declassified [16.2]. Otherwise they shall keep the documents under review every five years at the latest, in order to ensure that the original classification is necessary [17.3].

The classification ► RESTREINT UE ◄ shall be affixed to ► RESTREINT UE ◄ documents, and where applicable a security designator and/or the defence marking — ESDP, by mechanical or electronic means [16.4, 16.5, 16.3].

The EU classification and security designators shall appear at the top of the first page, and each page shall be numbered. Each document shall bear a reference number and a date [21.1].

Declassification rests solely with the originator, who shall inform of the change any subsequent addressees to whom they have sent or copied the document [17.3].

► RESTREINT UE ◄ documents shall be destroyed by the registry responsible for the document or by the user, according to instructions from the ► Member of the Commission responsible for security matters ◄ [22.5].

Surplus copies and documents no longer needed must be destroyed [22.5].

Appendix 3

Guidelines for the release of EU classified information to third States or international organisations: Level 1 cooperation

PROCEDURES

1. The authority to release EU classified information to countries that are not members of the European Union or to other international organisations, whose security policy and regulations are comparable to EU's, lies with the Commission as a college.

2. Pending the conclusion of a security agreement, the Member of the Commission responsible for security matters is competent to examine requests for the release of EU classified information.

3. In doing so he/she:

— Shall seek the opinions of the originators of the EUCI to be released;

— Shall establish the necessary contacts with the security bodies of the beneficiary countries or international organisations to verify whether their security policy and provisions are such as to guarantee that the classified information released will be protected in accordance with these security provisions;

— Shall seek the opinion of the Commission Security Policy Advisory Group as to the confidence that can be placed in the beneficiary States or international bodies.

4. The Member of the Commission responsible for security matters shall forward the request and the Commission Security Policy Advisory Group's opinion to the Commission for a decision.

SECURITY PROVISIONS TO BE APPLIED BY BENEFICIARIES

5. The Member of the Commission responsible for security matters shall notify the beneficiary States or international organisations of the Commission's decision to authorise the release of EU classified information.

6. The decision to release shall come into force only when the beneficiaries have given a written assurance that they will:

— Use the information for no other than the agreed purposes;

— Protect the information in accordance with these security provisions and in particular the special rules set out below.

7. Personnel

(a) The number of officials having access to the EU classified information shall be strictly limited, based on the need-to-know principle, to those persons whose duties require such access.

(b) All officials or nationals authorised to have access to information classified ► CONFIDENTIEL UE ◄ or above shall hold either a security certificate at the appropriate level or the equivalent security clearance, either one being issued by their own State's government.

8. Transmission of documents

(a) The practical procedures for the transmission of documents shall be decided by agreement. Pending the conclusion of such an agreement the provisions of Section 21 apply. The agreement shall in particular specify the registries to which EU classified information is to be forwarded.

(b) If the classified information whose release is authorised by the Commission includes ► TRES SECRET UE/EU TOP SECRET ◄ , the beneficiary State or international organisation shall set up a central EU registry and, if necessary, EU sub-registries. These registries shall apply strictly equivalent provisions as those of Section 22 of these security provisions.

9. Registration

As soon as a registry receives a EU document classified ► CONFIDENTIEL UE ◄ or above, it shall list the document in a special register held by the organisation, with columns for the date received, particulars of the document (date, reference and copy number), its classification, title, the recipient's name or title, the date of return of the receipt and the date the document is returned to the EU originator or is destroyed.

10. Destruction

(a) EU classified documents shall be destroyed in accordance with the instructions set out in Section 22 of these security provisions. Copies of the destruction certificates for ► SECRET UE ◄ and ► TRES SECRET UE/EU TOP SECRET ◄ documents shall be sent to the EU registry that has forwarded the documents.

(b) EU classified documents shall be included in emergency destruction plans for the beneficiary bodies' own classified documents.

11. Protection of documents

Every step shall be taken to prevent unauthorised persons from having access to EU classified information.

12. Copies, translations and extracts

No photocopies or translation shall be made of a document classified ► CONFIDENTIEL UE ◄ or ► SECRET UE ◄ , or extracts taken, without the authorisation of the head of the security organisation concerned, who shall register and check those copies, translations or extracts and stamp them as necessary.

The reproduction or translation of a ► TRES SECRET UE/EU TOP SECRET ◄ document shall be authorised only by the originating authority, which shall specify the number of copies authorised; if the originating authority cannot be determined, the request shall be referred to the ► Commission Security Directorate ◄ .

13. Breaches of security

When a breach of security involving a EU classified document has taken place or is suspected, the following action shall be taken immediately, subject to the conclusion of a security agreement:

(a) Carry out an investigation to establish the circumstances of the breach of security;

(b) Notify the ► Commission Security Directorate ◄ , the relevant National Security Authority and the originating authority, or clearly state that the latter has not been notified if this has not been done;

(d) Reconsider and implement measures to prevent any recurrence;

(e) Implement any measures recommended by the ► Commission Security Directorate ◄ to prevent a recurrence.

14. Inspections

The ► Commission Security Directorate ◄ shall be permitted, by agreement with the States or international organisations concerned, to carry out an assessment of the effectiveness of measures for the protection of the EU classified information released.

15. Reporting

Subject to the conclusion of a security agreement, as long as the State or international organisation holds EU classified information, it shall submit a yearly report, by a date specified when the authorisation to release the information is given, confirming that these security provisions have been complied with.

Appendix 4

Guidelines for the release of EU classified information to third States or international organisations: Level 2 cooperation

PROCEDURES

1. The authority to release EU classified information to third States or international organisations whose security policy and regulations are markedly different from EU's lies with the originator. The authority to release EUCI created within the Commission lies with the Commission as a college.

2. In principle, it is restricted to information classified up to and including ► SECRET UE ◄ ; it excludes classified information protected by special security designators or markings.

3. Pending the conclusion of a security agreement, the Member of the Commission responsible for security matters is competent to examine requests for the release of EU classified information.

4. In doing so he/she:

— Shall seek the opinions of the originators of the EUCI to be released;

— Shall establish the necessary contacts with the security bodies of the beneficiary States or international organisations to find out information on their security policy and provisions, and in particular to draw up a table comparing the classifications applicable in the EU and in the State or organisation concerned;

— Shall arrange for a meeting of the Commission Security Policy Advisory Group or, under a silent procedure if necessary, enquire from the member States' National Security Authorities with a view to obtaining the Commission Security Policy Advisory Group's opinion.

5. The Commission Security Policy Advisory Group's opinion shall be on the following:

— The confidence that can be placed in the beneficiary States or international organisations with a view to assessing the security risks incurred by the EU or its Member States;

— An assessment of the beneficiaries' ability to protect classified information released by EU;

— Proposals as to practical procedures for the handling of the EU classified information (providing expurgated versions of a text, for example) and documents transmitted (retaining or deleting EU classification headings, specific markings, etc.);

— Downgrading or declassification before the information is released to the beneficiary countries or international organisations.

6. The Member of the Commission responsible for security matters shall forward the request and the Commission Security Policy Advisory Group's opinion to the Commission for a decision.

SECURITY RULES TO BE APPLIED BY BENEFICIARIES

7. The Member of the Commission responsible for security matters shall notify the beneficiary States or international organisations of the Commission's decision to authorise the release of EU classified information and of its restrictions.

8. The decision to release shall come into force only when the beneficiaries have given a written assurance that they will:

— Use the information for no other than the agreed purposes;

— Protect the information in accordance with the provisions laid down by the Commission.

9. The following rules of protection shall apply unless the Commission, having obtained the Commission Security Policy Advisory Group's technical opinion, decides on a particular procedure for the handling of EU classified documents (deleting mention of the EU classification, specific marking, etc.).

10. Personnel

(a) The number of officials having access to EU classified information shall be strictly limited, based on the need-to-know principle, to those persons whose duties require such access;

(b) All officials or nationals authorised to have access to the classified information released by the Commission shall have a national security clearance or authorisation for access, to an appropriate level equivalent to that of the EU, as defined in the comparative table;

(c) These national security clearances or authorisations shall be forwarded to the ► Director of the Commission Security Directorate ◄ for information.

11. Transmission of documents

The practical procedures for the transmission of documents shall be decided by agreement. Pending the conclusion of such an agreement the provisions of Section 21 shall apply. The agreement shall in particular specify the registries to which EU classified information is to be forwarded and the precise addresses to which the documents shall be forwarded as well as the courier or mail services used for the transmission of the EU classified information.

12. Registration on arrival

The addressee State's NSA or its equivalent in the State receiving on behalf of its government the classified information forwarded by the Commission, or the security bureau of the recipient international organisation, shall open a special register to record EU classified information on its receipt. The Register shall contain columns indicating the date received, particulars of the document (date, reference and copy number), its classification, title, the addressee's name or title, the date of return of the receipt and the date of return of the document to EU or its destruction.

13. Return of documents

When the recipient returns a classified document to the Commission, it shall proceed as indicated in the paragraph ‘Transmission of documents’ above.

14. Protection

(a) When the documents are not in use, they shall be stored in a security container that is approved for the storage of nationally-classified material of the same classification. The container shall bear no indication of its contents, which shall be accessible only to persons authorised to handle EU classified information. Where combination locks are used, the combination shall be known only to those officials in the State or organisation having authorised access to the EU classified information stored in the container and shall be changed every six months, or sooner on the transfer of an official, on withdrawal of the security clearance of one of the officials knowing the combination or if there is a risk of compromise.

(b) EU classified documents shall be removed from the security container only by those officials cleared for access to the EU classified documents and having need-to-know. They shall remain responsible for the safe custody of those documents as long as they are in their possession and, in particular, for ensuring that no unauthorised person has access to the documents. They shall also ensure that the documents are stored in a security container when they have finished consulting them and outside working hours.

(c) No photocopies shall be made of a document classified ► CONFIDENTIEL UE ◄ or above, nor extracts taken, without the authorisation of the ► Commission Security Directorate ◄ .

(d) The procedure for the rapid and total destruction of the documents in an emergency shall be defined and confirmed with the ► Commission Security Directorate ◄ .

15. Physical security

(a) When not in use, security containers used for storage of EU classified documents shall be kept locked at all times;

(b) When it is necessary for maintenance or cleaning staff to enter or work in a room which houses such security containers, they shall be escorted at all times by a member of the State's or organisation's security service or by the official more specifically responsible for supervising the security of the room;

(c) Outside normal working hours (at night, at weekends and on public holidays) the security containers containing EU classified documents shall be protected either by a guard or by an automatic alarm system.

16. Breaches of security

When a breach of security involving a EU classified document has taken place or is suspected, the following action shall be taken immediately:

(a) Forward a report immediately to the ► Commission Security Directorate ◄ or the NSA of the Member State that has taken the initiative in forwarding documents (with a copy to the ► Commission Security Directorate ◄ );

(b) Conduct an enquiry, on completion of which a full report shall be submitted to the security body (see (a) above). The requisite measures to remedy the situation shall then be adopted.

17. Inspections

18. Reporting

Appendix 5

Guidelines for the release of EU classified information to third States or international organisations: Level 3 cooperation

PROCEDURES

1. From time to time, the Commission may wish to cooperate in certain special circumstances with States or organisations that cannot give the assurances required by these security rules, but that cooperation may call for the release of EU classified information.

2. The authority to release EU classified information to third States or international organisations whose security policy and regulations are markedly different from EU's lies with the originator. The authority to release EUCI created within the Commission lies with the Commission as a college.

In principle, it is restricted to information classified up to and including ► SECRET UE ◄ ; it excludes classified information protected by special security designators or markings.

3. The Commission shall consider the wisdom of releasing classified information, assess the beneficiaries' need to know and decide on the nature of the classified information that may be communicated.

4. If the Commission is in favour, the Member of the Commission responsible for security matters

— Shall seek the opinions of the originators of the EUCI to be released;

— Shall arrange for a meeting of the Commission Security Policy Advisory Group or, under a silent procedure if necessary, enquire from the Member States' National Security Authorities with a view to obtaining the Commission Security Policy Advisory Group's opinion.

5. The Commission Security Policy Advisory Group's opinion shall be on the following:

(a) An evaluation of the security risks incurred by EU or its Member States;

(b) The level of classification of the information that may be released;

(d) Procedures for handling the documents to be released (see paragraph below);

(e) The possible methods of transmission (use of public postal services, public or secure telecommunications systems, diplomatic bag, cleared couriers, etc.).

6. The documents released to the States or organisations covered in this Appendix shall, in principle, be prepared without reference to the source or an EU classification. The Commission Security Policy Advisory Group may recommend:

— The use of a specific marking or codename;

— The use of a specific system of classification linking the sensitivity of the information to the control measures required of the beneficiary methods of transmission of the documents.

7. The ► Member of the Commission responsible for security matters ◄ shall forward the Commission Security Policy Advisory Group's opinion to the Commission for a decision.

8. Once the Commission has approved the release of EU classified information and the practical implementing procedures, the ► Commission Security Directorate ◄ shall establish the necessary contact with the security body of the State or organisation concerned to facilitate the application of the security measures envisaged.

9. The Member of the Commission responsible for security matters shall inform the Member States about the nature and classification of the information, listing the organisations and countries to which it may be released, as decided by the Commission.

10. The ► Commission Security Directorate ◄ shall take all the necessary measures to facilitate any consequent damage assessment and review of procedures.

Whenever the conditions of cooperation change, the Commission shall reconsider the issue.

SECURITY PROVISIONS TO BE APPLIED BY BENEFICIARIES

11. The Member of the Commission responsible for security matters shall notify the beneficiary States or international organisations of the Commission's decision to authorise the release of EU classified information, together with the detailed rules of protection proposed by the Commission Security Policy Advisory Group and approved by the Commission.

12. The decision shall come into force only when the beneficiaries have given a written assurance that they will:

— Use the information for no other purpose than the cooperation decided by the Commission;

— Offer the information the protection required by the Commission.

13. Transmission of documents

(a) The practical procedures for the transmission of documents shall be agreed between the ► Commission Security Directorate ◄ and the security bodies of the recipient States or international organisations. They shall in particular specify the precise addresses to which the documents must be forwarded.

(b) Documents classified ► CONFIDENTIEL UE ◄ and higher shall be transmitted under double cover. The inner envelope shall bear the specific stamp or codename decided upon and a mention of the special classification approved for the document. A receipt form shall be enclosed for each classified document. The receipt form, which shall not itself be classified, shall quote only the particulars of the document (its reference, date, copy number) and its language, not the title.

(c) The inner envelope shall then be placed in the outer envelope, which shall carry a package number for receipting purposes. The outer envelope shall not bear a security classification.

(d) A receipt showing the package number shall always be given to the couriers.

14. Registration on arrival

The addressee State's NSA or its equivalent in the State receiving the classified information forwarded by the Commission on behalf of its government, or the security bureau of the recipient international organisation, shall open a special register to record EU classified information on its receipt. The Register shall contain columns indicating the date received, particulars of the document (date, reference and copy number), its classification, title, the addressee's name or title, the date of return of the receipt and the date of return of the receipt to EU and the date of destruction of the document.

15. Use and protection of the classified information exchanged

(a) Information at the level of ► SECRET UE ◄ shall be handled by specifically designated officials, authorised to have access to information with this classification. It shall be stored in good quality security cabinets that can be opened only by the persons authorised to have access to the information they contain. The areas in which those cabinets are located shall be permanently guarded and a system of verification shall be set up to ensure that only duly authorised persons are allowed to enter. ► SECRET UE ◄ -level information shall be forwarded by diplomatic bag, secure mail services or by secure telecommunications. An ► SECRET UE ◄ document shall be copied only with the originating authority's written agreement. All copies shall be registered and monitored. Receipts shall be issued for all operations relating to ► SECRET UE ◄ documents;

(b) ► CONFIDENTIEL UE ◄ shall be handled by duly designated officials authorised to be informed on the subject. Documents shall be stored in locked security cabinets in controlled areas;

► CONFIDENTIEL UE ◄ information shall be forwarded by diplomatic bag, military mail services and secure telecommunications. Copies may be made by the recipient body, their number and distribution being recorded in special registers;

(c) ► RESTREINT UE ◄ information shall be handled in premises that are not accessible to unauthorised personnel and stored in locked containers. Documents may be forwarded by public postal services as registered mail in a double envelope and, in emergency situations during operations, by the unprotected public telecommunications systems. The recipients may make copies;

(d) Unclassified information shall not call for special protection measures and may be forwarded by mail and public telecommunications systems. The addressees may make copies.

16. Destruction

Documents no longer needed shall be destroyed. In the case of ► RESTREINT UE ◄ and ► CONFIDENTIEL UE ◄ documents, an appropriate note shall be entered in the special registers. In the case of ► SECRET UE ◄ documents, destruction certificates shall be issued and signed by two persons witnessing their destruction.

17. Breaches of security

If ► CONFIDENTIEL UE ◄ or ► SECRET UE ◄ information is compromised or there is a suspicion of compromise, the NSA of the State or the head of security in the organisation shall conduct an enquiry into the circumstances of the compromise. The ► Commission Security Directorate ◄ shall be notified of its results. The necessary steps shall be taken to remedy inadequate procedures or storage methods if they have given rise to the compromise.

Appendix 6

LIST OF ABBREVIATIONS

ACPC	Advisory Committee on Procurement and Contracts
CrA	Crypto Authority
CISO	Central Informatics Security Officer
COMPUSEC	Computer Security
COMSEC	Communication Security
CSD	► Commission Security Directorate ◄
▼
DSA	Designated Security Authority
▼M1
ESDP	European Security and Defence Policy
EUCI	EU classified information
▼
FSC	Facility Security Clearance
FSO	Facility Security Officer
▼M1
IA	INFOSEC Authority
INFOSEC	Information Security
IO	Information Owner
ISO	International Organisation for Standardisation
IT	Information Technology
LISO	Local Informatics Security Officer
LSO	Local Security Officer
MSO	Meeting Security Officer
NSA	National Security Authority
PC	Personal Computer
▼
PSC	Personnel Security Clearance
▼M1
RCO	Registry Control Officer
SAA	Security Accreditation Authority
▼
SAL	Security Aspects Letter
SCG	Security Classification Guide
▼M1
SecOPS	Security Operating Procedures
SSRS	Specific Security Requirement Statement
TA	Tempest Authority
TSO	Technical Systems Owner

▼M5

DETAILED RULES FOR THE APPLICATION OF REGULATION (EC) No 1049/2001 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL REGARDING PUBLIC ACCESS TO EUROPEAN PARLIAMENT, COUNCIL AND COMMISSION DOCUMENTS

Whereas:

(1)	In accordance with Article 255(2) of the EC Treaty, the European Parliament and the Council adopted Regulation (EC) No 1049/2001 regarding public access to European Parliament, Council and Commission documents. ( 15 )

(2)	In accordance with Article 255(3) of the Treaty, Article 18 of the Regulation, which lays down general principles and limits for the exercise of the right of access to documents, provides that each institution is to adapt its Rules of Procedure to the provisions of the Regulation,

Article 1

Beneficiaries

Citizens of the Union and natural or legal persons residing or having their registered office in a Member State shall exercise their right of access to Commission documents under Article 255(1) of the Treaty and Article 2(1) of Regulation (EC) No 1049/2001 in accordance with these detailed rules. This right of access concerns documents held by the Commission, that is to say, documents drawn up or received by it and in its possession.

Pursuant to Article 2(2) of Regulation (EC) No 1049/2001, citizens of third countries not residing in a Member State and legal persons not having their registered in one of the Member States shall enjoy the right of access to Commission documents on the same terms as the beneficiaries referred to in Article 255(1) of the Treaty.

However, pursuant to Article 195(1) of the Treaty, they shall not have the option of laying a complaint before the European Ombudsman. But if the Commission wholly or partly refuses them access to a document after a confirmatory application, they may bring an action before the Court of First Instance of the European Communities in accordance with the fourth paragraph of Article 230 of the Treaty.

Article 2

Access applications

All applications for access to a document shall be sent by mail, fax or e-mail to the Secretariat-General of the Commission or to the relevant Directorate-General or department. The addresses to which applications are to be sent shall be published in the practical guide referred to in Article 8 of these Rules.

The Commission shall answer initial and confirmatory access applications within fifteen working days from the date of registration of the application. In the case of complex or bulky applications, the deadline may be extended by fifteen working days. Reasons must be given for any extension of the deadline and it must be notified to the applicant beforehand.

If an application is imprecise, as referred to in Article 6(2) of Regulation (EC) No 1049/2001, the Commission shall invite the applicant to provide additional information making it possible to identify the documents requested; the deadline for reply shall run only from the time when the Commission has this information.

Any decision which is even partly negative shall state the reason for the refusal based on one of the exceptions listed in Article 4 of Regulation (EC) No 1049/2001 and shall inform the applicant of the remedies available to him.

Article 3

Treatment of initial applications

Without prejudice to Article 9 of these Rules, as soon as the application is registered, an acknowledgement of receipt shall be sent to the applicant, unless the answer can be sent by return post.

The acknowledgement of receipt and the answer shall be sent in writing, where appropriate, by electronic means.

The applicant shall be informed of the response to his application either by the Director-General or the head of department concerned, or by a Director designated for this purpose in the Secretariat-General or by a Director designated in the OLAF where the application concerns documents concerning OLAF activities referred to in Article 2(1) and (2) of Commission Decision 1999/352/EC, ECSC, Euratom ( 16 ) establishing OLAF, or by a member of staff they have designated for this purpose.

Any answer which is even partly negative shall inform the applicant of his right to submit, within fifteen working days from receipt of the answer, a confirmatory application to the Secretary-General of the Commission or to the Director of OLAF where the confirmatory application concerns documents concerning OLAF activities referred to in Article 2(1) and (2) of Decision 1999/352/EC, ECSC, Euratom.

Article 4

Treatment of confirmatory applications

In accordance with Article 14 of the Commission's Rules of Procedure, the power to take decisions on confirmatory applications is delegated to the Secretary-General. However, where the confirmatory application concerns documents concerning OLAF activities referred to in Article 2(1) and (2) of Decision 1999/352/EC, ECSC, Euratom, the decision-making power is delegated to the Director of OLAF.

The Directorate-General or department shall assist the Secretariat-General in the preparation of the decision.

The decision shall be taken by the Secretary-General or by the Director of OLAF after agreement of the Legal Service.

The decision shall be notified to the applicant in writing, where appropriate by electronic means, and inform him of his right to bring an action before the Court of First Instance or to lodge a complaint with the European Ombudsman.

Article 5

Consultations

1. Where the Commission receives an application for access to a document which it holds but which originates from a third party, the Directorate-General or department holding the document shall check whether one of the exceptions provided for by Article 4 of Regulation (EC) No 1049/2001 applies. If the document requested is classified under the Commission's security rules, Article 6 of these Rules shall apply.

2. If, after that examination, the Directorate-General or department holding the document considers that access to it must be refused under one of the exceptions provided for by Article 4 of Regulation (EC) No 1049/2001, the negative answer shall be sent to the applicant without consultation of the third-party author.

3. The Directorate-General or department holding the document shall grant the application without consulting the third-party author where:

(a) the document requested has already been disclosed either by its author or under the Regulation or similar provisions;

(b) the disclosure, or partial disclosure, of its contents would not obviously affect one of the interests referred to in Article 4 of Regulation (EC) No 1049/2001.

4. In all the other cases, the third-party author shall be consulted. In particular, if the application for access concerns a document originating from a Member State, the Directorate-General or department holding the document shall consult the originating authority where:

(a) the document was forwarded to the Commission before the date from which Regulation (EC) No 1049/2001 applies;

(b) the Member State has asked the Commission not to disclose the document without its prior agreement, in accordance with Article 4(5) of Regulation (EC) No 1049/2001.

5. The third-party author consulted shall have a deadline for reply which shall be no shorter than five working days but must enable the Commission to abide by its own deadlines for reply. In the absence of an answer within the prescribed period, or if the third party is untraceable or not identifiable, the Commission shall decide in accordance with the rules on exceptions in Article 4 of Regulation (EC) No 1049/2001, taking into account the legitimate interests of the third party on the basis of the information at its disposal.

6. If the Commission intends to give access to a document against the explicit opinion of the author, it shall inform the author of its intention to disclose the document after a ten-working day period and shall draw his attention to the remedies available to him to oppose disclosure.

7. Where a Member State receives an application for access to a document originating from the Commission, it may, for the purposes of consultation, contact the Secretariat-General, which shall be responsible for determining the Directorate-General or department responsible for the document within the Commission. The issuing Directorate-General or department of the document reply to the application after consulting the Secretariat-General.

Article 6

Treatment of applications for access to classified documents

Where an application for access concerns a sensitive document as defined in Article 9(1) of Regulation (EC) No 1049/2001, or another document classified under the Commission's security rules, it shall be handled by officials entitled to acquaint themselves with the document.

Reasons shall be given on the basis of the exceptions listed in Article 4 of Regulation (EC) No 1049/2001 for any decision refusing access to all or part of a classified document. If it proves that access to the requested document cannot be refused on the basis of these exceptions, the official handling the application shall ensure that the document is declassified before sending it to the applicant.

The agreement of the originating authority shall be required if access is to be given to a sensitive document.

Article 7

Exercise of the right of access

Documents shall be sent by mail, fax or, if available, by e-mail, depending on the application. If documents are voluminous or difficult to handle, the applicant may be invited to consult the documents on the spot. This consultation shall be free.

If the document has been published, the answer shall consist of the publication references and/or the place where the document is available and where appropriate of its web address on the EUROPA site.

If the volume of the documents requested exceeds twenty pages, the applicant may be charged a fee of EUR 0,10 per page plus carriage costs. The charges for other media shall be decided case by case but shall not exceed a reasonable amount.

Article 8

Measures facilitating access to the documents

1. The coverage of the register provided for by Article 11 of Regulation (EC) No 1049/2001 shall be extended gradually. It shall be announced on the EUROPA homepage.

The register shall contain the title of the document (in the languages in which it is available), its serial number and other useful references, an indication of its author and the date of its creation or adoption.

A help page (in all official languages) shall inform the public how the document can be obtained. If the document is published, there shall be a link to the full text.

2. The Commission shall draw up a practical guide to inform the public of their rights under Regulation (EC) No 1049/2001. The guide shall be distributed in all official languages on the EUROPA site and in booklet form.

Article 9

Documents directly accessible to the public

1. This Article applies only to documents drawn up or received after the date from which Regulation (EC) No 1049/2001 applies.

2. The following documents shall be automatically provided on request and, as far as possible, made directly accessible by electronic means:

(a) agendas for Commission meetings;

(b) ordinary minutes of Commission meetings, after approval;

(d) documents originating from third parties which have already been disclosed by their author or with his consent;

(e) documents already disclosed following a previous application.

3. If it is clear that none of the exceptions provided for in Article 4 of Regulation (EC) No 1049/2001 is applicable to them, the following documents may be made available, as far as possible by electronic means, provided they do not reflect opinions or individual positions:

(a) after the adoption of a proposal for an act of the Council or of the European Parliament and of the Council, preparatory documents for that proposal that were submitted to the College during the adoption process;

(b) after the adoption of an act by the Commission under the implementing powers conferred on it, preparatory documents for that act submitted to the College during the adoption process;

(c) after the adoption by the Commission of an act under its own powers, or of a communication, report or working document, preparatory documents for that document submitted to the College during the adoption process.

Article 10

Internal organisation

The Directors-General and heads of department shall have the power to decide on the action to be taken on initial applications. To this end, they shall designate an official to consider access applications and coordinate the response of his Directorate-General or department.

Answers to initial applications shall be sent to the Secretariat-General for information.

Confirmatory applications shall be sent for information to the Directorate-General or department which answered the initial application.

The Secretariat-General shall ensure coordination and uniform implementation of these rules by Commission Directorates-General and departments. To this end, it shall provide all necessary advice and guidelines.

▼M6

PROVISIONS ON DOCUMENT MANAGEMENT

Whereas:

(1)	All the Commission's activities and decisions in the political, legislative, technical, financial and administrative fields ultimately lead to the production of documents.

(2)

Those documents must be managed on the basis of rules applicable to all Directorates-General and equivalent departments, as they form a direct link with activities in progress and also reflect the Commission's past activities in its dual capacity as a European institution and European public administration.

(3)

Those standard rules must ensure that the Commission is able, at any time, to provide information on the matters for which it is accountable. The documents and files kept by a Directorate-General or equivalent department must therefore preserve the institution's memory, facilitate the exchange of information, provide proof of operations carried out and meet the department's legal obligations.

(4)	Implementation of the abovementioned rules requires the establishment of a sound and reliable organisational structure within each Directorate-General or equivalent department, at interdepartmental level and at Commission level.

(5)	The establishment and implementation of a filing plan associated with a common nomenclature for all the Commission's departments, which will form part of the institution's activity-based management, will make it possible to organise files and improve openness and access to documents.

(6)	Efficient document management is an essential prerequisite for an effective policy of public access to Commission documents. The establishment of registers containing the references of documents drawn up or received by the Commission will help citizens to exercise their right of access,

Article 1

Definitions

For the purposes of these provisions:

— document shall mean any content drawn up or received by the Commission concerning a matter relating to the policies, activities and decisions falling within the institution's competence and in the framework of its official tasks, in whatever medium (written on paper or stored in electronic form or as a sound, visual or audio-visual recording),

— file shall mean the core around which the documents are organised in line with the institution's activities, for reasons of proof, justification or information and to guarantee efficiency in the work.

Article 2

Object

These provisions set out the principles for document management.

Document management must ensure:

— the due creation, receipt and storage of documents,

— the identification of each document by means of appropriate signs enabling it to be filed, searched for and easily referred to,

— the preservation of the institution's memory, retention of proof of activities undertaken and fulfilment of the department's legal obligations,

— easy exchange of information,

— compliance with the Commission's obligations as regards openness.

Article 3

Standard rules

Documents shall undergo the following operations:

— registration,

— filing,

— storage,

— transfer of files to the Historical Archives.

These operations shall be carried out in accordance with a set of standard rules, which shall apply uniformly to all the Commission's Directorates-General and equivalent departments.

Article 4

Registration

As soon as a document is received or formally drawn up within a department, in whatever medium, it shall be analysed with a view to determining what is to be done with it and thus whether or not it must be registered.

A document drawn up or received by a Commission department must be registered if it contains important information which is not short-lived and/or may involve action or follow-up by the Commission or one of its departments. If the document is drawn up within the Commission, it shall be registered by the originating department in its own system. If the document is received by the Commission, it shall be registered by the recipient department. Any subsequent processing of documents registered in this way shall refer to their original registration.

Registration must make it possible clearly and definitely to identify the documents drawn up or received by the Commission or one of its departments so that they can be traced throughout their life cycle.

Registers shall be kept containing document references.

Article 5

Filing

Directorates-General and equivalent departments shall draw up a filing plan adapted to their specific needs.

This filing plan, which shall be accessible by computer, shall be associated with a common nomenclature defined by the Secretariat-General for all the Commission's departments. This nomenclature shall form part of the Commission's activity-based management.

Registered documents shall be organised in files. For each matter falling within the competence of the Directorate-General or equivalent department, a single official file shall be constituted. Each official file must be complete and must correspond to the activities of the department on the matter in question.

The creation of a file and its attachment to the filing plan of a Directorate-General or equivalent department shall be the responsibility of the department responsible for the activity covered by the file in accordance with practical arrangements to be set out in each Directorate-General or equivalent department.

Article 6

Storage

Each Directorate-General or equivalent department shall ensure the physical protection and the short- and medium-term accessibility of the documents for which it is responsible, and must be in a position to produce or reconstruct the files to which they belong.

The administrative rules and legal obligations shall determine the minimum period for which a document must be kept.

Each Directorate-General or equivalent department shall determine its internal organisational structure for the storage of its files. The minimum storage period within its departments shall take account of a common list, drawn up in accordance with the implementing rules referred to in Article 12, for the whole of the Commission.

Article 7

Appraisal and transfer to the Historical Archives

Without prejudice to the minimum storage periods referred to in Article 6, the document management centre(s) referred to in Article 9 shall carry out, at regular intervals, in cooperation with the departments responsible for the files, an appraisal of the documents and files which could be transferred to the Commission's Historical Archives. After evaluating the proposals, the Historical Archives may refuse the transfer of documents or files. Reasons shall be given for any decision refusing transfer and the department concerned shall be informed of such decision.

Files or documents which it is no longer considered necessary for the departments to keep shall be transferred no later than fifteen years after their production, by the document management centre and under the authority of the Director-General, to the Commission's Historical Archives. These files or documents shall then be evaluated in accordance with the rules laid down in the implementing rules referred to in Article 12 and intended to separate those which must be stored from those which have no administrative or historical value.

The Historical Archives shall have special repositories for storing the files and documents transferred in this way. On request, they shall make the documents and files available to the originating Directorate-General or equivalent department.

Article 8

Classified documents

Classified documents shall be processed in accordance with the rules in force on security.

Article 9

Document management centres

Each Directorate-General or equivalent department shall, while taking its structure and constraints into account, put in place or maintain one or more document management centres.

The task of the document management centres shall be to ensure that the documents drawn up or received in their Directorate-General or equivalent department are managed in accordance with the rules.

Article 10

Document management officers

Each Director-General or Head of Department shall designate a document management officer.

For the purpose of setting up a modern and efficient document and records management system, the task of the document management officer shall be to:

— identify the types of document and file specific to the fields of activity of the Directorate-General or equivalent department,

— draw up and update the inventory of the existing specific databases and systems,

— draw up the filing plan of the Directorate-General or equivalent department,

— draw up rules and procedures specific to the Directorate-General or equivalent department which will be used for document and file management, and to ensure that they are applied,

— organise, within the Directorate-General or equivalent department, training for the staff in charge of the implementation, control and monitoring of the management rules laid down in these provisions.

The document management officer shall ensure horizontal coordination between the document management centre(s) and the other departments concerned.

Article 11

Interdepartmental group

An interdepartmental group of document management officers shall be set up. It shall be chaired by the Secretariat-General and its task shall be to:

— ensure the correct and uniform application of these provisions within departments,

— deal with any issues which may arise from their application,

— contribute to the preparation of the implementing rules referred to in Article 12,

— relay the requirements of Directorates-General and equivalent departments as regards training and support measures.

The interdepartmental group shall be convened by its chairman, either on the chairman's initiative or at the request of a Directorate-General or equivalent department.

Article 12

Implementing rules

Rules for the implementation of these provisions shall be adopted and regularly updated by the Secretary-General, in agreement with the Director-General for Personnel and Administration, acting on a proposal from the interdepartmental group of document management officers.

The updating shall, in particular, take account of:

— the development of new information and communication technologies,

— changes in documentary sciences and the results of Community and international research, including the emergence of new standards in the field,

— the Commission's obligations regarding openness and public access to documents and document registers,

— developments in the standardisation and presentation of the Commission's documents and those of its departments,

— the rules laid down concerning the evidential value of electronic documents.

Article 13

Implementation in the departments

Each Director-General or Head of Department shall put in place the necessary organisational, administrative and physical structure and provide the staff required for the implementation of these provisions and the implementing rules by his departments.

Article 14

Information, training and support

The Secretariat-General and the Directorate-General for Personnel and Administration shall put in place the necessary information, training and support measures to ensure the implementation and application of these provisions within the Directorates-General and equivalent departments.

When determining training measures they shall take due account of the training and support requirements of Directorates-General and equivalent departments as relayed by the interdepartmental group of document management officers.

Article 15

Compliance with the provisions

The Secretariat-General shall be responsible for ensuring compliance with these provisions in coordination with the Directors-General and Heads of Department.

▼M11 —————

▼M8

COMMISSION'S PROVISIONS ON ELECTRONIC AND DIGITISED DOCUMENTS

Whereas:

(1)

The effect of the generalised use of the new information and communication technologies by the Commission for its own operation and for its exchanges of documents with the outside world, in particular with Community administrations, including the bodies responsible for the implementation of certain Community policies, and with the national administrations, is that the Commission’s document system contains an increasing number of documents in electronic or digitised form.

(2)

Following the White Paper on the reform of the Commission ( 17 ), of which Actions 7, 8 and 9 aim to ensure the changeover to the e-Commission, and the communication ‘Towards the e-Commission: Implementation Strategy 2001 to 2005 (Actions 7, 8 and 9 of the Reform White Paper)’ ( 18 ), the Commission intensified the development of computer systems which make it possible to manage documents and procedures electronically, in its own working procedures and in relations between departments.

(3)

By Decision 2002/47/EC, ECSC, Euratom ( 19 ), the Commission annexed to its Rules of Procedure provisions on document management to ensure, in particular, that the Commission is able, at any time, to provide information on the matters for which it is accountable. In its communication on simplification and modernisation of the management of its documents ( 20 ), the Commission set the medium-term aim of introducing a system of management and electronic archiving of documents based on a body of common rules and procedures applicable to all departments.

(4)

Documents must be managed in compliance with the security rules which are incumbent on the Commission, in particular as regards classification of documents in accordance with Decision 2001/844/EC, ECSC, Euratom ( 21 ), protection of information systems in accordance with its Decision C(95) 1510, and personal data protection in accordance with Regulation (EC) No 45/2001 of the European Parliament and of the Council ( 22 ). The Commission’s document system must accordingly be so conceived that information systems, networks and transmission facilities which feed it are protected by adequate security measures.

(5)

Provisions must be adopted to determine not only the conditions under which electronic and digitised documents and documents transmitted electronically are valid for the Commission’s purposes, where these conditions are not determined elsewhere, but also the conditions under which they are to be stored, guaranteeing the integrity and legibility over time of such documents and of the related metadata throughout the period for which they are to be kept,

HAS DECIDED AS FOLLOWS:

Article 1

Subject matter

These provisions determine the conditions of validity of electronic and digitised documents for the Commission’s purposes. They are also intended to ensure the authenticity, integrity and legibility over time of these documents and of the relevant metadata.

Article 2

Scope

These provisions apply to electronic and digitised documents established or received and held by the Commission.

They may be made applicable, by agreement, to electronic and digitised documents held by other entities responsible for applying certain Community policies or to documents exchanged via data transmission networks between administrations of which the Commission is part.

Article 3

Definitions

For the purposes of these provisions, the following definitions shall apply:

‘document’ : document as defined both by Article 3(a) of Regulation (EC) No 1049/2001 of the European Parliament and of the Council ( 23 ) and by Article 1 of the provisions on document management annexed to the Rules of Procedure of the Commission, hereinafter referred to as ‘provisions on document management’;

2.	‘electronic document’ : a data-set input or stored on any type of medium by a computer system or a similar mechanism, which can be read or displayed by a person or by such a system or mechanism, and any display or retrieval of such data in printed or other form;

‘document digitisation’ : the process of transforming a document on paper or any other traditional type of medium into an electronic image. Digitisation concerns all types of document and can be carried out from various media such as paper, fax, microforms (microfiche, microfilms), photographs, video or audio cassettes and films;

‘life cycle of a document’ : all the stages or periods in the life of a document from the time it is received or formally drawn up within the meaning of Article 4 of the provisions on document management until its transfer to the Commission’s historical archives and its opening to the public or until its destruction within the meaning of Article 7 of the said provisions;

5.	‘Commission’s document system’ : all documents, files and metadata drawn up, received, recorded, classified and stored by the Commission;

6.	‘integrity’ : the fact that the information contained in the document and the relevant metadata are complete (all the data are present) and correct (each data item is unchanged);

‘legibility over time’ : the fact that the information contained in the documents and the relevant metadata remain easily readable by any person who is required or entitled to have access to them throughout the life cycle of the documents, from their formal establishment or reception until their transfer to the Commission’s historical archives and their opening to the public or until their authorised destruction in accordance with their required storage period;

‘metadata’ : the data describing the context, contents and structure of documents and their management over time, as determined by the implementing rules for the application of the provisions on document management and to be supplemented by the implementing rules for the application of these provisions;

9.	‘electronic signature’ : electronic signature within the meaning of Article 2(1) of Directive 1999/93/EC of the European Parliament and of the Council ( 24 );

10.	‘advanced electronic signature’ : electronic signature within the meaning of Article 2(2) of Directive 1999/93/EC.

Article 4

Validity of electronic documents

1. Whenever the applicable Community or national provision requires the signed original of a document, an electronic document drawn up or received by the Commission satisfies this requirement if the document in question bears an advanced electronic signature which is based on a qualified certificate and which is created by a secure signature creation device or an electronic signature offering equivalent assurances with regard to the functionalities attributed to a signature.

2. Whenever the applicable Community or national provision requires a document to be drawn up in writing without, however, requiring a signed original, an electronic document drawn up or received by the Commission satisfies this requirement if the person from whom it emanates is duly identified and the document is drawn up under such conditions as to guarantee the integrity of its contents and of the relevant metadata and is stored in accordance with the conditions laid down in Article 7.

3. The provisions of this Article shall apply from the day following the adoption of the implementing rules referred to in Article 9.

Article 5

Validity of electronic procedures

1. Where a procedure specific to the Commission requires the signature of an authorised person or the approval of a person at one or more stages of the procedure, the procedure may be managed by computer systems provided that each person is identified clearly and unambiguously and the system in question ensures that the contents, including as regards the stages of the procedure, cannot be altered.

2. Where a procedure involves the Commission and other entities and requires the signature of an authorised person or the approval of a person at one or more stages of the procedure, the procedure may be managed by computer systems offering conditions and technical assurances determined by agreement.

Article 6

Transmission by electronic means

1. The transmission of documents by the Commission to an internal or external recipient may be carried out by the communication technique best adapted to the circumstances of the case.

2. Documents may be transmitted to the Commission by any communication technique, including electronic means: fax; e-mail; electronic form; website etc.

3. Paragraphs 1 and 2 shall not apply where specific means of transmission or formalities connected with transmission are required by the applicable Community or national provisions or by an agreement between the parties.

Article 7

Storage

1. Electronic and digitised documents shall be stored by the Commission throughout the period required, under the following conditions:

(a) the document shall be preserved in the form in which it was drawn up, sent or received or in a form which preserves the integrity not only of its contents but also of the relevant metadata;

(b) the contents of the document and the relevant metadata must be readable throughout the storage period by any person who is authorised to have access to them;

(c) as regards a document sent or received electronically, information which makes it possible to determine its origin and destination and the date and time of despatch or receipt are part of the minimum metadata to be preserved;

(d) as regards electronic procedures managed by computer systems, information concerning the formal stages of the procedure must be stored under such conditions as to ensure that those stages and the authors and participants can be identified.

2. For the purposes of paragraph 1 the Commission shall set up an electronic file deposit system to cover the entire life cycle of the electronic and digitised documents.

The technical conditions of the electronic file deposit system shall be laid down by the implementing rules provided for by in Article 9.

Article 8

Security

Electronic and digitised documents shall be managed in compliance with such security rules as are incumbent on the Commission. To that end, the information systems, networks and transmission facilities which feed the Commission's document system shall be protected by adequate security measures concerning document classification, protection of information systems and personal data protection.

Article 9

Implementing rules

Implementing rules for the application of these provisions shall be drawn up in coordination with the Directorates-General and similar departments and shall be adopted by the Secretary-General of the Commission, in agreement with the Director-General responsible for information technology in the Commission.

They shall be regularly updated to reflect developments in information and communication technology and such new obligations as may become incumbent on the Commission.

Article 10

Application in departments

Each Director-General or Head of Service shall take the necessary measures to ensure that documents, procedures and electronic systems for which he is responsible meet the requirements of these provisions and of the implementing rules.

Article 11

Implementation

The Secretariat-General of the Commission is instructed to ensure the implementation of these provisions in coordination with the Directorates-General and similar departments, in particular the Directorate-General responsible for information technology in the Commission.

▼M10

COMMISSION PROVISIONS SETTING UP THE ARGUS GENERAL RAPID ALERT SYSTEM

Whereas:

(1)

It is appropriate for the Commission to establish a general rapid alert system called ARGUS, in order to enhance its capacity to react quickly, efficiently and in a coordinated manner, in its domain of competence, to crises of a multisectoral nature covering several policy areas and that require action at the Community level, whatever their cause.

(2)	The system should be based initially on an internal communication network allowing the Directorates-General and services of the Commission to share key information in the event of a crisis.

(3)	The system will be reviewed in the light of experience acquired and technological progress to ensure interlinkage and coordination of existing specialised networks.

(4)

It is necessary to define an appropriate coordination process to take decisions and to manage a rapid, coordinated and coherent Commission response to a major multisectoral crisis, whilst keeping it sufficiently flexible and adaptable to the particular needs and circumstances of a specific crisis and respecting the existing policy instruments dealing with specific crises.

(5)

The system must respect the specific characteristics, expertise, arrangements and area of competence of each of the existing sectoral rapid alert systems of the Commission, which enable its service to respond to specific crises in various fields of Community activity, as well as the general principle of subsidiarity.

(6)	Communication being a key element of crisis management, special attention must be devoted to informing the public and communicating effectively with the citizens, through the press and the various communication tools and outlets of the Commission, from Brussels and/or the most appropriate location.

Article 1

The ARGUS system

1. A general rapid alert and response system called ARGUS is established, in order to enhance the capacity of the Commission to provide a quick, efficient and coherent response in the event of a major crisis of a multisectoral nature covering several policy areas requiring action Community level, whatever its cause.

2. ARGUS shall consist of:

(a) an internal communication network;

(b) a specific coordination process to be activated in case of a major multisectoral crisis.

3. These provisions are without prejudice to Commission Decision 2003/246/EC, Euratom on operational procedures for crisis management.

Article 2

The ARGUS information network

1. The internal communication network shall be a permanent platform enabling the Directorates-General and services of the Commission to share in real time relevant information on emerging multisectoral crises or foreseeable or imminent threat thereof and to coordinate appropriate response within the domain of competence of the Commission.

2. The core members of the network are: the Secretariat-General; DG Press and Communication including the Spokesperson’s service; DG Environment; DG Health and Consumer Protection; DG Justice, Freedom and Security; DG External Relations; DG Humanitarian Aid; DG Personnel and Administration; DG Trade; Informatics DG; DG Taxation and Customs Union; the Joint Research Centre and the Legal Service.

3. Any other Directorate-General and service of the Commission can be included in the network, at their request, provided they implement the minimum requirements mentioned in paragraph (4).

4. Directorates-General and services which are members of the network shall appoint an ARGUS correspondent and implement appropriate stand-by duty arrangements allowing the service to be contacted and to react speedily in the event of a crisis warranting its intervention. The system will be designed to allow this to be done within the existing allocation of human resources.

Article 3

Coordination process in the event of a major crisis

1. In the event of a major multisectoral crisis or foreseeable or imminent threat thereof, the President, on his own initiative after having been alerted or at the request of a Member of the Commission, may decide to activate a specific coordination process. The President will also decide on the allocation of the political responsibility for the Commission response to the crisis. He will either keep the responsibility to himself or assign it to a Member of the Commission.

2. Such responsibility will entail leading and coordinating the response to the crisis, representing the Commission towards the other institutions and being responsible for communication with the public. This will not affect the existing competences and mandates in the College.

3. The Secretariat-General, under the authority of the President or the Member of the Commission to whom the responsibility was assigned, will activate the specific operational crisis management structure called Crisis Coordination Committee described in Article 4.

Article 4

The Crisis Coordination Committee

1. The Crisis Coordination Committee is a specific operational crisis management structure established to lead and coordinate the response to the crisis, bringing together representatives of all relevant Commission Directorates-General and services. As a general rule, the Directorates-General and services mentioned in Article 2(2) shall be represented in the Crisis Coordination Committee, plus other Directorates-General and services concerned by the specific crisis. The Crisis Coordination Committee will draw on the existing resources and means of the services.

2. The Crisis Coordination Committee shall be chaired by the Deputy Secretary-General with particular responsibility for policy coordination.

3. The Crisis Coordination Committee will in particular assess and monitor the development of the situation, identify issues and options for decision and action, ensure that decisions and actions are implemented and ensure the coherence and consistency of the response.

4. Decisions agreed within the Crisis Coordination Committee will be adopted through normal Commission decision-making procedures and will be executed by Directorates-General and rapid alert systems.

5. Commission services will dutifully ensure the management of tasks in connection with the response in their domain of competence.

Article 5

The Manual of Operating Procedures

A Manual of Operational Procedures will define detailed provisions to implement this decision.

Article 6

The Commission will review this decision in the light of experience gained and technological progress, at the latest one year after its entry into force, and, if necessary, adopt additional measures relating to the functioning of ARGUS.

▼M12

DETAILED RULES FOR THE APPLICATION OF REGULATION (EC) NO 1367/2006 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL ON THE APPLICATION OF THE PROVISIONS OF THE AARHUS CONVENTION ON ACCESS TO INFORMATION, PUBLIC PARTICIPATION IN DECISION-MAKING AND ACCESS TO JUSTICE IN ENVIRONMENTAL MATTERS TO COMMUNITY INSTITUTIONS AND BODIES

Article 1

Access to environmental information

The time-limit of 15 working days referred to in Article 7 of Regulation (EC) No 1367/2006 shall commence on the date of registration of the request by the responsible Commission department.

Article 2

Public participation

For the purposes of implementing Article 9(1) of Regulation (EC) No 1367/2006 the Commission shall ensure public participation in accordance with the Communication ‘General principles and minimum standards for consultation of interested parties by the Commission’ ( 25 ).

Article 3

Requests for internal review

Requests for internal review of an administrative act or relating to an administrative omission shall be sent by mail, fax or e-mail to the department responsible for the application of the provision on the basis of which the administrative act was adopted, or in respect of which the administrative omission is alleged.

Contact details to that effect shall be made known to the public by all appropriate means.

Where a request is sent to another department than that responsible for the review, that department shall forward the request to the one responsible.

In any case, where the department responsible for the review is not Directorate-General ‘Environment’, it shall inform the latter of the request being made.

Article 4

Decisions concerning the admissibility of requests for internal review

1. As soon as the request for internal review is registered, an acknowledgement of receipt shall be sent to the non-governmental organisation author of the request, where appropriate by electronic means.

2. The Commission department concerned shall determine whether the non-governmental organisation is entitled to make a request for internal review in accordance with Commission Decision 2008/50/EC ( 26 ).

3. In accordance with Article 14 of the Rules of Procedure, the power to take decisions on the admissibility of a request for internal review is delegated to the Director-General or the head of department concerned.

Decisions on the admissibility of the request shall cover any decisions on the entitlement, pursuant to paragraph 2 of this Article, of the non-governmental organisation author of the request, the timely submission of the request under the second subparagraph of Article 10(1) of Regulation (EC) No 1367/2006, and on the indication and substantiation of the grounds on which the request is made, as required in Article 1(2) and (3) of Decision 2008/50/EC.

4. Where the Director-General or the head of department referred to in paragraph 3 finds that the request for internal review is inadmissible in full or in part, the non-governmental organisation author of the request shall be informed in writing, if appropriate by electronic means, stating the reasons.

Article 5

Decisions concerning the substance of requests for internal review

1. Any decision whereby it is determined that the administrative act whose review is sought, or the alleged administrative omission, is in breach of environmental law shall be taken by the Commission.

2. In accordance with Article 13 of the Rules of Procedure, the Member of the Commission responsible for the application of the provisions on the basis of which the administrative act concerned was adopted or to which the alleged administrative omission relates shall be empowered to decide that the administrative act whose review is sought, or the alleged administrative omission, is not in breach of environmental law.

Sub-delegation of powers conferred under the first subparagraph shall be prohibited.

3. The non-governmental organisation author of the request shall be informed of the outcome of the review in writing, if appropriate by electronic means, stating the reasons.

Article 6

Remedies

All replies informing the non-governmental organisation that its request is either inadmissible, in full or part, or that the administrative act whose review is sought, or the alleged administrative omission, is not in breach of environmental law shall apprise the non-governmental organisation of the remedies open to it, namely instituting court proceedings against the Commission, or making a complaint to the Ombudsman, or both, under the conditions laid down in Articles 230 and 195 of the EC Treaty, respectively.

Article 7

Information of the public

A practical guide shall provide to the public appropriate information about their rights under Regulation (EC) No 1367/2006.

( 1 ) Article 17(6)(a) of the Treaty on European Union.

( 2 ) Article 17(6)(b) of the Treaty on European Union.

( 3 ) Article 248 of the Treaty on the Functioning of the European Union.

( 4 ) See footnote 3.

( 5 ) Article 17(6)(c) of the Treaty on European Union.

( 6 ) Article 17(6), second subparagraph, of the Treaty on European Union.

( 7 ) OJ L 156, 18.6.2005, p. 3.

( 8 ) Postal address: Secretariat-General of the European Commission, Unit SG/B/2 ‘Openness, access to documents, relations with civil society’, rue de la Loi/Wetstraat 200, B-1049 Brussels (fax (32-2) 296 72 42).

Electronic address: SG-Code-de-bonne-conduite@cec.eu.int.

( 9 ) OJ 17/58, 6.10.1958, p. 406/58.

( 10 ) OJ L 151, 15.6.1990, p. 1.

( 11 ) OJ L 101, 11.4.2001, p. 1.

( 12 ) OJ L 145, 31.5.2001, p. 43.

( 13 ) Without prejudice to the Vienna Convention of 1961 on diplomatic relations and the Protocol on the privileges and immunities of the European Communities of 8 April 1965.

( 14 ) See a comparative table of EU, NATO, WEU and Member States' security classifications in Appendix 1.

( 15 ) OJ L 145, 31.5.2001, p. 43.

( 16 ) OJ L 136, 31.5.1999, p. 20.

( 17 ) C(2000) 200.

( 18 ) SEC(2001) 924.

( 19 ) OJ L 21, 24.1.2002, p. 23.

( 20 ) C(2002) 99 final.

( 21 ) OJ L 317, 3.12.2001, p. 1.

( 22 ) OJ L 8, 12.1.2001, p. 1.

( 23 ) OJ L 145, 31.5.2001, p. 43.

( 24 ) OJ L 13, 19.1.2000, p. 12.

( 25 ) COM(2002) 704 final.

( 26 ) OJ L 13, 16.1.2008, p. 24.

Top