COMMISSION IMPLEMENTING REGULATION (EU) 2023/2790
of 14 December 2023
laying down functional and technical specifications for the reporting interface module of the Maritime National Single Windows
(Text with EEA relevance)
Article 1
Definitions
Article 2
Article 3
Article 4
ANNEX
PART I
REPORTING INTERFACE MODULE
ARCHITECTURE AND SCOPE
RIM FUNCTIONAL SPECIFICATIONS
ID | Function | Description |
LR1 | Logging and monitoring | The function shall ensure logging and storage of events (delivery failures, delays, and recipient’s error). |
LR2 | Metadata storing | The function shall ensure the storage of metadata of exchanged messages. |
OA1 | Technical data storage and lookup | The function shall ensure storage and lookup of technical data required for the configuration and functioning of the RIM through an interface (e.g. technical addresses of the senders’ AS4 access points, message schemas of message implementation guide, etc.). |
OA2 | Exception handling | The function shall provide notifications of detected processing errors and/or anomalous conditions through a user interface. |
OA3 | Access to logging and monitoring information and metadata | The function shall provide the MNSW-Core access to logging and monitoring information and metadata of exchanged messages through a system-to-system interface. |
OA4 | Sender authentication | The function shall trigger the authentication process of a sender using a central or national authentication service. |
OA5 | Message validation | The function shall perform the syntax and semantic validation of received messages in accordance with the technical message specifications defined in the message implementation guide. The message implementation guide shall specify which validations shall be done by the RIM. The RIM shall notify errors accordingly. |
MF1 | Message handling | The function shall ensure that the content of the messages received (formality or response) is transferred without modifications to the relevant corner if the validations have been successful. |
RIM TECHNICAL SPECIFICATIONS
Integration
ID | Name | Description |
IA1. | Messaging protocol standard | The RIM shall use AS4 messaging protocol to facilitate interoperability with different technologies and reporting systems of senders. |
Message Exchange
ID | Name | Description |
AP1. | Asynchronous message exchange pattern | The RIM shall support asynchronous transmission of messages to and from (formality and response) the MNSW-Core by push and pull mechanism. |
Security
ID | Name | Description |
SA1. | Information exchange confidentiality and security | The RIM shall ensure confidentiality of information and protection of any personal data exchanged by encrypting the information exchanged between the sender’s AS4 Access Point and the RIM. The RIM shall decrypt and make the messages sent by a sender available to the MNSW-Core. The RIM shall use Web Service Security (WSS) as the standard to allow the secure exchange of messages between the sender’s AS4 Access Point and the RIM. |
SA2. | Non-repudiation of messages | The communication and validation of messages via the RIM shall include security measures to ensure message authenticity and avoid repudiation of messages. |
SA3. | Integrity | Technical measures shall be put in place to ensure the integrity of data exchanged. |
SA4. | Application Security | The RIM shall rely on software development best practices that enable the detection of malicious activities, and the secure transfer of sensitive information. |
SA5. | Service Availability | For reliable communication and distribution of information between senders and Maritime National Single Windows, the RIM shall implement mechanisms that ensure messages exchanged with the RIM are not lost in case of service unavailability. |
Performance and Scalability
ID | Name | Description |
PS1. | Performance and scalability | The RIM shall be able to meet existing and future performance targets such as response time, number of concurrent senders and amount/size of exchanged messages. |
Portability and Deployment
ID | Name | Description |
PD1. | Platform independence | The RIM shall be compatible with the most common hardware architecture and operating systems where the RIM would be deployed. The RIM should not require proprietary hardware or software for installation or configuration. |
PD2 | Self-installing application | The RIM shall be provided as a package of software that includes all the application components required by the RIM. The provided and required dependencies shall be listed in each RIM release note. |
PART II
EMSWE USER REGISTRY AND ACCESS MANAGEMENT SYSTEM
CENTRAL REGISTRY
CENTRAL AUTHENTICATION SERVICE
URAM TECHNICAL SPECIFICATIONS
Integration
ID | Name | Description |
URAM.01 | Interoperable standards | The URAM software shall adhere to standard protocols and employ robust security features when exposing its interfaces and integrating with other components. |
URAM.02 | eIDAS compliance | The URAM software shall make use of open EU standards and solutions and shall implement necessary control mechanisms to check sender’s certificates against the trusted lists published by Member States in accordance with Article 22 of Regulation (EU) No 910/2014 and Commission Implementing Decision (EU) 2015/1505 including information related to qualified trust service providers issuing certificates used for electronic seals. |
Security
ID | Name | Description |
URAM.03 | Information exchange confidentiality | To ensure the security of URAM software and exchange of any personal data, the following protocols and encryption methods shall be implemented: |
URAM.04 | Application security | The URAM software shall guarantee the detection of malicious activities and the secure transfer of sensitive information. |
URAM 05 | Personal data protection | Access rights shall be granted to the authorities of the Member States as per Article 12(2) of Regulation (EU) 2019/1239 for the purpose of registering senders. The URAM software shall implement access control mechanisms to ensure the protection of user information that is personal data, which shall be processed solely for the purpose of creating user accounts and managing the corresponding access rights. The central authentication service shall retain personal data of the senders no longer than it is needed for the purpose of the authentication. The central registry shall retain personal data of the senders no longer than necessary for the management of the account. |
Sustainability & portability
ID | Name | Description |
URAM.06 | Technology independence | The URAM software shall allow interactions with the RIM and other relevant services without the need of proprietary software or hardware and shall allow for integration with the RIM regardless of the technological environment in which the RIM is deployed. |
URAM.07 | Independent deployment | The URAM software shall not enforce a specific deployment requirement on the RIM. The RIM should only ensure an internet connectivity and the respect of standards related to security and protocols of the URAM software. |
Central authentication service functions
ID | Name | Description |
URAM.08 | Authentication service | The central authentication service shall be responsible for the authentication of senders by verifying the validity of the certificate, the EORI number and the association between senders’ EORI number and its certificate. It shall process authentication requests sent by the RIM and provide responses indicating successful or unsuccessful authentication. |
Central Registry specifications
ID | Name | Description |
URAM.09 | Sender Registration | The central registry shall provide a graphical user interface to the Member States for registering sender’s data. Once registered in the central registry, the sender shall be registered in all Member States. |
URAM.10 | Sender view and search | The central registry shall allow a Member State to view all data of the senders that it has previously registered. It shall also provide a search functionality for retrieving its registered senders’ data based on various search criteria. |
URAM.11 | Sender update | The central registry shall allow a Member State to modify all its previously registered senders’ data to ensure data accuracy and validity. |
URAM.12 | Sender deactivation | The central registry shall allow a Member State to deactivate its previously registered senders. |
URAM.13 | Audit and reporting | The central registry shall offer reporting capabilities enabling a Member State to analyse its previously registered specific senders’ data, such as registration date and certificate validity. |
URAM.14 | Notifications | The central registry shall offer Member States the possibility to receive a notification from the central registry each time a sender previously registered by that Member State is registered, updated or deactivated as well as when its certificate expires. |