DECISION OF THE HIGH REPRESENTATIVE OF THE UNION FOR FOREIGN AFFAIRS AND SECURITY POLICY
of 19 June 2023
on the security rules for the European External Action Service
Article 1
Purpose and scope
Article 2
Definitions
Article 3
Duty of care
Article 4
Physical and infrastructure security
Article 5
Alert states and crisis situations
Article 6
The protection of classified information
Article 7
Security incidents, emergencies and crisis response
Article 8
Security of communication and information systems
Article 9
Security breaches and compromise of classified information
Article 10
Investigation of security incidents, breaches and/or compromises and corrective actions
Article 11
Security risk management
Article 12
Security awareness and training
Article 13
Organisation of security in the EEAS
Article 14
CSDP Operations and EU Special Representatives
Article 15
The EEAS Security Committee
Article 16
Security inspections
Article 17
Assessment visits
Article 18
Business continuity planning
Article 19
Travel advice for missions outside the EU
Article 20
Health and Safety
Article 21
Implementation and review
Article 22
Replacement of previous decisions
Article 23
Final provisions
ANNEX A
PRINCIPLES AND STANDARDS FOR PROTECTING EUCI
Article 1
Purpose, scope and definitions
Article 2
Definition of EUCI, security classifications and markings
Article 3
Classification management
Article 4
Protection of classified information
Article 5
Personnel security for handling EU classified information
Article 6
Physical security of EU classified information
Article 7
Management of classified information
Article 8
Protection of EUCI handled in communication and information systems
Article 9
Industrial security
Article 10
Exchange of classified information with third States and International Organisations
Article 11
Breaches of security and compromise of classified information
ANNEX A I
PERSONNEL SECURITY
I. INTRODUCTION
II. AUTHORISING ACCESS TO EUCI
PSC request procedures in the EEAS
Records of PSCs
Exemptions from the PSC requirement
III. SECURITY EDUCATION AND AWARENESS
IV. EXCEPTIONAL CIRCUMSTANCES
V. ATTENDANCE AT MEETINGS IN THE EEAS HEADQUARTERS AND UNION DELEGATIONS.
VI. POTENTIAL ACCESS TO EUCI
ANNEX A II
PHYSICAL SECURITY OF EU CLASSIFIED INFORMATION
I. INTRODUCTION
II PHYSICAL SECURITY REQUIREMENTS AND MEASURES
III. EQUIPMENT FOR THE PHYSICAL PROTECTION OF EUCI
IV. PHYSICALLY PROTECTED AREAS
V. PHYSICAL PROTECTIVE MEASURES FOR HANDLING AND STORING EUCI
VI. CONTROL OF KEYS AND COMBINATIONS USED FOR PROTECTING EUCI
ANNEX A III
MANAGEMENT OF CLASSIFIED INFORMATION
I. INTRODUCTION
II. CLASSIFICATION MANAGEMENT
Classifications and markings
CONFIDENTIEL UE/EU CONFIDENTIAL Without attachment(s) RESTREINT UE/EU RESTRICTED
Markings
Abbreviated classification markings
TRES SECRET UE/EU TOP SECRET |
TS-UE/EU-TS |
SECRET UE/EU SECRET |
S-UE/EU-S |
CONFIDENTIEL UE/EU CONFIDENTIAL |
C-UE/EU-C |
RESTREINT UE/EU RESTRICTED |
R-UE/EU-R |
Creation of EUCI
Downgrading and declassification of EUCI
III. REGISTRATION OF EUCI FOR SECURITY PURPOSES
TRES SECRET UE/EU TOP SECRET registries
IV. COPYING AND TRANSLATING EU CLASSIFIED DOCUMENTS
V. CARRIAGE OF EUCI
Within a building or self-contained group of buildings
Within the EU
From within the EU to the territory of a third State, or between EU entities in third States
VI. DESTRUCTION OF EUCI
VII. SECURITY INSPECTIONS
EEAS security inspections
Conduct of and reporting on EEAS security inspections
Conduct of and reporting on security inspections in EU agencies and bodies established under Title V, Chapter 2 of the TEU
EEAS security inspections checklist
ANNEX A IV
PROTECTION OF EUCI HANDLED IN CIS
I. INTRODUCTION
Authenticity: |
the guarantee that information is genuine and from bona fide sources; |
Availability: |
the property of being accessible and usable upon request by an authorised entity; |
Confidentiality: |
the property that information is not disclosed to unauthorised individuals, entities or processes; |
Integrity: |
the property of safeguarding the accuracy and completeness of information and assets; |
Non-repudiation: |
the ability to prove an action or event has taken place, so that this event or action cannot subsequently be denied. |
II. INFORMATION ASSURANCE PRINCIPLES
Security risk management
Security throughout the CIS-life cycle
Best practice
Defence in depth
Principle of minimality and least privilege
Information Assurance awareness
Evaluation and approval of IT-security products
Transmission within Secured Areas
Secure interconnection of CIS
Computer storage media
Emergency circumstances
III. INFORMATION ASSURANCE FUNCTIONS AND AUTHORITIES
Information Assurance Authority (IAA)
TEMPEST Authority
Crypto Approval Authority (CAA)
Crypto Distribution Authority (CDA)
Security Accreditation Authority (SAA)
Security Accreditation Board (SAB)
Information Assurance Operational Authority
ANNEX A V
INDUSTRIAL SECURITY
I. INTRODUCTION
II. SECURITY ELEMENTS IN A CLASSIFIED CONTRACT
Security classification guide (SCG)
Security aspects letter (SAL)
Programme/project security instructions (PSI)
III. FACILITY SECURITY CLEARANCE (FSC)
IV. Personnel Security Clearances (PSCs) for Contractors’ personnel
V. CLASSIFIED CONTRACTS AND SUB-CONTRACTS
VI. VISITS IN CONNECTION WITH CLASSIFIED CONTRACTS
VII. TRANSMISSION AND CARRIAGE OF EUCI
VIII. TRANSFER OF EUCI TO CONTRACTORS LOCATED IN THIRD STATES
IX. HANDLING AND STORAGE OF INFORMATION CLASSIFIED RESTREINT UE/EU RESTRICTED
ANNEX A VI
EXCHANGE OF CLASSIFIED INFORMATION WITH THIRD STATES AND INTERNATIONAL ORGANISATIONS
I. INTRODUCTION
II. FRAMEWORKS GOVERNING THE EXCHANGE OF CLASSIFIED INFORMATION
III ASSESSMENT VISITS
IV. AUTHORITY TO RELEASE EUCI TO THIRD STATES OR INTERNATIONAL ORGANISATIONS
V. EXCEPTIONAL AD HOC RELEASE OF EUCI
Appendix A
Definitions
Appendix B
Equivalence of security classifications
EU |
TRES SECRET UE/EU TOP SECRET |
SECRET UE/EU SECRET |
CONFIDENTIEL UE/EU CONFIDENTIAL |
RESTREINT UE/EU RESTRICTED |
EURATOM |
EURA TOP SECRET |
EURA SECRET |
EURA CONFIDENTIAL |
EURA RESTRICTED |
Belgium |
Très Secret (Loi 11.12.1998) Zeer Geheim (Wet 11.12.1998) |
Secret (Loi 11.12.1998) Geheim (Wet 11.12.1998) |
Confidentiel (Loi 11.12.1998) Vertrouwelijk (Wet 11.12.1998) |
Nota(1) below |
Bulgaria |
Cтpoгo ceкретно |
Ceкретно |
Поверително |
За служебно ползване |
Czech Republic |
Přísně tajné |
Tajné |
Důvěrné |
Vyhrazené |
Denmark |
YDERST HEMMELIGT |
HEMMELIGT |
FORTROLIGT |
TIL TJENESTEBRUG |
Germany |
STRENG GEHEIM |
GEHEIM |
VS(2) — VERTRAULICH |
VS — NUR FÜR DEN DIENSTGEBRAUCH |
Estonia |
Täiesti salajane |
Salajane |
Konfidentsiaalne |
Piiratud |
Ireland |
Top Secret |
Secret |
Confidential |
Restricted |
Greece |
Άκρως Απόρρητο Abr: ΑΑΠ |
Απόρρητο Abr: (ΑΠ) |
Εμπιστευτικό Αbr: (ΕΜ) |
Περιορισμένης Χρήσης Abr: (ΠΧ) |
Spain |
SECRETO |
RESERVADO |
CONFIDENCIAL |
DIFUSIÓN LIMITADA |
France |
TRÈS SECRET TRÈS SECRET DÉFENSE(3) |
SECRET SECRET DÉFENSE(3) |
CONFIDENTIEL DÉFENSE(3) (4) |
Nota(5) below |
Croatia |
VRLO TAJNO |
TAJNO |
POVJERLJIVO |
OGRANIČENO |
Italy |
Segretissimo |
Segreto |
Riservatissimo |
Riservato |
Cyprus |
Άκρως Απόρρητο Αbr: (AΑΠ) |
Απόρρητο Αbr: (ΑΠ) |
Εμπιστευτικό Αbr: (ΕΜ) |
Περιορισμένης Χρήσης Αbr: (ΠΧ) |
Latvia |
Sevišķi slepeni |
Slepeni |
Konfidenciāli |
Dienesta vajadzībām |
Lithuania |
Visiškai slaptai |
Slaptai |
Konfidencialiai |
Riboto naudojimo |
Luxembourg |
Très Secret Lux |
Secret Lux |
Confidentiel Lux |
Restreint Lux |
Hungary |
‘Szigorúan titkos!’ |
‘Titkos!’ |
‘Bizalmas!’ |
‘Korlátozott terjesztésű!’ |
Malta |
L-Ogħla Segretezza Top Secret |
Sigriet Secret |
Kunfidenzjali Confidential |
Ristrett Restricted(6) |
Netherlands |
Stg. ZEER GEHEIM |
Stg. GEHEIM |
Stg. CONFIDENTIEEL |
Dep. VERTROUWELIJK |
Austria |
Streng Geheim |
Geheim |
Vertraulich |
Eingeschränkt |
Poland |
Ściśle Tajne |
Tajne |
Poufne |
Zastrzeżone |
Portugal |
Muito Secreto |
Secreto |
Confidencial |
Reservado |
Romania |
Strict secret de importanță deosebită |
Strict secret |
Secret |
Secret de serviciu |
Slovenia |
STROGO TAJNO |
TAJNO |
ZAUPNO |
INTERNO |
Slovakia |
Prísne tajné |
Tajné |
Dôverné |
Vyhradené |
Finland |
ERITTÄIN SALAINEN YTTERST HEMLIG |
SALAINEN HEMLIG |
LUOTTAMUKSELLINEN KONFIDENTIELL |
KÄYTTÖ RAJOITETTU BEGRÄNSAD TILLGÅNG |
Sweden |
Kvaliciferat hemlig |
Hemlig |
Konfidentiell |
Begränsat hemlig |