Proposal for a Council Regulation (EEC) on the security measures applicable to classified information produced or transmitted in connection with European Economic Community or Euratom activities (92/C 72/16) COM(92) 56 final (Submitted by the Commission on 26 February 1992)
THE COUNCIL OF THE EUROPEAN COMMUNITIES,
Having regard to Article 235 of the Treaty establishing the European Economic Community,
Having regard to Article 203 of the Treaty establishing the European Atomic Energy Community,
Having regard to the proposal from the Commission,
Having regard to the opinion of the European Parliament,
Whereas the development of the Community will generate increasing flows of information between the Member States and the institutions of the European Communities;
Whereas protection should be afforded to sensitive information whose unauthorized disclosure could be detrimental to the essential interests of the European Communities and of Member States;
Whereas some common classification rules should therefore be laid down to ensure adequate protection of information at both the production and the transmission stages; whereas the rules should be implemented by the competent administrative and judicial authorities within the framework of existing provisions in Member States and the Community institutions;
Whereas under present Community law it is for each institution and each Member State to determine which information should be classified, with the proviso that the security gradings should be respected by all parties; whereas access to information is one of the fundamental principles of democracy; whereas it is therefore necessary to limit classification of information to the absolute minimum;
Whereas the rules should cover not only physical protection of classified information but also the persons and firms who may have access to it, without prejudice to the status of persons who are exercising an electoral mandate or a government function or who are members of an institution or body established by the Treaties;
Whereas protection of personal data and privacy are covered by separate measures;
Whereas special measures should be laid down for the protection of computerized information to allow for the particular characteristics of electronic techniques;
Whereas any failure to comply with the requirements of this Regulation or of supplementary provisions adopted by the institutions or the Member States will render the offender liable to disciplinary action; whereas provision must be made for other appropriate sanctions to be taken, where necessary, against serious offenders;
Whereas this Regulation will help to further the achievement of Community objectives in general and to protect the interests of the Community institutions and Member States;
Whereas a Commission decision based on Article 95 of the Treaty establishing the European Coal and Steel Community will be adopted to cover ECSC classified information;
Whereas the Treaties do not provide specific powers of action for the establishment of common rules in this field;
Whereas this Regulation is without prejudice to the application of the specific security measures laid down in Council Regulation (Euratom) No 3 (1) on the security gradings and the security measures to be applied to Euratom classified information;
Whereas the provisions of this Regulation do not affect the normal rules of confidentiality which apply to all public servants with regard to information not expressly intended for the public,
HAS ADOPTED THIS REGULATION:
TITLE I - PROTECTION: PRINCIPLES AND GENERAL RULES
Article 1 Scope: subject matter
1. This Regulation establishes security gradings for sensitive information connected with EEC or Euratom activities and the security measures to be applied to such information both inside Member States and institutions and when it is transmitted by one Member State or institution to another.
2. This Regulation also establishes the conditions of access to classified information by public servants and persons or firms under contract.
3. This Regulation does not apply to information covered by Regulation (Euratom) No 3.
Article 2 Supplementary provisions
1. The security measures laid down in this Regulation provide a framework of general principles and coordinated rules.
2. The institutions of the European Communities (hereinafter called 'the institutions') and the Member States may, where necessary, supplement them by rules on matters within their jurisdiction in order to take account of local conditions, provided this does not jeopardize the uniformity of treatment of the information referred to in Article 1.
(1) OJ No 17, 6.10.1958, p. 406/58.
3. The institutions of the European Communities are the European Parliament, the Council, the Commission and the Court of Justice.
4. For the purposes of this Regulation, the Court of Auditors, the Economic and Social Committee and the European Investment Bank are deemed to be institutions.
Article 3 Classified information
1. For the purposes of this Regulation, "classified information" means all forms of information whose unauthorized disclosure could be detrimental to the essential interests of the European Communities and of the Member States and which therefore must be protected by appropriate security measures.
2. "Information" means any information, whether recorded in writing, orally or optically and whatever the medium used: paper, audio or video tape, transmission networks, technical or physical processes. For the purposes of this Regulation, the concept of classified information must be understood solely by reference to its context.
3. Where information is not contained in a written document, protection of classified information may require special rules taking account of the nature of the medium, in particular for audio and video recordings, microfilm, film or video tapes or computer media.
4. The information referred to in paragraphs 1 and 2 above shall retain its classified status even when it is preparatory or only for temporary use.
Article 4 Classification principles
1. The security grading applicable to an item of information shall be determined by reference to the content of the information in question.
2. Security gradings shall be assigned only where necessary and for the time necessary.
3. Where the information to be protected has a temporary security grading, the date shall be indicated beyond which it can be considered declassified or an equivalent embargo shall be attached.
4. Where a number of items of information are grouped together, the security grading to be applied to the whole shall be at least as high as that of the item of information bearing the highest grading. A collection of information may, however, be given a higher grading than any of its constituent parts.
Article 5 Security gradings
Security gradings for EC classified information shall be as follows:
(a) EC-TOP SECRET: where unauthorized disclosure might be extremely detrimental to the essential interests of the Communities or of one or more Member States;
(b) EC-SECRET: where unauthorized disclosure might be seriously detrimental to the essential interests of the Communities or of one or more Member States;
(c) EC-CONFIDENTIAL: where unauthorized disclosure might be detrimental to the essential interests of the Communities or of one or more Member States.
Article 6 Information from outside sources
1. Classified information from any of the institutions or Member States shall retain its original security grading.
2. Information from any other source, whether or not bearing a security grading, shall if necessary be assigned an EC security grading by the recipient institution or Member State, account being taken of the legitimate interests of the author or the source of the information.
TITLE II - PROCEDURAL PROVISIONS
Article 7 Assignment of security gradings
The assignment of security gradings shall be the responsibility of the institution or Member State in which the document originates.
Each institution and each Member State shall determine the internal procedures for assignment of security gradings, taking account of the criteria laid down in Article 4 and avoiding unnecessary gradings.
Article 8 Declassification of information
1. The institution or Member State which assigned the security grading to an item of information shall be responsible for deciding that the grading is to be lifted or changed and for informing the recipients.
In the case of TOP SECRET or SECRET information such decisions shall be communicated to recipients in writing.
2. Information temporarily classified shall be declassified automatically on the expiry date or as otherwise specified.
3. Information in historical archives is subject to a declassification procedure after 30 years with a view to allowing public access.
Article 9 Scope: persons
1. The security measures laid down in this Regulation shall be observed by all officials or other public servants who, for any reason, have occasion:
(a) in an institution, in a committee for which an institution is responsible or in the course of work with the staff of an institution, to have access to classified information produced within the institution or communicated to it;
(b) in a Member State, to have access to EC classified information produced in the Member State or communicated to it.
2. Any firm or company, including subcontractors, working for an institution or Member State whose staff may have occasion to read classified information by reason of their work shall be bound by the requirements of this Regulation and shall impose the same obligations on every member of staff concerned. It shall designate a person to be responsible for monitoring the implementation of these measures.
Article 10 Access to classified documents
1. Access to and possession of EC classified information shall be restricted to the persons referred to in Article 9 who, by reason of their duties or of service requirements, need to acquaint themselves with such information or to handle it.
2. To be allowed access to EC-TOP SECRET, EC-SECRET and EC-CONFIDENTIAL information, the persons referred to in paragraph 1 must be given authorization in accordance with Article 11.
3. Such authorization shall be granted only to persons who have been vetted in accordance with Article 12.
4. Where only occasional access to EC-CONFIDENTIAL information is required, such access may be authorized by way of exception without prior vetting, provided that all necessary precautions are taken.
Article 11 Authorization
1. Authorizations under Article 10 shall be granted by each institution and Member State to persons subject to its authority in accordance with its own arrangements.
2. Authorizations shall terminate when the authorized person leaves the service of the Communities or their contract ends.
3. Authorizations shall be subject to periodical review every five years at least.
Article 12 Vetting
1. (a) Vetting shall be undertaken at the request of the institution or Member State to whose authority the person to be given authorization in accordance with Article 10 (2) or (3) is subject.
The vetting shall be carried out by the Member State of which the person concerned is a national.
(b) Where the person concerned is not a Community national, the Member State responsible for vetting is the one in which the person is domiciled or usually resident.
(c) Where the person concerned has been resident for a period of time in a Member State other than the one referred to in the previous paragraph, or if the person has ties in another Member State, the Member State in question shall take part in the vetting procedure. The Member State in question shall communicate the results of its enquiries to the Member State responsible for vetting.
2. The vetting procedure shall be governed by the relevant rules and requirements applied in the Member State in question.
3. Institutions and Member States shall cooperate and exchange whatever information is necessary for the proper application of this Article.
In particular, institutions and Member States shall notify each other of anything which may cast doubts on the credentials of the authorized person.
Article 13 Instructions
All persons authorized in accordance with Article 10 shall, at the time of authorization and at regular intervals thereafter, be given appropriate instructions concerning the protection of classified information and methods to be applied. They shall sign a declaration that they have received the instructions and that they undertake to comply with them.
TITLE III - STRUCTURES
Article 14 Responsibility for security
Each institution and Member State shall designate a department to supervise the application of this Regulation and of supplementary measures as provided for in Article 2 and shall inform the other institutions and Member States through the Commission.
Article 15 Coordination between institutions and Member States
1. The institutions and Member States shall set up whatever procedures are necessary for the coherent application of this Regulation.
2. The Commission shall organize the necessary coordination between institutions and between the institutions and the Member States.
3. The Commission shall be assisted in this task by an Advisory Committee on Security composed of representatives of the Member States and chaired by a Commission representative.
4. The committee shall draw up its rules of procedure. Representatives of other institutions may attend its meetings as observers.
5. The committee's remit shall be to examine, on the initiative of its chairman or at the request of an institution or Member State, any matter coming within the scope of this Regulation.
Article 16 Security officers
1. The institutions and Member States shall designate, in each department receiving or handling classified information, officials of appropriate rank (hereinafter called "security officers") to be responsible for the implementation of this Regulation.
2. It shall be the task of security officers to:
(a) keep up to date the list of persons in their departments authorized to have access to CONFIDENTIAL, SECRET and TOP SECRET information;
(b) give instructions to staff regarding their responsibility for the protection of classified information;
(c) enforce the physical security measures;
(d) supervise the work of the special offices provided for in Article 17.
3. Only persons authorized in accordance with Article 10 to have access to classified information may be security officers.
Article 17 Special offices
1. The institutions and Member States shall use specialized departments (hereinafter called "special offices") for the exchange of EC-TOP SECRET, EC-SECRET, and EC-CONFIDENTIAL information.
2. The special office shall assume responsibility for handling classified information referred to in paragraph 1, in particular registration, reproduction, translation, transmission, storage and destruction.
3. Where necessary for the discharge of their duties, officials assigned to the special offices shall be authorized to have access to classified information in accordance with Article 10.
TITLE IV - PROTECTION OF DOCUMENTS
Article 18 Distinctive marking of classified documents
1. The security grading assigned to classified information in written form shall be shown as follows:
- EC-TOP SECRET and EC-SECRET: by a clearly visible stamp on the top and bottom of each page or by some equivalent indication, such as a diagonal band extending across the full page,
- EC-CONFIDENTIAL: by a clearly visible stamp on each page or by some equivalent indication, such as a diagonal band extending across the full page.
The stamp shall be in all the official languages of the Community.
2. In the case of temporary classification, the date after which the document may be considered declassified or the equivalent embargo formula shall be added in a suitable place.
3. Each copy of an EC-TOP SECRET or EC-SECRET document shall bear a serial number, by means of which the source, recipient and year can be identified. This serial number shall be repeated on the cover page of each document. The pages shall be numbered.
4. If the security grading of a classified document is changed, the document shall be marked as appropriate for the new grading.
5. References to EC-TOP SECRET, EC-SECRET and EC-CONFIDENTIAL information, including computerized references, shall be kept to a minimum and under no circumstances must they reveal either the content or the security grading of the information.
Article 19 Preparation, production and reproduction of EC-TOP SECRET, EC-SECRET and EC-CONFIDENTIAL documents
1. Runs of EC-TOP SECRET, EC-SECRET and EC-CONFIDENTIAL documents shall be strictly limited to the number of copies required to cover estimated essential needs.
2. Classified information may be reproduced in whole or in part, in whatever form and by whatever means, only under the authority of one of the special offices referred to in Article 17.
The number of copies (e.g. further runs, duplicates or extracts) shall be limited to essential needs not foreseen when the document was originally produced.
Article 20 Registration, distribution and reception of EC-TOP SECRET, EC-SECRET and EC-CONFIDENTIAL information
All EC-TOP SECRET, EC-SECRET and EC-CONFIDENTIAL documents shall be registered in one of the special offices referred to in Article 17; the special office thereby takes delivery of the document and arranges any necessary transmission. The purpose of such registration shall be to make it possible:
- to draw up immediately a list of the persons who have consulted the information or had it in their possession,
- to ascertain at once, after distribution, who is in possession of each copy and of any duplicates.
Article 21 Messengers
With the agreement of the security department concerned, messengers shall be specially designated to carry classified documents, in particular EC-TOP SECRET and EC-SECRET documents.
Article 22 Delivery
1. EC-TOP SECRET, EC-SECRET and EC-CONFIDENTIAL information shall be dispatched and received by the special offices.
2. The following procedures shall apply for the delivery of classified documents:
(a) EC-TOP SECRET and EC-SECRET: by authorized messenger, or by diplomatic bag or by insured mail, with advice of delivery;
(b) EC-CONFIDENTIAL: by messenger, internal mail or registered post, with advice of delivery;
(c) whatever the means of delivery, the envelope shall bear no distinctive marking on the outside.
Article 23 Diplomatic bag
The delivery of classified documents by diplomatic bag shall be governed by appropriate rules which afford adequate protection.
Article 24 Removal of classified documents from buildings
1. Classified documents shall be kept at all times in a secure location.
2. Classified documents may only be taken away where absolutely necessary and shall remain at all times in the personal custody of the person who removes them.
Classified documents should not be left in locations where they cannot remain under surveillance at all times.
TITLE V - DESTRUCTION
Article 25 Destruction of classified documents
1. Outdated and surplus copies of classified documents shall be destroyed under the responsibility of the appropriate authorities.
The destruction of EC-TOP SECRET, EC-SECRET and EC-CONFIDENTIAL documents shall be carried out using a shredder or another approved method of destruction.
2. The destruction of EC-TOP SECRET and EC-SECRET documents shall be witnessed, recorded in a report and noted in the register of the special office in question.
3. At least one copy shall be kept in the archives with adequate protection.
TITLE VI - PROTECTION OF OTHER INFORMATION MATERIAL AND MEDIA
Article 26 Other information material
Information material and media other than those referred to in Titles IV and V shall be protected in accordance with the principles laid down in these two titles.
TITLE VII - TRANSMISSION BY TELECOMMUNICATIONS
Article 27 Transmission of classified documents by telecommunications
1. EC-TOP SECRET, EC-SECRET and EC-CONFIDENTIAL information shall not be sent by telegram, radio, telephone, telex, telefax or any other electronic means unless it is enciphered using a system the security department regards as safe.
2. Notwithstanding paragraph 1, EC-CONFIDENTIAL information may in cases of emergency and absolute necessity be sent by such means without being enciphered, provided that authorization is obtained from the competent authority of the institution or the Member State and the Cipher Office is informed.
3. EC-CONFIDENTIAL information which has been sent without being enciphered may never subsequently be sent in enciphered form.
4. The provisions of this Article shall apply in conjunction with the rules and directives on the security of computerized information laid down in Article 32.
TITLE VIII - PHYSICAL PROTECTION
Article 28 Buildings
1. Buildings or parts of buildings housing classified documents shall be accessible only to persons authorized to enter them. They shall be suitably protected by providing, where necessary, permanent surveillance or installing an alarm system.
2. Visitors shall not be left unaccompanied in places where classified documents are kept.
Article 29 Security furniture
EC-TOP SECRET, EC-SECRET and EC-CONFIDENTIAL documents shall be kept in cupboards or other storage units approved by the security office as being sufficiently sturdy and having a safe locking mechanism.
Article 30 Protection of combination-lock settings and security keys
1. The setting of combination locks shall be changed at the time of delivery, every time staff having knowledge of the setting is changed, whenever the setting has or appears to have been compromised and, at all events, every 12 months at least.
2. The term "security keys" shall mean all keys to furniture used to house classified documents.
3. Holders of security keys and the departments responsible shall take whatever measures are necessary to safeguard security keys, in particular, to prevent unauthorized persons from having access to them.
4. The loss of a security key or the compromising of a combination-lock setting shall be brought to the immediate attention of the security officer, who shall arrange at once for the lock to be replaced or the setting to be changed.
Article 31 Special provisions for the protection of classified information
If special circumstances prevent the application of any of the provisions of this Regulation or dictate stricter measures, the responsible security officer, after consulting the security department, shall take or cause to be taken appropriate measures to provide a degree of protection equivalent to that provided for in this Regulation.
TITLE IX - PROTECTION OF COMPUTERIZED INFORMATION
Article 32 Security of computerized information
1. Classified information in computerized or electronic form shall be governed by the protective measures laid down in this Regulation. The processing of such information (for example, its storage or transmission) using equipment such as computers, networks and terminals shall be subject to security measures specially devised for these techniques.
2. Each Member State and institution shall adopt special rules for the security of computerized information. These rules shall comprise general measures supplemented by specific measures based on an analysis of the risks.
3. These measures shall in particular:
(a) define responsibilities for:
- authorizing access,
- applying the authorization procedure (i.e. permitting access),
- checking effective access against authorizations granted;
(b) ensure reliable identification and authentication of users;
(c) set the technical security criteria for operating systems, networks and software on the basis of recognized standards;
(d) determine rules for the management of computer configurations and in particular rules for the certification of the criteria provided for in (c).
4. The measures shall also include common rules and technical options as regards:
(a) the enciphering and authentication of data and the management of keys;
(b) the precautions to be taken for the elimination of electromagnetic radiation by reference to the Tempest standard (or a European equivalent to be defined).
TITLE X - FINAL PROVISIONS
Article 33 Procedure in the event of infringement of this Regulation
1. Any person employed by an institution who in the course of his duties has access to classified information shall be informed by the security department or the security officers that failure to comply with the requirements of this Regulation renders him liable to disciplinary action.
2. Any person who finds, or has reason to believe, that classified information has gone astray or been compromised or that an infringement of this Regulation or of security measures has been committed shall immediately inform the security officer, who will at once inform his superior.
3. If there is a suggestion that EC-TOP SECRET, EC-SECRET or EC-CONFIDENTIAL information has come to the knowledge of an unauthorized person, the security department shall be informed immediately so that it can assess the situation.
4. If the suspected breach within the meaning of paragraph 3 is confirmed, the security department shall take appropriate steps with the responsible officials concerned in order to limit the damage caused to a minimum and to prevent any recurrence.
5. If a serious infringement committed in an institution or a Member State concerns information originating in another institution or Member State, that institution or Member State shall be advised.
Article 34 Penalties
Member States and institutions shall take appropriate action to penalize failure to comply with the requirements of this Regulation.
Article 35 Treaties or agreements with Member States and regulations
1. These provisions shall be without prejudice to the obligations of the Community and/or the Member States in this field arising out of treaties or agreements concluded with third countries, international organisations or a national of a third country.
2. This Regulation shall be without prejudice to Regulation (Euratom) No 3 implementing Article 24 of the Treaty establishing the European Atomic Energy Community.
Article 36 Entry into force
This Regulation shall enter into force on the 20th day following its publication in the Official Journal of the European Communities.
This Regulation shall be binding in its entirety and directly applicable in all Member States.