Delegated Decision No 17-2023 of the Administrative Committee of the European... (32023Q0324(01))
EU - Rechtsakte: 01 General, financial and institutional matters

DELEGATED DECISION No 17-2023 OF THE ADMINISTRATIVE COMMITTEE OF THE EUROPEAN COURT OF AUDITORS

of 1 March 2023

on implementing rules for handling RESTREINT UE/EU RESTRICTED information at the European Court of Auditors

THE ADMINISTRATIVE COMMITTEE OF THE EUROPEAN COURT OF AUDITORS,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 287 thereof,
Having regard to Decision No 41-2021 of the Court of Auditors on the security rules for protecting EU classified information (EUCI) (1),
Having regard to the Court of Auditors information security policy (currently DEC 127/15 FINAL) and information classification policy (Staff Notice 123/2020) (2),
Whereas Decision No 41-2021 applies to all the departments and the premises of the Court of Auditors;
Whereas Decision No 41-2021 provides in its Articles 1(3) and 5(6) that the Court of Auditors shall handle RESTREINT UE/EU RESTRICTED level information on its premises and may conclude a service level agreement with another EU institution in Luxembourg in order to be able to handle and store information classified as CONFIDENTIEL UE/EU CONFIDENTIAL or above in a Secured Area of that institution;
Whereas security measures for protecting EU classified information (EUCI) throughout its life-cycle are to be commensurate in particular with its security classification;
Whereas security measures to protect the confidentiality, integrity and availability of information communicated to the Court of Auditors must be appropriate for the nature and type of information concerned;
Whereas Article 10(10) of Decision No 41-2021 provides that the Administrative Committee shall adopt a delegated decision laying down implementing rules for this Decision; pursuant to Articles 8(1) and 10(1) of Decision No 41-2021 these shall govern issues such as handling and storing EUCI as well as breaches of security;
Whereas the Annex to Decision No 41-2021 sets out the physical security measures that shall apply in Administrative Areas where RESTREINT UE/EU RESTRICTED information is handled and stored;
Whereas security measures taken to implement this Decision are to comply with the principles for security at the Court of Auditors set out in Article 3 of Decision No 41-2021;
Whereas the Court of Auditors ensured through Decision No 41-2021 that its security measures to guarantee a high level of protection for EUCI are equivalent to those established by the rules on the protection of EUCI adopted by the other EU institutions, agencies and bodies;
Whereas a lightweight administrative agreement between the Court of Auditors and the Commission, the Council and the EEAS was agreed and entered into force on 27 January 2023,
HAS DECIDED:

CHAPTER 1

GENERAL PROVISIONS

Article 1

Subject matter and scope

1.   This Decision sets out the handling conditions for EU classified information (EUCI) of RESTREINT UE/EU RESTRICTED level (3) in compliance with Decision No 41-2021.
2.   This Decision shall apply to all the departments and the premises of the Court of Auditors. It also applies to its Chambers and Committees, which are included in the term ‘departments’ for the purposes of this Decision.

Article 2

Criteria for access to RESTREINT UE/EU RESTRICTED information

1.   Access to information classified as RESTREINT UE/EU RESTRICTED may be granted after:
(a) the need for an individual to have access to certain RESTREINT UE/EU RESTRICTED information in order to be able to perform a professional function or task for the Court of Auditors has been determined;
(b) the individual has been briefed on the rules and the relevant security standards and guidelines for protecting RESTREINT UE/EU RESTRICTED information; and
(c) the individual has acknowledged their responsibilities for protecting the information concerned.
2.   Court of Auditors trainees shall not be given duties that require them to have access to RESTREINT UE/EU RESTRICTED information.
3.   Access shall be withheld or granted for other categories of staff in accordance with the table set out in the Annex.

CHAPTER 2

CREATING RESTREINT UE/EU RESTRICTED INFORMATION

Article 3

Originator

While the originator within the meaning of Article 2 of Decision No 41-2021 is the Union institution, agency or body, Member State, third state or international organisation under whose authority classified information has been created and/or introduced into the Union’s structures, the drafter of RESTREINT UE/EU RESTRICTED information will not necessarily be the same.

Article 4

Assigning a classification level

1.   Staff drafting a document on the basis of information within the meaning of Article 1, in the context of Article 3 paragraph 6 of Decision No 41-2021 or otherwise, shall always consider whether their document needs to be classified. Classifying a document as EUCI shall involve an assessment and a decision by the originator as to whether the disclosure of the document to unauthorised persons would cause prejudice to the interests of the European Union or of one or more of the Member States. If drafters are in any doubt as to whether the document they are drafting warrants being classified as RESTREINT UE/EU RESTRICTED, they should consult the Principal Manager or Director responsible.
2.   A document shall be classified as at least RESTREINT UE/EU RESTRICTED if its unauthorised disclosure could, inter alia:
(a) adversely affect diplomatic relations;
(b) cause substantial distress to individuals;
(c) make it more difficult to maintain the operational effectiveness or security of Member States’ or other contributors’ assigned personnel;
(d) breach undertakings to maintain the confidence of information provided by third parties;
(e) prejudice the investigation of or facilitate crime;
(f) disadvantage the Union or Member States in commercial or policy negotiations with others;
(g) impede the effective development or operation of Union policies;
(h) undermine the proper management of the Union and its missions in general; or
(i) lead to the discovery of information classified at a higher level.
3.   Originators may decide to attribute a standard classification level to categories of information that they create on a regular basis. However, they shall ensure that individual pieces of information are assigned the appropriate classification level.

Article 5

Working with drafts

1.   Information shall be classified as soon as it is produced. Personal notes, preliminary drafts or messages containing information that warrant classification at the level of RESTREINT UE/EU RESTRICTED shall be marked as such from the outset, and shall be produced and handled in accordance with this Decision.
2.   If the final document no longer warrants the RESTREINT UE/EU RESTRICTED classification level, it shall be declassified.

Article 6

Record of source material

In order to enable the exercise of originator control in accordance with Article 13, originators of RESTREINT UE/EU RESTRICTED documents shall, to the extent possible, keep a record of any classified sources used for producing classified documents, including details of sources originally from EU Member States, international organisations or third countries. Where appropriate, aggregated classified information shall be marked in such a way as to preserve the identification of the originators of the classified source materials used.

Article 7

Classifying parts of a document

1.   In accordance with Article 3(1) of Decision No 41-2021, the overall classification level of a document shall be at least as high as that of its most highly classified component. When information from various sources is collated, the final aggregated document shall be reviewed to determine its overall security classification level, since it may warrant a higher classification than that of its component parts.
2.   Documents containing classified and non-classified parts shall be structured and marked so that components with different classification and/or sensitivity levels can be easily identified and detached if necessary. This shall enable each part to be handled appropriately when it is detached from the other components.

Article 8

Full classification marking

1.   Information that warrants classification shall be marked and handled as such, regardless of its physical form. The classification level shall be clearly communicated to recipients, either by a classification marking, if the information is delivered in written form, whether this is on paper, on removable storage media or in a Communication and Information System (CIS), or by an announcement, if the information is delivered in oral form, such as in a conversation or a presentation. Classified material shall be physically marked so as to allow for easy identification of its security classification.
2.   On documents, the full classification marking RESTREINT UE/EU RESTRICTED shall be written in block capitals, in full in French and English (French first), in accordance with paragraph 3. The marking shall not be translated into other languages.
3.   The RESTREINT UE/EU RESTRICTED classification marking shall be affixed as follows:
(a) centred at the top and bottom of every page of the document;
(b) the complete classification marking on one line, with no spaces either side of the forward slash;
(c) in capitals, black, font Times New Roman 16, bold, and surrounded by a border on each side.
4.   When creating a RESTREINT UE/EU RESTRICTED document:
(a) each page shall be clearly marked with the classification level;
(b) each page shall be numbered;
(c) the document shall bear a reference number and a subject, which itself shall not be classified information unless it is marked as such;
(d) all the annexes and enclosures shall be listed, whenever possible on the first page; and
(e) the document shall have its date of creation on it.

Article 9

Abbreviated R-UE/EU-R classification marking

The abbreviation R-UE/EU-R may be used to indicate the classification level of individual parts of a RESTREINT UE/EU RESTRICTED document, or where the full classification marking cannot be inserted, for example on a small removable storage medium. It may be used in the body of text where repeated use of the full classification marking is cumbersome. The abbreviation shall not be used instead of the full classification markings in the header and footer of the document.

Article 10

Other security designators

1.   RESTREINT UE/EU RESTRICTED documents may bear other markings, or ‘security designators’, specifying, for example, the field to which the document relates, or indicating a particular distribution on a need-to-know basis. An example is:
RELEASABLE TO LIECHTENSTEIN
2.   RESTREINT UE/EU RESTRICTED documents may bear a security caveat that provides specific instructions on how to handle and manage the documents.
3.   Whenever possible, any indications for declassifying shall be affixed on the first page of the document at the time it is created. For example, the following marking may be used:
RESTREINT UE/EU RESTRICTED
until [dd.mm.yyyy]

Article 11

Electronic processing

1.   RESTREINT UE/EU RESTRICTED documents shall be created using electronic means, where these are available.
2.   The staff of the Court of Auditors shall use accredited communication and information systems (hereafter ‘CIS’) for creating RESTREINT UE/EU RESTRICTED level information (see Article 6 of Decision No 41-2021). Staff shall consult the Information Security Officer (ISO) if there is any doubt as to which CIS may be used. In consultation with the ISO, specific procedures may be applied in emergencies or in specific technical configurations.
3.   RESTREINT UE/EU RESTRICTED documents, including drafts, as required by Article 5, shall not be sent by ordinary open email, printed or scanned on standard printers or scanners, or handled on the personal devices of members of staff. Only printers or copiers connected to standalone computers or to an accredited system shall be used to print out RESTREINT UE/EU RESTRICTED documents.

Article 12

Distribution

The sender of RESTREINT UE/EU RESTRICTED documents shall decide who to distribute the information to, based on their need-to-know. If required, a distribution list shall be drawn up in order to further enforce the need-to-know principle.

CHAPTER 3

WORKING WITH EXISTING RESTREINT UE/EU RESTRICTED INFORMATION

Article 13

Originator control

1.   The originator shall have ‘originator control’ over RESTREINT UE/EU RESTRICTED information which it has created. The originator’s prior written consent shall be sought before the information can be:
(a) declassified;
(b) used for purposes other than those established by the originator;
(c) released to a third country or international organisation;
(d) disclosed to a party outside the Court of Auditors, but within the EU; or
(e) disclosed to a contractor or prospective contractor located in a third country.
2.   Holders of RESTREINT UE/EU RESTRICTED information have been given access to the classified information in order to be able to perform their duties. They are responsible for the correct handling, storage and protection of it, in accordance with Decision No 41-2021. Unlike originators of classified information, holders shall not be authorised to decide on the declassification or onward release of RESTREINT UE/EU RESTRICTED information to third countries or international organisations.
3.   If the originator of a piece of RESTREINT UE/EU RESTRICTED information cannot be identified, the Court of Auditors department holding that classified information shall exercise originator control. In the event that the release of RESTREINT UE/EU RESTRICTED information to a third country or international organisation is considered necessary by the information holder, the Court of Auditors shall seek advice from one of the Parties to a Security of Information Agreement with that same third country or international organisation.

Article 14

CIS suitable for handling RESTREINT UE/EU RESTRICTED information

RESTREINT UE/EU RESTRICTED information shall be handled and transmitted by electronic means, where these are available. In line with Article 6 of Decision No 41-2021, only CIS and equipment that has been accredited by another EU institution, body, agency or the Court of Auditors shall be used.

Article 15

Specific measures for RESTREINT UE/EU RESTRICTED information on removable storage media

1.   The use of removable storage media shall be controlled and accounted for. Only removable storage media provided by the Court of Auditors or provided by another EU institution, body or agency and approved by the ISO of the Court of Auditors, and encrypted by a product approved by the ISO of the Court of Auditors shall be used. Personal removable storage media and those given freely at conferences, seminars, etc. shall not be used for transferring classified information. Where possible, TEMPEST-proof removable storage media should be used, in accordance with guidance from the ISO.
2.   Where a classified document is handled or stored electronically on removable storage media, such as USB sticks, USB hard drives, CDs, DVDs or memory cards (including SSD (4)), the classification marking shall be clearly visible on the displayed information itself, as well as in the filename and on the removable storage medium.
3.   Staff shall bear in mind that when large amounts of classified information are stored on removable storage media, the device may warrant a higher classification level.
4.   Only CIS that have been appropriately accredited shall be used to transfer RESTREINT UE/EU RESTRICTED information onto or from removable storage media.
5.   When downloading RESTREINT UE/EU RESTRICTED information on removable storage media, particular care shall be taken to ensure that the media does not contain viruses or malware prior to the data transfer.
6.   Where applicable, removable storage media shall be handled in accordance with any security operating procedures relating to the encryption system used.
7.   Documents on removable storage media that are either no longer required, or that have been transferred onto an appropriate CIS, shall be securely removed or deleted using approved products or methods. Unless stored in appropriate locked office furniture, removable storage media shall be destroyed when they are no longer needed. Any destruction or deletion shall use a method that is in accordance with the Court of Auditors security rules. An inventory shall be kept of the removable media, and their destruction shall be recorded.

Article 16

Handling and storage of RESTREINT UE/EU RESTRICTED information

1.   In accordance with Articles 5(8) and 6(9) of Decision No 41-2021, RESTREINT UE/EU RESTRICTED information may be handled in an Administrative Area (5), or in a Secured Area at the Commission (6) for the use of which the Court of Auditors has concluded a service level agreement, as follows:
— staff shall close the office door when handling RESTREINT UE/EU RESTRICTED information;
— staff shall stow any RESTREINT UE/EU RESTRICTED information away or cover it, should they receive a visitor;
— staff shall not leave RESTREINT UE/EU RESTRICTED information visible when the office is unoccupied;
— screens displaying RESTREINT UE/EU RESTRICTED information shall be permanently turned away from windows and doors to prevent potential overlooking.
2.   RESTREINT UE/EU RESTRICTED information may be handled temporarily outside a Secured Area or an Administrative Area, provided the holder has undertaken to comply with compensatory measures to protect it from access by unauthorised persons. The compensatory measures shall include at least the following:
— RESTREINT UE/EU RESTRICTED information shall not be read in public places;
— the EUCI shall be kept under the personal control of the holder at all times;
— the documents shall be stowed in appropriate locked furniture when they are not being read or discussed;
— the doors to the room shall be closed while the document is being read or discussed;
— the details of the document shall not be discussed over the phone on a non-secured line, or in an unencrypted email;
— the document may only be photocopied or scanned on stand-alone or accredited equipment;
— the document shall only be handled and temporarily held outside an Administrative or Secured Area for the minimum time necessary;
— the holder shall not throw the classified document away but shall return it for storage in an Administrative or Secured Area, or ensure it is destroyed in an approved shredder (7).
3.   Hard copy RESTREINT UE/EU RESTRICTED information shall be stored in locked office furniture in an Administrative Area or in a Secured Area. It may be temporarily stored outside a Secured Area or an Administrative Area, provided the holder has undertaken to comply with compensatory measures.
4.   Further advice can be sought from the ISO.
5.   Any suspected or actual security incidents involving the document shall be reported to the ISO as soon as possible.

Article 17

Copying and translating RESTREINT UE/EU RESTRICTED information

1.   RESTREINT UE/EU RESTRICTED information may be copied or translated on instruction from the holder, provided the originator has not imposed any caveats. However, no more copies shall be made than are strictly necessary.
2.   Where only part of a classified document is reproduced, the same conditions shall apply as for copying the full document. Extracts shall also be classified as RESTREINT UE/EU RESTRICTED, unless the originator has specifically marked them as unclassified.
3.   The security measures applicable to the original information shall also be applied to copies and translations thereof.

Article 18

General principles for carrying RESTREINT UE/EU RESTRICTED information

1.   Whenever possible, RESTREINT UE/EU RESTRICTED information that needs to be taken outside Secured Areas or Administrative Areas shall be sent electronically by appropriately accredited means and/or protected by approved cryptographic products.
2.   Depending on the means available or the particular circumstances, RESTREINT UE/EU RESTRICTED information may be physically carried by hand in the form of paper documents or on removable storage media. The use of removable storage media to transfer RESTREINT UE/EU RESTRICTED information shall be given preference to sending paper documents.
3.   Only removable storage media that are encrypted by a product approved by the Court of Auditors ISO may be used. RESTREINT UE/EU RESTRICTED information on removable storage media that is not protected by an encryption product that has been approved by the ISO shall be handled in the same manner as paper copy.
4.   A consignment may contain more than one piece of RESTREINT UE/EU RESTRICTED information, provided the need-to-know principle is respected.
5.   The packaging used shall ensure that the contents are hidden from view. RESTREINT UE/EU RESTRICTED information shall be carried in opaque packaging, such as an envelope, an opaque folder, or a briefcase. The outside of the packaging shall not bear any indication of the nature or classification level of its contents. If used, the inner layer of packaging shall be marked as RESTREINT UE/EU RESTRICTED. Both packaging layers shall state the intended recipient’s name, job title and address, as well as a return address in case delivery cannot be made.
6.   Any security incidents involving RESTREINT UE/EU RESTRICTED information that is carried by staff or couriers shall be reported, for subsequent investigation to the Director of Human Resources, Finance and General Services, via the ISO.

Article 19

Hand carriage of removable storage media

1.   Removable storage media that are used to transport RESTREINT UE/EU RESTRICTED information shall be accompanied by a dispatch note, detailing the removable storage media containing the classified information, as well as all files contained on them, to allow the recipient to make the necessary verifications.
2.   Only the documents to be provided shall be stored on the media. All the classified information on a single USB stick, for instance, would have to be intended for the same recipient. The sender shall bear in mind that large amounts of classified information stored on such devices may warrant a higher classification level for the device as a whole.
3.   Only removable storage media bearing the appropriate classification marking shall be used to carry RESTREINT UE/EU RESTRICTED information.

Article 20

Carriage of RESTREINT UE/EU RESTRICTED documents within Court of Auditors buildings

1.   Staff may carry RESTREINT UE/EU RESTRICTED documents within a Court of Auditors building or between Union institutions, agencies or bodies, but the documents shall not leave the possession of the bearer, or be read in public.
2.   RESTREINT UE/EU RESTRICTED documents may be sent through internal mail to other Court of Auditors offices in a single ordinary opaque envelope, but with no indication on the outside that the contents are classified.

Article 21

Carriage of RESTREINT UE/EU RESTRICTED documents within the Union

1.   RESTREINT UE/EU RESTRICTED information may be carried by staff or couriers of the Court of Auditors or of another EU institution, body or agency anywhere within the Union, provided they comply with the following instructions:
(a) an opaque envelope or packaging shall be used to convey RESTREINT UE/EU RESTRICTED information. The outside shall not bear any indication of the nature or classification level of the contents;
(b) the RESTREINT UE/EU RESTRICTED information shall not leave the possession of the bearer; and
(c) the envelope or package shall not be opened
en route
, and the information shall not be read in public places.
2.   Staff wishing to send RESTREINT UE/EU RESTRICTED information to other locations in the Union may arrange for it to be conveyed by one of the following means:
— by national postal services that track the consignment or certain commercial courier services that guarantee personal hand carriage, provided that they meet the requirements set out in Article 23 of this Decision; or
— by military, government or diplomatic courier, in coordination with Records Office staff.

Article 22

Carriage of RESTREINT UE/EU RESTRICTED information from or to the territory of a third country

1.   Information classified as RESTREINT UE/EU RESTRICTED may be hand-carried by staff between the territory of the Union and the territory of a third country.
2.   Records Office staff may arrange for one of the following:
— carriage by postal services that track the consignment or commercial courier services that guarantee personal hand carriage; or
— carriage by military or diplomatic courier.
3.   When hand-carrying either paper documents or removable storage media classified as RESTREINT UE/EU RESTRICTED, staff shall comply with all of the following additional measures:
— when travelling by public transport, the classified information shall be placed in a briefcase or bag that is kept in the bearer’s personal custody. It shall not be consigned to a baggage hold;
— the RESTREINT UE/EU RESTRICTED information shall be conveyed inside two layers of packaging. The inner layer of packaging shall bear an official seal to indicate that it is an official consignment and is not to undergo security scrutiny;
— the bearer shall carry a courier certificate issued by the Records Office, which certifies that the bearer is authorised to carry the RESTREINT UE/EU RESTRICTED consignment.

Article 23

Carriage by commercial couriers

1.   For the purposes of this Decision, ‘commercial couriers’ include national postal services and commercial courier companies that offer a service where information is delivered for a fee and is either personally hand carried or tracked.
2.   Commercial couriers may use the services of a sub-contractor. However, responsibility for complying with this Decision shall remain with the courier company.
3.   If the intended recipient is outside the EU, two layers of packaging shall be used. When classified consignments are being prepared, the sender shall bear in mind that commercial courier services shall only deliver RESTREINT UE/EU RESTRICTED consignments to the intended recipient, a duly authorised substitute, the registry control officer or his/her duly authorised substitute, or a receptionist. To mitigate the risk that the consignment may not reach the intended recipient, the outer and, where applicable, the inner layer of the consignment’s packaging shall bear a return address.
4.   Services offered by commercial couriers providing electronic transmission of registered delivery documents shall not be used for RESTREINT UE/EU RESTRICTED information.

Article 24

Other specific handling conditions

1.   Any carriage conditions set out in a security of information agreement or in administrative arrangements shall be complied with. If in doubt, staff shall consult the ISO or the Records Office.
2.   The double packaging requirement can be waived for classified information that is protected by approved cryptographic products. However, for addressing purposes, and also as the removable storage medium bears an explicit security classification marking, the medium shall be carried at least in an ordinary envelope, but may require additional physical protection measures, such as a bubble wrap envelope.

CHAPTER 4

CLASSIFIED MEETINGS

Article 25

Preparing for a RESTREINT UE/EU RESTRICTED meeting

1.   Meetings where RESTREINT UE/EU RESTREINT information is due to be discussed shall only be held in a meeting room that has been accredited at the appropriate level or higher. Where these are not available, staff shall seek the advice of the ISO.
2.   As a general rule, agendas should be not classified. If the agenda of a meeting mentions classified documents, the agenda itself shall not automatically be classified. Agenda items shall be worded in a way that avoids jeopardising the protection of the Union, or one or more of the Member States’ interests.
3.   If electronic files containing RESTREINT UE/EU RESTRICTED information are to be attached to the agenda, it is mandatory to protect them with cryptographic products approved by the ISO of the Court of Auditors.
4.   Meeting organisers shall remind participants that any comments sent in on a RESTREINT UE/EU RESTRICTED agenda item must not be sent through ordinary open emails, or through other means that have not been appropriately accredited in accordance with Article 11 of this Decision.
5.   Meeting organisers shall endeavour to group RESTREINT UE/EU RESTRICTED items consecutively on the agenda in order to facilitate smooth functioning of the meeting. Only persons with a need-to-know may be present during discussions of classified items.
6.   The invitation itself shall forewarn the participants that the meeting will discuss classified topics, and that corresponding security measures will apply.
7.   The invitation or note on the agenda itself shall remind participants that portable electronic devices are to be switched off during the discussion of RESTREINT UE/EU RESTRICTED items.
8.   Meeting organisers shall prepare a complete list of external participants prior to the meeting.

Article 26

Electronic equipment in a RESTREINT UE/EU RESTRICTED meeting room

1.   Only IT systems accredited in accordance with Article 11 of this Decision may be used where RESTRICTED EU/EU RESTRICTED information is conveyed, for example in the course of a presentation or videoconference.
2.   The Chair shall ensure that unauthorised portable electronic devices have been switched off.

Article 27

Procedures to be followed during a RESTREINT UE/EU RESTRICTED meeting

1.   At the start of the classified discussion, the Chair shall announce to the meeting that it is moving to classified mode. The doors and blinds shall be closed.
2.   Only the necessary number of documents shall be given to participants and interpreters, as appropriate, at the start of the discussion.
RESTREINT UE/EU RESTRICTED documents shall not be left unattended during any breaks in the meeting.
3.   At the end of the meeting, the participants and interpreters shall be reminded not to leave any classified documents or classified notes they might have made lying unattended in the room. Classified documents or notes not taken away by the participants at the end of the meeting shall be collected by the meeting organisers and shredded in appropriate shredders.
4.   The list of participants and an outline of any classified information shared with Member States and released orally to third countries or international organisations shall be noted down during the meeting in order to be recorded in the outcome of proceedings.

Article 28

Interpreters and translators

Only interpreters and translators who are subject to the Staff Regulations or the Conditions of Employment of other servants of the European Union, or those who have a contractual link to the Court of Auditors, shall have access to RESTREINT UE/EU RESTRICTED information.

CHAPTER 5

SHARING AND EXCHANGING RESTREINT UE/EU RESTRICTED INFORMATION

Article 29

Originator consent

If the Court of Auditors is not the originator of the classified information for which release or sharing is desired, or of the source material it may contain, the department of the Court of Auditors that holds this classified information shall first seek the originator’s written consent for release. If the originator cannot be identified, the department of the Court of Auditors holding that classified information shall exercise originator control.

Article 30

Sharing RESTREINT UE/EU RESTRICTED information with other Union entities

1.   RESTREINT UE/EU RESTRICTED information shall only be shared with another Union institution, agency, body or office if the recipient has a need-to-know and the entity has a corresponding legal arrangement with the Court of Auditors.
2.   Within the Court of Auditors, the Records Office set up in the Secretariat of the Court shall, as a general rule, be the main point of entry and exit for information classified as RESTREINT UE/EU RESTRICTED which the Court of Auditors exchanges with other Union institutions, agencies, bodies and offices. However, RESTREINT UE/EU RESTRICTED information may be shared directly with intended recipients after informing the Court of Auditors ISO and the Records Office.

Article 31

Exchanging RESTREINT UE/EU RESTRICTED information with Member States

1.   RESTREINT UE/EU RESTRICTED information may be shared with Member States if the recipient has a need-to-know.
2.   Member States’ classified information that bears an equivalent national classification marking (8) and has been provided to the Court of Auditors shall be afforded the same level of protection as RESTREINT UE/EU RESTRICTED information.

Article 32

Exchanging RESTREINT UE/EU RESTRICTED information with third countries and international organisations

1.   RESTREINT UE/EU RESTRICTED information shall only be released to a third country or international organisation if the recipient has a need-to-know and the country or international organisation has an appropriate legal or administrative framework in place, such as a security of information agreement or an administrative arrangement with the Court of Auditors. The provisions of such an agreement or arrangement shall prevail over the provisions of this Decision.
2.   The Records Office in the Secretariat of the Court shall, as a general rule, be the main point of entry and exit for all information classified as RESTREINT UE/EU RESTRICTED that is exchanged between the Court of Auditors, third countries and international organisations.
3.   To ensure traceability, RESTREINT UE/EU RESTRICTED information shall be recorded by the Records Office:
— when it arrives in or leaves an organisational entity; and
— when it arrives in or leaves a CIS.
4.   Such recording may be carried out either on paper or in electronic logbooks.
5.   Recording procedures for classified information handled within an accredited CIS may be performed by processes within the CIS itself. In that case, the CIS shall include measures to guarantee the integrity of the log records.
6.   Classified information received from third countries or international organisations shall be afforded an equivalent level of protection as EUCI, bearing the equivalent classification marking as set out in the respective security of information agreement or administrative arrangement.

Article 33

Exceptional ad hoc release of RESTREINT UE/EU RESTRICTED information

1.   Where the Court of Auditors or one of its departments determines that there is an exceptional need to release RESTREINT UE/EU RESTRICTED information to a third country, international organisation or an EU entity, but no security of information agreement or administrative arrangement is in place, the exceptional ad hoc release procedure shall be followed.
2.   Court of Auditors departments shall contact the ISO and the originator. The Court of Auditors shall seek advice from one of the Parties to a Security of Information Agreement with that same EU entity, third country or international organisation.
3.   After this consultation, the College of the Court of Auditors may, on the basis of a proposal by the Secretary-General, authorise release of the information concerned.

CHAPTER 6

END OF LIFE FOR RESTREINT UE/EU RESTRICTED INFORMATION

Article 34

When to declassify

1.   Information shall remain classified only for as long as it requires protection. Declassification means that the information shall no longer be considered as classified at all. At the time of its creation, the originator shall indicate, where possible, whether the EUCI can be declassified on a given date or following a specific event. Otherwise, the originator shall regularly review RESTREINT UE/EU RESTRICTED information to determine whether classification is still appropriate.
2.   Information classified RESTREINT UE/EU RESTRICTED that has originated in the Court of Auditors shall be declassified after thirty years, in accordance with Regulation (EEC, Euratom) No 354/83 (9) as amended by Council Regulation (EC, Euratom) No 1700/2003 (10) and Council Regulation (EU) 2015/496 (11).
3.   Court of Auditors documents may also be declassified on an ad hoc basis, for example following a request for access from the public.

Article 35

Responsibility for declassifying

1.   RESTREINT UE/EU RESTRICTED information shall not be declassified without the permission of the originator.
2.   The Court of Auditors department that creates a classified document shall be responsible for deciding whether it can be declassified. Within the Court of Auditors, all requests for declassifying shall be subject to consultation of the Principal Manager or Director of the originating department, or the head of task. If the department has compiled classified information from various sources, it shall first seek the consent of any other parties that provided source material, including in Member States, other EU bodies, third countries or international organisations.
3.   Where the originating Court of Auditors department no longer exists and its responsibilities have been taken on by another department, the decision regarding declassifying shall be taken by this department. Where the originating department no longer exists and its responsibilities have not been taken on by another department, the decision to declassify shall be taken jointly by the directors of the Court of Auditors.

Article 36

Sensitive non-classified information

When reviewing a document results in a decision to declassify, consideration shall be given as to whether the document should bear a sensitive non-classified information distribution marking within the meaning of point 16 of the Court of Auditors information classification policy and point 4 of the Guidelines on classifying and handling non-EU-classified information (12).

Article 37

How to indicate that a document has been declassified

1.   The original classification marking at the top and bottom of every page shall be visibly crossed out (not removed) using the ‘strikethrough’ function for electronic formats, or manually for print-outs.
2.   The first (cover) page shall be stamped as declassified and completed with the details of the authority responsible for declassifying and the corresponding date.
3.   The original recipients of the RESTREINT UE/EU RESTRICTED information shall be informed of the declassification. The initial recipients shall be responsible for informing any subsequent addressees to whom they have sent or copied the original RESTREINT UE/EU RESTRICTED information.
4.   The Court of Auditors Archives Service shall be informed of all declassification decisions taken.
5.   All translations of classified information shall be subject to the same declassification procedures as the original language version.

Article 38

Partial declassification of RESTREINT UE/EU RESTRICTED information

1.   Partial declassification shall also be possible (e.g. annexes, some paragraphs only). The procedure shall be identical to that for declassifying an entire document.
2.   Upon partial declassification (‘sanitising’) of RESTREINT UE/EU RESTRICTED information, a declassified extract shall be produced.
3.   The parts that remain classified shall be replaced by:
PART NOT TO BE DECLASSIFIED
either in the body of the text itself, if the part that remains classified is a part of a paragraph, or as a paragraph, if the part that remains classified is a specific paragraph or more than one paragraph.
4.   Specific mention shall be made in the text if a complete annex cannot be declassified and has therefore been withheld from the extract.

Article 39

Routine destruction and deletion of RESTREINT UE/EU RESTRICTED information

1.   The Court of Auditors shall not amass large quantities of classified information.
2.   Originating departments shall routinely review small amounts for destruction or deletion at short intervals. A review shall take place both for information stored on paper and for information stored in CIS at regular intervals.
3.   Staff shall destroy or securely delete any RESTREINT UE/EU RESTRICTED documents that are no longer required, subject to any archiving requirements for the original document.
4.   Staff shall not be required to inform the originator if they destroy or delete copies of RESTREINT UE/EU RESTRICTED documents.
5.   Draft material containing classified information shall be subject to the same disposal methods as finalised classified documents.
6.   Only approved shredders shall be used for destroying RESTREINT UE/EU RESTRICTED documents. Level 4 of DIN 32757 and Level 5 of DIN 66399 shredders are suitable for destroying RESTREINT UE/EU RESTRICTED documents.
7.   The shred from approved shredders may be disposed of as normal office waste.
8.   All media and devices containing RESTREINT UE/EU RESTRICTED information shall be properly sanitised when they reach the end of their lifetime. The electronic data shall be destroyed or erased from information technology resources and associated storage media (including backup) in a manner that gives reasonable assurance that the information cannot be recovered. Sanitisation shall remove data from the storage device, and also remove all labels, markings and activity logs.
9.   Computer storage media shall be given to the ISO for destruction and disposal.

Article 40

Evacuation and destruction of RESTREINT UE/EU RESTRICTED information in an emergency

1.   The Director of Human Resources, Finance and General Services together with the ISO shall develop, approve, and if necessary activate emergency evacuation and destruction plans to safeguard RESTREINT UE/EU RESTRICTED information that is at significant risk of falling into unauthorised hands during a crisis. In order of priority, and depending on the nature of the emergency, consideration shall be given to:
(1) moving EUCI to an alternative safe place, where possible an Administrative Area or the Records Office within the Court of Auditors’ premises;
(2) evacuating EUCI to an alternative safe place, where possible an Administrative or Secured Area in a different building, and where possible the Secured Area at the Commission, for the use of which the Court of Auditors has concluded a service level agreement;
(3) destroying EUCI, where possible using the approved means of destruction.
2.   When emergency plans have been activated, priority shall be given to moving or destroying higher levels of information first.
3.   The operational details of emergency evacuation and destruction plans shall themselves be classified as RESTREINT UE/EU RESTRICTED.

Article 41

Archiving

1.   Decisions on whether and when to archive, and the corresponding practical measures to be taken, shall be in accordance with the Court of Auditors information security policy, information classification policy and archives policy;
2.   RESTREINT UE/EU RESTRICTED documents shall not be sent to the Historical Archives of the European Union in Florence.

CHAPTER 7

FINAL PROVISIONS

Article 42

Transparency

This Decision shall be brought to the attention of Court of Auditors staff and to all individuals to whom it applies, and shall be published in the
Official Journal of the European Union
.

Article 43

Entry into force

After adoption by the Administrative Committee, this Decision shall enter into force on the day following that of its publication in the
Official Journal of the European Union
.
Done at Luxembourg, 1 March 2023.
For the Administrative Committee of the Court of Auditors
The President
Tony MURPHY
(1)  
OJ L 256, 19.7.2021, p. 106
.
(2)  Available at https://www.eca.europa.eu/en/Pages/LegalFramework.aspx
(3)  Pursuant to Article 1(2) of Decision No 41-2021, RESTREINT UE/EU RESTRICTED information shall mean ‘information and material the unauthorised disclosure of which could be disadvantageous to the interests of the European Union or of one or more of the Member States’.
(4)  SSD meaning semiconductor storage device, a solid-state device or a solid-state disk.
(5)  As defined in the Annex to Decision No 41-2021.
(6)  As defined in Article 18 of Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 on the security rules for protecting EU classified information (
OJ L 72, 17.3.2015, p. 53
).
(7)  See Article 39 below for further details.
(8)  The table of equivalence for Member State markings is set out in Annex I to Decision (EU, Euratom) 2015/444.
(9)  Council Regulation (EEC, Euratom) No 354/83 of 1 February 1983 concerning the opening to the public of the historical archives of the European Economic Community and the European Atomic Energy Community (
OJ L 43, 15.2.1983, p. 1
).
(10)  Council Regulation (EC, Euratom) No 1700/2003 of 22 September 2003, amending Regulation (EEC, Euratom) No 354/83 concerning the opening to the public of the historical archives of the European Economic Community and the European Atomic Energy Community (
OJ L 243, 27.9.2003, p. 1
).
(11)  Council Regulation (EU) 2015/496 of 17 March 2015, amending Regulation (EEC, Euratom) No 354/83 as regards the deposit of the historical archives of the institutions at the European University Institute in Florence (
OJ L 79, 25.3.2015, p. 1
).
(12)  Staff Notice 123/20, available at: https://www.eca.europa.eu/Documents/Information_Classification_Policy_EN.pdf

ANNEX

Categories of staff who may have access to RESTREINT UE/EU RESTRICTED information if needed in order to perform their professional tasks

Categories of Court of Auditors’ personnel

Access to R-UE/EU-R information

Conditions

Officials

Yes

Briefing + acknowledge + need-to-know

Temporary agents

Yes

Briefing + acknowledge + need-to-know

Contractual agents

Yes

Briefing + acknowledge + need-to-know

Seconded national experts (SNEs) from EU Member States

Yes

Briefing (by the Court of Auditors) + acknowledge + need-to-know

Trainees

No

No exceptions possible

Any other category of personnel (interim, intra-muros externals, etc.)

No

Consult the ISO for any exceptions

Markierungen
Leseansicht