COUNCIL DECISION (EU) 2019/425
of 12 March 2019
on the position to be taken on behalf of the European Union within the Joint Committee established by the Agreement between the European Union and the Kingdom of Norway on administrative cooperation, combating fraud and recovery of claims in the field of value added tax
Article 1
Article 2
DECISION No 1/2019 OF THE JOINT COMMITTEE ESTABLISHED BY THE AGREEMENT BETWEEN THE EUROPEAN UNION AND THE KINGDOM OF NORWAY ON ADMINISTRATIVE COOPERATION, COMBATING FRAUD AND RECOVERY OF CLAIMS IN THE FIELD OF VALUE ADDED TAX
of …
on the adoption of its Rules of Procedure
Article 1
Article 2
ANNEX
Rules of procedure of the Joint Committee established by the Agreement between the European Union and the Kingdom of Norway on administrative cooperation, combating fraud and recovery of claims in the field of value added tax
Article 1
Composition and chairmanship
Article 2
Observers and experts
Article 3
Convening a meeting
Article 4
Agenda
Article 5
Secretarial support
Article 6
Minutes of the meeting
Article 7
Adoption of decisions and recommendations
Article 8
Expenses
DECISION No 2/2019 OF THE JOINT COMMITTEE ESTABLISHED BY THE AGREEMENT BETWEEN THE EUROPEAN UNION AND THE KINGDOM OF NORWAY ON ADMINISTRATIVE COOPERATION, COMBATING FRAUD AND RECOVERY OF CLAIMS IN THE FIELD OF VALUE ADDED TAX
of …
on standard forms for the communication of information, the transmission of information via the CCN/CSI network and the practical arrangements for the organisation of contacts between central liaison offices and liaison departments
Article 1
Standard forms for the communication of information
Article 2
Transmission of information via the CCN/CSI network
Article 3
Organisation of contacts between central liaison offices and liaison departments
Article 4
DECISION No 3/2019 OF THE JOINT COMMITTEE ESTABLISHED BY THE AGREEMENT BETWEEN THE EUROPEAN UNION AND THE KINGDOM OF NORWAY ON ADMINISTRATIVE COOPERATION, COMBATING FRAUD AND RECOVERY OF CLAIMS IN THE FIELD OF VALUE ADDED TAX
of …
on the procedure for the conclusion of service level agreements
Article 1
Article 2
ANNEX I
Service Level Agreement for the systems and the applications for administrative cooperation and recovery of claims in the area of VAT
1. APPLICABLE ACTS AND REFERENCE DOCUMENTS
1.1. APPLICABLE ACTS
[AD.1.] |
Agreement between the European Union and the Kingdom of Norway on administrative cooperation, combating fraud and recovery of claims in the field of value added tax (‘the Agreement’) (OJ L 195, 1.8.2018, p. 3) |
[AD.2.] |
Decision No 2/2019 of the Joint Committee established by the Agreement between the European Union and the Kingdom of Norway on administrative cooperation, combating fraud and recovery of claims in the field of the value added tax of … [date] on standard forms for the communication of information, the transmission of information via the CCN/CSI network and the practical arrangements for the organisation of contacts between central liaison offices and liaison departments |
1.2. REFERENCE DOCUMENTS
[RD.1.] |
CCN Mail III User Guide for NAs (ITSM Web Portal) |
[RD.2.] |
CCN Intranet – Local Network Administrator Guide (ITSM Web Portal) |
[RD.3.] |
Statistics – Guidelines and instructions (ANNEX rev1) to SCAC No 560 |
[RD.4.] |
VAT e-Forms – Functional Specifications |
[RD.5.] |
VAT e-Forms – Technical Specifications |
[RD.6.] |
Recovery e-Forms – Functional Specifications |
[RD.7.] |
Recovery e-Forms – Technical Specifications |
[RD.8.] |
CCN/CSI General Security Policy (ITSM Web Portal) |
[RD.9.] |
CCN Gateway Management Procedures (ITSM Web Portal) |
[RD.10.] |
CCN/CSI Baseline Security Checklist (ITSM Web Portal) |
2. TERMINOLOGY
2.1. ACRONYMS
ACRONYM |
DEFINITION |
CCN/CSI |
Common Communication Network / Common System Interface |
CET |
Central European Time |
CIRCABC |
Communication and Information Resource Centre Administrator |
DG |
Directorate General |
EoF |
Exchange of Forms |
ITIL(1) |
Information Technology Infrastructure Library |
ITSM |
Information Technology Service Management |
Party |
Within the scope of this SLA, ‘Party’ shall mean either Norway or the Commission. |
VAT |
Value Added Tax |
2.2. DEFINITIONS
EXPRESSION |
DEFINITION |
CET |
Central European Time, GMT+1 and during summer time GMT+2 hours |
Working days and hours (ITSM service desk) |
7:00 to 20:00 (CET), 5 days a week (Monday to Friday including holidays) |
3. INTRODUCTION
3.1. SCOPE OF THE SLA
3.2. AGREEMENT PERIOD
4. RESPONSIBILITIES
4.1. SERVICES PROVIDED BY THE COMMISSION TO NORWAY
4.2. SERVICES PROVIDED BY NORWAY TO COMMISSION
5. SERVICE LEVEL REVIEW
5.1. COMMISSION SERVICE LEVELS
5.1.1. Service desk
5.1.1.1. Agreement
PRIORITY |
REGISTRATION TIME |
RESOLUTION TIME |
P1: Critical |
0,5 h |
4 h |
P2: High |
0,5 h |
13 h (1 day) |
P3: Medium |
0,5 h |
39 h (3 days) |
P4: Low |
0,5 h |
65 h (5 days) |
5.1.1.2. Reporting
5.1.2. Statistical Service
5.1.2.1. Agreement
5.1.2.2. Reporting
5.1.3. Exchange of Forms
5.1.3.1. Agreement
CCN/Mail mailbox |
Form |
Deadline |
||||||||||
VIESCLO |
Exchange of Information under Articles 7, 10, 12 and 18 of the Agreement General exchanges |
The time limit for providing information is as quickly as possible, and no later than 3 months following the date of the request (Article 8 of the Agreement). However when the requested authority is already in possession of the information the time limit shall be reduced to a maximum period of one month (Article 8 of the Agreement). |
||||||||||
VIESCLO |
Exchange of Information under Articles 7, 10, 12 and 18 of the Agreement Request for notification |
Request for notification with immediate answer (Article 12 of the Agreement). |
||||||||||
TAXFRAUD |
Exchange of Information under Articles 7, 10, 12 and 18 of the Agreement Anti-fraud exchanges |
Missing trader information shall be sent as soon as the information becomes available. |
||||||||||
TAXAUTO |
Automatic exchanges |
The categories of information subject to automatic exchange, in accordance with Article 11 of the Agreement, are to be determined by the Joint Committee. |
||||||||||
REC-A-CUST; REC-B-VAT; REC-C-EXCISE; REC-D-INCOME-CAP; REC-E-INSUR; REC-F-INHERIT-GIFT; REC-G-NAT-IMMOV; REC-H-NAT-TRANSP; REC-I-NAT-OTHER; REC-J-REGIONAL; REC-K-LOCAL; REC-L-OTHER; REC-M-AGRI |
Request for information under Art. 22 of the Agreement Request for notification under Art. 25 of the Agreement Request for recovery under Art. 27 of the Agreement Request for precautionary measures under Art. 33 of the Agreement |
Request for information:
Request for notification:
Request for recovery and request for precautionary measures:
|
5.1.3.2. Reporting
5.1.4. Problem Management
5.1.4.1. Agreement
5.1.4.2. Reporting
5.1.5. Security Management
5.1.5.1. Agreement (3)
Name |
Version |
Date |
https security recommendations of CCN /Mail III Webmail access – Ref. CCN /Mail III User Guide for NAs |
3.0 |
15.6.2012 |
Security recommendations of CCN /Mail III Webmail access – Ref. CCN Intranet – Local Network Administrator Guide |
4.0 |
11.9.2008 |
5.1.5.2. Reporting
5.2. NORWAY'S SERVICE LEVELS
5.2.1. All Service Level Management Areas
5.2.1.1. Agreement
5.2.1.2. Reporting
5.2.2. Service desk
5.2.2.1. Agreement
5.2.2.2. Reporting
6. QUALITY MEASUREMENT
6.1. AGREEMENT
6.2. REPORTING
7. APPROVAL OF THE SLA
8. CHANGES TO THE SLA
9. CONTACT POINT
ANNEX II
Service Level Agreement for the Common Communication Network / Common System Interface services (‘CCN/CSI SLA’)
1. APPLICABLE ACTS AND REFERENCE DOCUMENTS
1.1. APPLICABLE ACTS
[AD.1.] |
Agreement between the European Union and the Kingdom of Norway on administrative cooperation, combating fraud and recovery of claims in the field of value added tax (‘the Agreement’) (OJ L 195, 1.8.2018, p. 3) |
[AD.2.] |
Decision No 2/2019 of the Joint Committee established by the Agreement between the European Union and the Kingdom of Norway on administrative cooperation, combating fraud and recovery of claims in the field of the value added tax of … [date] on standard forms for the communication of information, the transmission of information via the CCN/CSI network and the practical arrangements for the organisation of contacts between central liaison offices and liaison departments |
1.2. REFERENCE DOCUMENTS
ID |
REFERENCE |
TITLE |
VERSION |
RD1 |
CCN-COVW-GEN |
CCN/CSI & SPEED2 Systems Overview |
EN18.01 |
RD2 |
CCN-CMPR-GW |
CCN Gateways Management Procedures |
EN19.20 |
RD3 |
CCN-CSEC-POL |
CCN/CSI General Security Policy |
EN05.00 |
RD4 |
CCN-CSEC-BSCK |
CCN/CSI Baseline Security Checklist |
EN03.00 |
RD5 |
CCN-CLST-ROL |
Description of CCN/CSI roles |
EN02.10 |
RD6 |
CCN-CNEX-031 |
External note 031 – Procedure for the Move of a CCN/CSI Site |
EN06.20 |
RD7 |
CCN-CNEX-060 |
External Note 060 – Install new CCN Site |
EN02.20 |
RD8 |
CCN/CSI-PRG-AP/C-01-MARB |
CCN/CSI-PRG-AP/C-01-MARB-Application Programming Guide (C Language) |
EN11.00 |
2. TERMINOLOGY
2.1. ACRONYMS
ACRONYMS |
DEFINITION |
ACT |
Application Configuration Tool |
AIX |
IBM Unix OS |
CCN |
Common Communication Network |
CCN/CSI |
Common Communication Network / Common System Interface |
CCN/WAN |
Framework service for the provision of network services to CCN |
CI |
Configuration Item |
CIRCABC |
Communication and Information Resource Centre for Administrations, Businesses and Citizens |
COTS |
Common Off The Shelf |
CPR |
Customer Premises Router |
CSA |
CCN Security Administrator |
CSI |
Common System Interface |
DG |
Directorate General |
DMZ |
De-Militarised Zone |
EC |
European Commission |
HPUX |
Hewlett Packard Unix Operating System |
HTTP |
Hyper Text Transport Protocol |
HTTPS |
Hyper Text Transport Protocol – Secure |
HVAC |
Heating, Ventilating, and Air-Conditioning |
HW |
Hardware |
ICT |
Information and Communication Technology |
IMAP |
Internet Message Access Protocol |
IP |
Internet Protocol |
ITCAM |
IBM Tivoli Composite Application Manager |
ITSM |
Information Technology Service Management |
LAN |
Local Area Network |
LSA |
Local System Administrator |
MQ |
IBM MQ Series SW |
MVS |
Multiple Virtual Storage |
NA |
National Administration |
OBS |
Orange Business Services |
OS |
Operating System |
OSP |
Obligation of the Service Provider |
OSR |
Obligation of the Service Requester |
PoP |
Point of Presence |
QA |
Quality Assurance |
RAP |
Remote API Proxy |
RD |
Reference Document |
SMTP |
Simple Mail Transport Protocol |
SQI |
Service Quality Indicator |
SSG |
Secure Services Gateways (Juniper Encryption box) |
SW |
Software |
TAXUD |
Taxation and Customs Union |
TCP |
Transmission Control Protocol |
UPS |
Uninterruptible Power Supply |
WAN |
Wide Area Network |
2.2. DEFINITIONS OF TERMS FOR THE PURPOSE OF THE CCN/CSI SLA
TERM |
DESCRIPTION |
Reporting period |
The elapsed time covered is one month. |
Working day |
The working days are the working days of the Service Provider Service Desk. These are 7 days a week including public holidays. |
Working hour |
The working hours are the working hours of the Service Provider SD. These are 24/24 during the working days. |
Duty Period |
The Service Provider's ‘Duty Period’ is the hours of coverage of the Service Desk function. The duty is ensured by Service Provider SD from 24/24, 7 days a week including public holidays. Depending of the CI's Service Window, there is an immediate action (24/7) or the intervention is scheduled for the next day. Letter, fax, e-mails and electronic requests (through the ITSM Portal) are accepted at any moment. Incoming requests are registered as ‘Service Calls’ in the Service Provider Service Desk management system. |
3. INTRODUCTION
3.1. SCOPE OF THE CCN/CSI SLA
3.2. CCN/CSI SERVICE DEFINITION AND CHARACTERISTICS
TRANS-EUROPEAN |
CCN/CSI offers a global WAN access to Service Requesters through a number of Points of Presence (PoP) in every Member State, acceding countries and the Kingdom of Norway. The CCN/CSI network backbone offers the required capacity and resilience to provide the Service Requesters with a high availability rate. |
||||||||||||||||||||
MULTI-PLATFORM |
Allows the interoperability between heterogeneous platforms (Windows, Linux, Solaris, AIX, HPUX, SVR4, IBM MVS, etc.) through a highly portable communication stack (CSI) installed on standard national Application Platforms. |
||||||||||||||||||||
MULTI-PROTOCOL |
Supports various protocols and exchange paradigms:
|
||||||||||||||||||||
SECURE |
Information exchanges over the CCN/CSI network are protected to ensure optimal confidentiality and data integrity. Security services include:
|
||||||||||||||||||||
MANAGED |
The CCN/CSI infrastructure also provides Service Requesters with managed services including:
|
3.3. AGREEMENT PERIOD
4. RESPONSIBILITIES
4.1. OBLIGATIONS OF THE SERVICE PROVIDER (OSP)
[OSP1] |
Operate the CCN/CSI network infrastructure in order to achieve the Service Levels described in section 8. |
||||
[OSP2] |
Select the various CCN/CSI Infrastructure and Software components. |
||||
[OSP3] |
Provide Hardware and Software maintenance for the DG TAXUD CCN infrastructure equipment (e.g. CCN Gateways) installed at the Service Requesters premises as well as the central CCN Mail III servers. |
||||
[OSP4] |
Provide monitoring of the DG TAXUD CCN Infrastructure equipment installed at the Service Requesters premises. |
||||
[OSP5] |
Manage the CCN/CSI audit files. |
||||
[OSP6] |
Manage the CCN/CSI addressing plan. |
||||
[OSP7] |
Respect the rules and recommendations put forward in the ‘Security documents’:
|
||||
[OSP8] |
From time to time, the Service Requester needs to make sure that the network availability will not be reduced due to maintenance or other expected unavailability's. In that case, the Service Requester will notify the Service Provider at least 1 month in advance. If the Service Requester cannot respect this delay, DG TAXUD will arbitrate the situation. |
||||
[OSP9] |
All software licenses running on the CCN gateways will be provided by DG TAXUD. |
||||
[OSP10] |
Respect the CCN/CSI site backup policy (cfr. RD2). |
||||
[OSP11] |
Audit the system as defined in RD2. |
||||
[OSP12] |
Regularly proceed with the System Security Checkup as defined in RD2. |
4.2. OBLIGATIONS OF THE SERVICE REQUESTER (OSR)
Technical and Infrastructure level |
|||||||
[OSR1] |
House the DG TAXUD CCN Infrastructure equipment provided by the DG TAXUD and provide appropriate:
|
||||||
[OSR2] |
Make sure that the CCN/CSI components are ‘electrically’ connected to the UPS. Specific adaptations to local standards (e.g. plug adapters) have to be provided by the Service Requester. |
||||||
Operational and Organisation level |
|||||||
[OSR3] |
Assign personnel in charge of the roles listed in RD5. |
||||||
[OSR4] |
Ensure presence outside of normal working hours whenever deemed necessary and requested by the Service Provider. For some operations performed by the backbone carrier or by the Service Provider, the coordination and/or the presence of the LSA from the Service Consumer may be required. There will be at least one-month notice in order to plan these activities; full cooperation is necessary in order to respect the complex planning due to the number of sites. |
||||||
[OSR5] |
Never stop any of the DG TAXUD CCN Infrastructure equipment without formal authorisation from the Service Provider. |
||||||
[OSR6] |
Ask for the formal authorisation from the Service Provider before installing on the DG TAXUD CCN Infrastructure equipment additional hardware or software components that do not belong to the standard delivery package. |
||||||
[OSR7] |
Provide a clear description of the perceived/reported incidents, reported by the service requester. |
||||||
[OSR8] |
Collaborate actively with the Service Provider and/or his representatives when required for the delivery of services. |
||||||
Communication level |
|||||||
[OSR9] |
Use exclusively the contact points at the Service Provider and inside their own organisation. |
||||||
[OSR10] |
Notify the Service Provider of any absence of the contact points during the opening hours of the Service Provider, or, at least, provide a backup able to replace the contact points. |
||||||
[OSR11] |
Notify the Service Provider of any modification of its own contact points, at least 5 working days before this modification becomes effective. |
||||||
[OSR12] |
Notify the Service Provider of any scheduled INFRASTRUCTURE maintenance potentially affecting the DG TAXUD CCN Infrastructure equipment hosted at the Service Consumer premises (at least one week in advance for all equipment). e.g.: planned power or network infrastructure outages, DC move, IP-address changes, …. |
||||||
[OSR13] |
Notify the Service Provider of any external problem such as power failure affecting the good running of the CCN Gateways and application platforms. |
||||||
[OSR14] |
Notify Service Provider, through a formal request, at least six months in advance for any moving of DG TAXUD CCN Infrastructure equipment. The Service Requester takes in charge the costs of the moving operations. Refer to RD6 for more details about the procedure. |
||||||
[OSR15] |
Notify the Service Provider of any outage of the secured links between the DG TAXUD CCN Infrastructure and the Service Requester (NA or peer DG). |
||||||
[OSR16] |
Notify the Service Provider of any outage of the Application Platforms. |
||||||
[OSR28] |
The service requester is requested to communicate any planned local DC/Computer room outage (incl. WAN) 1 (one) working week upfront. This in order for DG TAXUD to be able to put in place the necessary communication to any other involved stakeholders. |
||||||
Security and User Management level |
|||||||
[OSR17] |
Manage the local user accounts on the CCN Gateway (cf. RD2). |
||||||
[OSR18] |
Grant physical access permission to the equipment and staff mandated by the Service Provider when required. |
||||||
[OSR19] |
Authorise the appropriate TCP ports in the Service Consumer network (National Domain) (cfr. RD2). |
||||||
[OSR20] |
Ensure that the Network Encryption Devices (currently Juniper SSG) at the Service Requester site is located in an access-controlled area. |
||||||
[OSR21] |
Restrict access to all devices of the DG TAXUD CCN Infrastructure to authorised personnel. The access shall be allowed only on request from the CSA. Unwanted access to these devices can jeopardise the security or at least cause network outages. |
||||||
[OSR22] |
Respect the rules and recommendations put forward in the ‘Security documents’:
|
||||||
Application Management Development |
|||||||
[OSR27] |
The Service Requester is sole responsible for the development, support and management of its applications. They must conform to the rules defined in RD8. |
4.3. SERVICES PROVIDED BY THE SERVICE PROVIDER
4.3.1. IT Service Desk
4.3.1.1. Incident and problem management
4.3.2. Tools supporting the Service Management
4.3.3. ICT Infrastructure Management and Operations
4.3.3.1. Availability Management
4.3.3.2. Contingency Management
4.3.3.3. Application Configuration Data Management
4.3.4. Security Management
4.3.5. Documentation management
4.3.6. Reporting and statistics
4.3.7. Training
5. SERVICE LEVEL MEASUREMENT
5.1. SERVICE LEVEL
5.2. APPLICABLE SERVICE QUALITY INDICATORS
5.2.1. Individual CCN/CSI Site Availability
LIMIT |
>= 97,0 % availability |
5.2.2. SQI on the Duty Period
LIMIT |
Service Desk shall not be unreachable during the duty period more than 2 times / month |
5.2.3. SQI on the Notification Service
5.2.4. SQI on the Contingency Management
LIMIT |
Max 5 working hours following the agreement with the Service Requester to perform the switch |
5.2.5. SQI on the Application Configuration Data management
LIMIT |
5 working days |
5.2.6. SQI on the Acknowledgment Delay
LIMIT |
30 minutes |
1 |
CRITICAL |
2 |
HIGH |
3 |
MEDIUM |
4 |
LOW |
5.2.7. SQI on the Resolution Delay
PRIORITY |
RESOLUTION DELAY |
CRITICAL |
5 Working Hours |
HIGH |
13 Working Hours |
MEDIUM |
39 Working Hours |
LOW |
65 Working Hours |
PRIORITY |
LIMIT |
CRITICAL |
>= 95,00 % of CRITICAL incidents must be solved within the agreed resolution delay (5 Working Hours). |
HIGH |
>= 95,00 % of HIGH incidents must be solved within the agreed resolution delay (13 Working Hours). |
MEDIUM |
>= 95,00 % of MEDIUM incidents must be solved within the agreed resolution delay (39 Working Hours). |