COMMISSION DECISION (EU, Euratom) 2019/1963
of 17 October 2019
laying down implementing rules on industrial security with regard to classified procurement contracts
CHAPTER 1
GENERAL PROVISIONS
Article 1
Subject matter and scope
Article 2
Responsibility within the Commission
CHAPTER 2
HANDLING OF CALLS FOR TENDER FOR CLASSIFIED CONTRACTS
Article 3
Basic principles
Article 4
Subcontracting in classified contracts
CHAPTER 3
LETTING COMMISSION CLASSIFIED CONTRACTS
Article 5
Basic principles
Article 6
Access to EUCI by personnel of contractors and subcontractors
CHAPTER 4
VISITS IN CONNECTION WITH CLASSIFIED CONTRACTS
Article 7
Basic principles
Article 8
Requests for visits
Article 9
Visit procedures
Article 10
Visits arranged directly
CHAPTER 5
TRANSMISSION AND CARRIAGE OF EUCI IN PERFORMANCE OF CLASSIFIED CONTRACTS
Article 11
Basic principles
Article 12
Electronic handling
Article 13
Transport by commercial couriers
Article 14
Hand carriage
CHAPTER 6
BUSINESS CONTINUITY PLANNING
Article 15
Contingency plans and recovery measures
Article 16
Entry into force
ANNEX I
STANDARD INFORMATION IN PROCUREMENT CONTRACT NOTICES
(to be adapted to the contract notices used)
For contracts involving information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET
The performance of the contract is subject to particular conditions |
[Bild bitte in Originalquelle ansehen] yes |
[Bild bitte in Originalquelle ansehen] no |
For contracts involving information classified RESTREINT UE/EU RESTRICTED
The performance of the contract is subject to particular conditions |
[Bild bitte in Originalquelle ansehen] yes |
[Bild bitte in Originalquelle ansehen] no |
ANNEX II
STANDARD PROCUREMENT CONTRACT CLAUSES
(to be adapted to the contracts used)
ARTICLE XX
SECURITY-RELATED OBLIGATIONS
XX.1 EU classified information
ANNEX III
[Annex IV (to the Framework Contract)]
SECURITY ASPECTS LETTER (SAL)
[Model]
Appendix A
SECURITY REQUIREMENTS
GENERAL CONDITIONS
[
N.B.: applicable to all classified contracts
]
CONTRACTS REQUIRING ACCESS TO INFORMATION CLASSIFIED RESTREINT UE/EU RESTRICTED
HANDLING OF INFORMATION CLASSIFIED RESTREINT UE/EU RESTRICTED IN COMMUNICATION AND INFORMATION SYSTEMS (CIS)
CONDITIONS UNDER WHICH THE CONTRACTOR MAY SUBCONTRACT
VISITS
ASSESSMENT VISITS
SECURITY CLASSIFICATION GUIDE
Appendix B
SECURITY CLASSIFICATION GUIDE
[specific text to be adjusted depending on the subject of the contract]
Appendix C
REQUEST FOR VISIT
(MODEL)
Detailed instructions for completion of request for visit
(The application must be submitted in English only)
HEADING |
Check boxes for visit type, information type, and indicate how many sites are to be visited and the number of visitors. |
||||||
|
To be completed by requesting NSA/DSA. |
||||||
|
Give full name and postal address. Include city, state and post code as applicable. |
||||||
|
Give full name and postal address. Include city, state, post code, telex or fax number (if applicable), telephone number and email. Give the name and telephone/fax numbers and email of your main point of contact or the person with whom you have made the appointment for the visit. Remarks:
|
||||||
|
Give the actual date or period (date-to-date) of the visit in the format ‘day — month — year’. Where applicable, give an alternate date or period in brackets. |
||||||
|
Specify whether the visit has been initiated by the requesting organisation or facility or by invitation of the facility to be visited. |
||||||
|
Specify the full name of the project, contract or call for tender using commonly used abbreviations only. |
||||||
|
Give a brief description of the reason(s) for the visit. Do not use unexplained abbreviations. Remarks: In the case of recurring visits this item should state ‘Recurring visits’ as the first words in the data element (e.g. Recurring visits to discuss_____) |
||||||
|
State SECRET UE/EU SECRET (S-UE/EU-S) or CONFIDENTIEL UE/EU CONFIDENTIAL (C-UE/EU-C), as appropriate. |
||||||
|
Remark: when more than two visitors are involved in the visit, Annex 2 should be used. |
||||||
|
This item requires the name, telephone number, fax number and email of the requesting facility’s Security Officer. |
||||||
|
This field is to be completed by the certifying authority. Notes for the certifying authority:
|
||||||
|
This field is to be completed by the NSA/DSA. Note for the NSA/DSA:
|
REQUEST FOR VISIT (MODEL) To: _______________________________________ |
||||||||
|
|
|
||||||
☐ Single ☐ Recurring ☐ Emergency ☐ Amendment
For an amendment, insert the NSA/DSA original RFV Reference No_____________ |
☐ C-UE/EU-C ☐ S-UE/EU-S |
No of sites: _______ No of visitors: _____ |
||||||
|
||||||||
Requester: To: |
NSA/DSA RFV Reference No________________ Date (dd/mm/yyyy): _____/_____/_____ |
|||||||
|
||||||||
NAME: POSTAL ADDRESS: E-MAIL ADDRESS: FAX NO: |
TELEPHONE NO: |
|||||||
|
||||||||
|
||||||||
☐ Initiated by requesting organisation or facility ☐ By invitation of the facility to be visited |
||||||||
|
||||||||
|
||||||||
|
||||||||
|
||||||||
NAME: TELEPHONE NO: E-MAIL ADDRESS: SIGNATURE: |
||||||||
|
||||||||
NAME: ADDRESS: TELEPHONE NO: E-MAIL ADDRESS: |
[Bild bitte in Originalquelle ansehen] |
|||||||
SIGNATURE: |
DATE (dd/mm/yyyy): _____/_____/_____ |
|||||||
|
||||||||
NAME: ADDRESS: TELEPHONE NO: E-MAIL ADDRESS: |
[Bild bitte in Originalquelle ansehen] |
|||||||
SIGNATURE: |
DATE (dd/mm/yyyy): _____/_____/_____ |
|||||||
|
ANNEX 1 to RFV FORM
ORGANISATION(S) OR INDUSTRIAL FACILITY(IES) TO BE VISITED |
1. NAME: ADDRESS: TELEPHONE NO: FAX NO: NAME OF POINT OF CONTACT: E-MAIL: TELEPHONE NO: NAME OF SECURITY OFFICER OR SECONDARY POINT OF CONTACT: E-MAIL: TELEPHONE NO: |
2. NAME: ADDRESS: TELEPHONE NO: FAX NO: NAME OF POINT OF CONTACT: E-MAIL: TELEPHONE NO: NAME OF SECURITY OFFICER OR SECONDARY POINT OF CONTACT: E-MAIL: TELEPHONE NO: (Continue as required) |
ANNEX 2 to RFV FORM
PARTICULARS OF VISITOR(S) |
1. SURNAME: FIRST NAMES (as per passport): DATE OF BIRTH (dd/mm/yyyy): ____/____/____ PLACE OF BIRTH: NATIONALITY: SECURITY CLEARANCE LEVEL: PP/ID NUMBER: POSITION: COMPANY/ORGANISATION: |
2. SURNAME: FIRST NAMES (as per passport): DATE OF BIRTH (dd/mm/yyyy): ____/____/____ PLACE OF BIRTH: NATIONALITY: SECURITY CLEARANCE LEVEL: PP/ID NUMBER: POSITION: COMPANY/ORGANISATION: (Continue as required) |
Appendix D
FACILITY SECURITY CLEARANCE INFORMATION SHEET (FSCIS)
(MODEL)
1.
Introduction
Procedures and Instructions for the use of the Facility Security Clearance Information Sheet (FSCIS)
HEADER |
The requester inserts full NSA/DSA and country name. |
||||||||
|
The requesting contracting authority selects the appropriate checkbox for the type of FSCIS request. Include the level of security clearance requested. The following abbreviations should be used: SECRET UE/EU SECRET = S-UE/EU-S CONFIDENTIEL UE/EU CONFIDENTIAL = C-UE/EU-C CIS = Communication and information systems for processing classified information |
||||||||
|
Fields 1 to 6 are self-evident. In field 4 the standard two-letter country code should be used. Field 5 is optional. |
||||||||
|
Give the specific reason for the request, provide project indicators, number of contract or invitation to tender. Please specify the need for storage capability, CIS classification level, etc. Any deadline/expiry/award dates which may have a bearing on the completion of an FSC should be included. |
||||||||
|
State the name of the actual requester (on behalf of the NSA/DSA) and the date of the request in number format (dd/mm/yyyy). |
||||||||
|
Fields 1-5: select appropriate fields. Field 2: if an FSC is in progress, it is recommended to give the requester an indication of the required processing time (if known). Field 6:
|
||||||||
|
May be used for additional information with regard to the FSC, the facility or the foregoing items. |
||||||||
|
State the name of the providing authority (on behalf of the NSA/DSA) and the date of the reply in number format (dd/mm/yyyy). |
FACILITY SECURITY CLEARANCE INFORMATION SHEET (FSCIS)
(MODEL)
REQUEST FOR A FACILITY SECURITY CLEARANCE ASSURANCE To: ____________________________________ (NSA/DSA Country name) |
|||||||||||||||
Please complete the reply boxes, where applicable: [ ] Provide an FSC assurance at the level of: [ ] S-UE/EU-S [ ] C-UE/EU-C for the facility listed below
[ ] Initiate, directly or upon a corresponding request of a contractor or subcontractor, the process of obtaining an FSC up to and including the level of … with … level of safeguarding and … level of CIS, if the facility does not currently hold these levels of capabilities. Confirm accuracy of the details of the facility listed below and provide corrections/additions as required. |
|||||||||||||||
|
Corrections/Additions: |
||||||||||||||
… |
… |
||||||||||||||
|
|||||||||||||||
… |
… |
||||||||||||||
|
|||||||||||||||
… |
… |
||||||||||||||
|
|||||||||||||||
… |
… |
||||||||||||||
|
|||||||||||||||
… |
… |
||||||||||||||
|
|||||||||||||||
… |
… |
||||||||||||||
|
|||||||||||||||
… |
|||||||||||||||
Requesting NSA/DSA/Commission contracting authority: Name: … Date: (dd/mm/yyyy) … |
|||||||||||||||
REPLY (within ten working days) |
|||||||||||||||
This is to certify that:
|
Appendix E
Minimum requirements for protection of EUCI in electronic form at RESTREINT UE/EU RESTRICTED level handled in the contractor’s CIS
General
Physical security
Access to CIS
Accounting, audit and incident response
Networking and interconnection
Configuration management
Sanitisation and destruction
ANNEX IV
Facility and personnel security clearance for contractors involving RESTREINT UE/EU RESTRICTED information and NSAs/DSAs requiring notification of classified contracts at RESTREINT UE/EU RESTRICTED level (1)
Member State |
FSC |
Notification of contract or subcontract involving R-UE/EU-R information to NSA/DSA |
PSC |
|||
YES |
NO |
YES |
NO |
YES |
NO |
|
Belgium |
|
X |
|
X |
|
X |
Bulgaria |
|
X |
|
X |
|
X |
Czechia |
|
X |
|
X |
|
X |
Denmark |
X |
|
X |
|
X |
|
Germany |
|
X |
|
X |
|
X |
Estonia |
X |
|
X |
|
|
X |
Ireland |
|
X |
|
X |
|
X |
Greece |
X |
|
|
X |
X |
|
Spain |
|
X |
X |
|
|
X |
France |
|
X |
|
X |
|
X |
Croatia |
|
X |
X |
|
|
X |
Italy |
|
X |
X |
|
|
X |
Cyprus |
|
X |
X |
|
|
X |
Latvia |
|
X |
|
X |
|
X |
Lithuania |
X |
|
X |
|
|
X |
Luxembourg |
X |
|
X |
|
X |
|
Hungary |
|
X |
|
X |
|
X |
Malta |
|
X |
|
X |
|
X |
Netherlands |
X (for defence-related contracts only) |
|
X (for defence-related contracts only) |
|
|
X |
Austria |
|
X |
|
X |
|
X |
Poland |
|
X |
|
X |
|
X |
Portugal |
|
X |
|
X |
|
X |
Romania |
|
X |
|
X |
|
X |
Slovenia |
X |
|
X |
|
|
X |
Slovakia |
X |
|
X |
|
|
X |
Finland |
|
X |
|
X |
|
X |
Sweden |
X (for defence-related contracts only) |
|
X (for defence-related contracts only) |
|
X (for defence-related contracts only) |
|
United Kingdom |
|
X |
|
X |
|
X |