EN
17.12.2009 Official
Journal
of
the
European
Union L
332/17
III
(Acts adopted under the EU Treaty)
ACTS ADOPTED UNDER TITLE VI OF THE EU TREATY
COUNCIL DECISION 2009/968/JHA
of 30 November 2009
adopting the rules on the confidentiality of Europol information
THE COUNCIL OF THE EUROPEAN UNION,
(d) ‘Security Coordinator’ means the Deputy Director to whom
the Director — in pursuance of Article 38(2) of the Europol
Having regard to Council Decision 2009/371/JHA of 6 April
Decision — assigns, alongside his other tasks, the function
2009 establishing the European Police Office (Europol) (
of coordination and control in matters of security;
1 ) (the
Europol Decision) and in particular Article 40 thereof,
(e) ‘Security Officers’ means the Europol staff, appointed by the
Having regard to the draft rules submitted by the Management
Director, responsible for security issues in accordance with
Board,
Article 6;
Having regard to the Opinion of the European Parliament,
(f) ‘Security Manual’ means the manual implementing these
rules, to be established in accordance with Article 7;
Whereas in accordance with the Europol Decision, it is for the
Council, acting by qualified majority after consulting the
European Parliament, to adopt implementing rules on the confi
(g) ‘classification level’ means a security marking assigned to a
dentiality of information which is obtained by, or exchanged
document processed by or through Europol, as referred to
with, Europol (hereinafter the rules),
in Article 10;
HAS DECIDED AS FOLLOWS:
(h) ‘security package’ means a specified combination of security
measures to be applied to information subject to a Europol
CHAPTER I
classification level as referred to in Article 10;
DEFINITIONS AND SCOPE
Article 1
(i) ‘basic protection level’ means the level of protection which
shall be applied to all information processed by or through
Definitions
Europol, except information which is expressly marked or is
For the purposes of these rules,
clearly recognisable as being public information, as referred
to in Article 10(1);
(a) ‘processing of information’ or ‘processing’ means any
operation or set of operations which is performed on
(j) ‘staff’ means temporary staff and contract staff as defined in
personal or non-personal data, whether or not by
Article 39(4) of the Europol Decision;
automatic means, such as collection, recording, organi
sation, storage, adaptation or alteration, retrieval, consult
ation, use, disclosure by transmission, dissemination or
(k) ‘Europol classified information’ means any information and
otherwise making available, alignment or combination,
material in any form, an unauthorised disclosure of which
blocking, erasure or destruction;
could cause varying degrees of prejudice to the essential
interests of Europol or of one or more Member States,
(b) ‘third party’ means an entity referred to in Articles 22(1)
and that requires the application of appropriate security
and 23(1) of the Europol Decision;
measures as defined in Article 7(2)(b).
(c) ‘Security Committee’ means the Committee consisting of
Article 2
representatives of the Member States and Europol, as
described in Article 4;
Scope
1. These
rules
establish
the
security
measures
to
be
applied
( 1 ) OJ L 121, 15.5.2009, p. 37.
to all information which is processed by or through Europol.
L 332/18
EN
Official Journal of the European Union
17.12.2009
2. Communication
channels
between
Europol
and
the Security Coordinator shall monitor the enforcement of
national units of the Member States, referred to in Article 8
security provisions and inform the Director of all breaches of
of the Europol Decision, shall provide a level of protection
security. In serious cases, the Director shall inform the
which is equivalent to the level offered by these measures. A
Management Board. If such breaches risk compromising the
common standard for these communication channels shall be
interests of a Member State, that Member State shall also be
approved by the Security Committee.
informed.
3. The Annex sets out an overview of the Europol classifi
2. The
Security
Coordinator
shall
be
directly
answerable
to
cation levels, as referred to in Article 10, and the equivalent
the Director of Europol.
markings currently applied by the Member States to
information subject to those classification levels. When a
Member State informs the other Member States and Europol
3. The
Security
Coordinator
shall
be
security
cleared
to
the
of any changes in its national provisions on classification
highest level in accordance with the laws and regulations
levels or in the equivalent markings, Europol shall elaborate a
applicable in the Member State of which the Security Coor
revised version of the overview reproduced in the Annex. At
dinator is a national.
least once a year the Security Committee shall ascertain whether
the overview is up to date.
Article 6
Security Officers
CHAPTER II
1. Security Officers shall support the Director in the imple
SECURITY RESPONSIBILITIES
mentation of the security measures laid down in these rules and
Article 3
in the Security Manual. Security Officers shall be directly
answerable to the Security Coordinator. The specific tasks of
Member States' Responsibilities
the Security Officers shall be:
1. Member
States
shall
undertake
to
ensure
that,
within
their
territory, Europol information receive a level of protection
(a) to instruct, assist and advise all persons at Europol — as
which is equivalent to the level of protection offered by the
well as any other person involved in Europol-related
security measures established under these rules.
activities who is under a particular obligation of discretion
or confidentiality — as to their duties under these rules and
under the Security Manual;
2. Member
States
shall
undertake
to
inform
the
Security
Coordinator of all security breaches that may compromise the
interests of Europol or of a Member State. In the latter case, the
(b) to enforce security provisions, investigate breaches thereof
Member State concerned shall also be informed directly through
and report on them immediately to the Security Coor
the national unit.
dinator;
Article 4
(c) to regularly review the adequacy of security measures on the
basis of risk assessments; to that end, they shall report to
Security Committee
the Security Coordinator as a rule at least once a month
1. A
Security
Committee
shall
be
set
up,
consisting
of
repre
and, in exceptional cases, whenever it is deemed necessary
sentatives of the Member States and of Europol, which shall
and shall provide appropriate recommendations and advice;
meet at least twice a year.
(d) to perform the tasks assigned to them under these rules or
under the Security Manual; and
2. The
Security
Committee
shall
have
as
its
task
to
advise
the
Management Board and Director of Europol on issues relating
to security policy, including the application of the Security
(e) to perform any other tasks assigned to them by the Security
Manual.
Coordinator.
3. The
Security
Committee
shall
establish
its
rules
of 2. Security
Officers
shall
be
security
cleared
to
the
appro
procedure. The meetings of the Security Committee shall be
priate level required by their duties and in accordance with
chaired by the Security Coordinator.
the laws and regulations applicable in the Member States of
which they are a national.
Article 5
Article 7
Security Coordinator
Security Manual, procedure and content
1. The
Security
Coordinator
shall
have
general
responsibility
for all issues relating to security, including the security measures
1. The
Security
Manual
shall
be
adopted
by
the
Management
laid down in these rules and in the Security Manual. The
Board after having consulted the Security Committee.
EN
17.12.2009 Official
Journal
of
the
European
Union L
332/19
2. The
Security
Manual
shall
provide
management
direction rules and of the Security Manual in accordance with
and support for security in accordance with business
paragraph 1.
requirements and shall set out Europol’s approach to
managing security. The Security Manual shall contain:
CHAPTER III
(a) detailed rules on the security measures to be applied within
GENERAL PRINCIPLES
Europol in order to provide for the basic protection level
Article 10
referred to in Article 10(1) of these rules, such measures
being based on Articles 35 and 41(2) of the Europol
Basic protection level, classification levels and security
Decision and taking account of Article 40(3) thereof; and
packages
1. All
information
processed
by
or
through
Europol,
with
the exception of information which is expressly marked or is
(b) detailed rules on the security measures associated with the
clearly recognisable as being public information, shall be subject
different Europol classification levels and the corresponding
to a basic protection level within Europol and in Member States.
security packages referred to in Article 10(2) and 10(3); the
Security Manual shall also take account of Article 46 of the
Europol Decision.
2. In
accordance
with
Article
3,
Member
States
shall
ensure
the application of the basic protection level referred to in
paragraph 1, by a variety of measures in accordance with
3. The
Security
Manual
shall
be
reviewed
at
regular
intervals, national legislation and regulations, including the obligation of
or when significant changes occur, in order to ensure its
discretion and confidentiality, limiting access to information to
continuing suitability, adequacy, and effectiveness.
authorised personnel, data protection requirements as far as
personal data are concerned and general technical and
procedural measures to safeguard the security of the
information, taking into account Article 41(2) of the Europol
4. Amendments
to
the
Security
Manual
shall
be
adopted
in Decision.
accordance with the procedure set out in paragraph 1.
3. Information
requiring
additional
security
measures
shall
be
Article 8
subject to a Europol classification level, which shall be indicated
by a specific marking. Information shall be subject to a security
Security accreditation of systems
level only where strictly necessary and only for the time
1. All
Europol
systems
used
to
process
Europol
classified necessary.
information shall be accredited by the Management Board
after having consulted the Security Committee and after
having obtained assurance of the effective implementation of
4. The
following
Europol
classification
levels
shall
be
used:
the required security measures deriving from the system
specific security requirements (SSSR), Information Risk
Register and any other relevant documentation. Subsystems
and remote terminals or workstations shall be accredited as
(a) ‘RESTREINT UE/EU RESTRICTED’: this classification shall be
part of all the systems to which they are connected.
applied to information and material the unauthorised
disclosure of which could be disadvantageous to the
interests of Europol, the EU or one or more Member States;
2. The
SSSR
shall
be
adopted
and
amended
by
the
Management Board after having consulted the Security
(b) ‘CONFIDENTIEL UE/EU CONFIDENTIAL’: this classification
Committee. This SSSR shall comply with the relevant provisions
shall be applied to information and material the un
of the Security Manual.
authorised disclosure of which could harm the essential
interests of Europol, the EU or one or more Member States;
Article 9
Observance
(c) ‘SECRET UE/EU SECRET’: this classification shall be applied
to information and material the unauthorised disclosure of
1. The
security
measures
laid
down
in
these
rules
and
in
the
which could seriously harm the essential interests of
Security Manual shall be observed by all persons at Europol, as
Europol, the EU or one or more Member States;
well as by any other person involved in Europol-related
activities who is under a particular obligation of discretion or
confidentiality.
(d) ‘TRÈS SECRET UE/EU TOP SECRET’: this classification shall
be applied to information and material the unauthorised
disclosure of which could cause exceptionally grave
2. The
Director,
the
liaison
bureaus
and
Europol
national
prejudice to the essential interests of Europol, the EU or
units shall be responsible for ensuring observance of these
one or more Member States.
L 332/20
EN
Official Journal of the European Union
17.12.2009
Such classified information and material shall bear an additional
on an appropriate classification level. Europol shall not
marking (‘EUROPOL’) under the classification marking to
specify, change, add or remove a classification level without
indicate that it originates in Europol.
such agreement.
Each Europol classification level shall relate to a specific security
4. Where
information
generated
by
Europol
is
based
upon,
package, to be applied within Europol. The security packages
or contains, information supplied by a Member State, Europol
shall offer different levels of protection, depending on the
shall determine, in agreement with the Member State concerned,
content of the information, and taking account of the detri
whether the basic protection level is sufficient or whether the
mental effect which unauthorised access, dissemination or use
application of a Europol classification level is required.
of the information might have on the interests of Europol or
the Member States.
5. Where
information
is
generated
by
Europol
itself,
and
such information is not based upon, nor contains, information
When information classified at different levels is gathered, the
supplied by a Member State, Europol shall determine any appro
classification level to be applied shall be at least as high as that
priate classification level for such information, using criteria laid
applicable to the information protected at the highest level. In
down by the Security Committee. Where necessary, Europol
any event, a group of information may be given a higher
shall mark the information accordingly.
protection level than that of each of its parts.
6. Member
States
and
Europol
shall,
where
information
also
The translation of a classified document shall be given the same
concerns the essential interests of another Member State,
classification level, and shall be subject to the same protection,
consult that Member State on whether any classification level
as the original document.
should be applied to that information and, if so, which classifi
cation level should be applied.
5. A
caveat
marking
may
be
used
for
specifying
additional
Article 12
conditions such as distribution of the information is limited to
specific information exchange channels, embargo and a
Changing the classification level
particular distribution on a need-to-know basis. Such caveat
markings shall be defined in the Security Manual.
1. A
Member
State
which
has
supplied
information
to
Europol may, at any time, require that the selected classification
level be changed, including by removing or adding a classifi
cation level. Europol shall be obliged to remove, amend or add
6. The
security
packages
shall
consist
of
various
measures
of a classification level in accordance with the wishes of the
a physical, technical, organisational or administrative nature, as
Member State concerned.
laid down in the Security Manual.
2. The Member State concerned shall, as soon as circum
Article 11
stances allow, request that the classification level in question
Choice of classification level
be downgraded or removed altogether.
1. The
Member
State
supplying
information
to
Europol
shall
be responsible for the choice of any appropriate classification
3. A
Member
State
supplying
information
to
Europol
may
level for such information in accordance with Article 10. Where
specify the time period for which the choice of classification
applicable, when supplying information to Europol, the Member
level will apply, and any possible amendments to the classifi
State shall mark it with a Europol classification level as referred
cation level thereafter.
to in Article 10(4).
4. Where the basic protection level or classification level has
2. In
choosing
a
classification
level,
Member
States
shall
take been determined by Europol in accordance with Article 11(4),
account of the classification of the information under their
Europol shall only change the basic protection or classification
national regulations, the need for the operational flexibility
level in agreement with the Member States concerned.
required for Europol to function adequately and the requirement
that classification of law enforcement information should be the
exception and that, if such information has to be classified, the
5. Where
the
classification
level
has
been
determined
by
lowest possible level should be assigned.
Europol in accordance with Article 11(5), Europol may
change or remove the classification level at any time it is
deemed necessary.
3. If
Europol,
on
the
basis
of
information
already
in
its
possession, comes to the conclusion that the choice of a clas
sification level needs changing (for instance removing or adding
6. Where
information,
the
classification
level
of
which
is
a classification level, or adding a classification level to a
changed in accordance with this Article, has already been
document previously subject to the basic protection level), it
supplied to other Member States, Europol shall inform the
shall inform the Member State concerned and seek to agree
recipients of the change to the classification level.
EN
17.12.2009 Official
Journal
of
the
European
Union L
332/21
Article 13
national competent authorities concerned of the granting
of such temporary authorisation. The granting of this
Processing, access and security clearance
temporary authorisation shall not give access to information
1. Access
to,
and
possession
of,
information
shall
be
classified as ‘SECRET UE/EU SECRET’ and above.
restricted within the Europol organisation to those persons
who, by reason of their duties or obligations, need to be
4. Such
authorisation
shall
not
be
granted
where
a
Member
acquainted with such information or need to handle it.
State, when supplying the information concerned, has specified
Persons entrusted with the processing of information shall
that the discretion afforded to the Security Coordinator under
have obtained an appropriate security clearance and shall
paragraph 3 shall not be exercised in relation to that
further receive special training.
information.
2. All
persons
who
may
have
access
to
information
subject
Article 14
to a classification level processed by Europol shall undergo
security clearance in accordance with Article 40(2) of the
Third parties
Europol Decision and the Security Manual. The Security Co
ordinator shall, on the basis of the result of the security
When concluding confidentiality agreements with third parties,
clearance procedure, subject to the provisions of the Security
or when concluding agreements in accordance with Articles
Manual, grant authorisation to those persons cleared at the
22(4) and 23(7) of the Europol Decision, Europol shall take
appropriate national level, who by reason of their duties or
account of the principles laid down in these rules and in the
obligations, need to be acquainted with information subject to
Security Manual, which should be applied accordingly to
a Europol classification level. The authorisation is subject to
information exchanged with such third parties.
regular review by the Security Coordinator. Authorisation may
be withdrawn immediately by the Security Coordinator on
CHAPTER IV
justifiable grounds. The Security Coordinator shall also be
FINAL PROVISIONS
responsible for ensuring the implementation of paragraph 3.
Article 15
3. No
person
shall
have
access
to
information
subject
to
a
classification level without having been granted security
Review of the rules
clearance at the appropriate level. Exceptionally, however, the
Any proposals for amendments to these rules shall be
Security Coordinator may, after consultation of a Security
considered by the Management Board with a view to their
Officer,
adoption by the Council in accordance with the procedure
provided for in Article 40(1) of the Europol Decision.
(a) give a specific and limited authorisation to persons cleared
at ‘CONFIDENTIEL UE/EU CONFIDENTIAL’ level to have
Article 16
access to specific information classified up to ‘SECRET
UE/EU SECRET’ level, if, by reason of their duties or obli
Entry into force
gations in a specific case, they need to be acquainted with
information subject to a higher Europol classification level;
These rules shall enter into force on 1 January 2010.
or
(b) grant temporary authorisation to access classified
Done at Brussels, 30 November 2009.
information for a period not exceeding six months,
pending the outcome of the security clearance referred to
in paragraph 2, if it is in the interest of Europol, and after
For the Council
giving the national competent authorities notification and
provided there is no reaction from them within three
The President
months; the Security Coordinator shall inform the
B. ASK
L 332/22
EN
Official Journal of the European Union
17.12.2009
ANNEX
TABLE OF EQUIVALENCE OF CLASSIFICATION LEVELS
Equivalence of classification levels
Europol (
RESTREINT UE/EU
1 )
TRÈS SECRET UE/EU
TOP SECRET
SECRET UE/EU SECRET
CONFIDENTIEL UE/EU
CONFIDENTIAL
RESTRICTED
Belgium Très
Secret
Secret
Confidentiel
Diffusion restreinte
Zeer Geheim
Geheim
Vertrouwelijk
Beperkte verspreiding
Bulgaria
СТРОГО СЕКРЕТНО
СЕКРЕТНО
ПОВЕРИТЕЛНО
ЗА СЛУЖЕБНО
ПОЛЗВАНЕ
Czech Republic
Přísně tajné Tajné
Důvěrné Vyhrazené
Denmark Yderst
hemmeligt Hemmeligt Fortroligt Til
tjenestebrug
Germany Streng
geheim Geheim VS
—
Vertraulich VS
—
Nur
für
den
Dienstgebrauch
Estonia Täiesti
Salajane Salajane Konfidentsiaalne Piiratud
Ireland Top
Secret Secret Confidential Confidential
Greece
Άκρως Απόρρητο
Απόρρητο
Εμπιστευτικό
Περιορισμένης Χρήσης
Spain Secreto Reservado Confidencial Difusión
Limitada
France Très
Secret
Défense Secret
Défense Confidentiel
Défense
Italy Segretissimo Segreto Riservatissimo Riservato
Cyprus
Άκρως Απόρρητο
Απόρρητο
Εμπιστευτικό
Περιορισμένης Χρήσης
Latvia Sevišķi slepeni Slepeni Konfidenciāli Dienesta
vajadzībām
Lithuania Visiškai
slaptai Slaptai Konfidencialiai Riboto
naudojimo
Luxembourg Très
secret Secret Confidentiel Diffusion
restreinte
Hungary Szigorúan
titkos! Titkos! Bizalmas! Korlátozott
terjesztésű!
Malta L-Ghola
Segretezza Sigriet Kunfidenzjali Ristrett
Netherlands BE
Zeer
geheim STG
Zeer
geheim STG
Confidentieel Vertrouwelijk
Austria Streng
geheim Geheim Vertraulich Eingeschränkt
Poland
Ściśle Tajne Tajne Poufne Zastrzeżone
Portugal Muito
Secreto Secreto Confidencial Reservado
Romania Strict
secret
de
Strict secret Secret Secret
de
serviciu
importanță deosebită
Slovenia Strogo
tajno Tajno Zaupno Interno
Slovakia Prísne
tajné Tajné Dôverné Vyhradené
Finland Erittäin
salainen Salainen Luottamuksellinen Viranomaiskäyttö
Sweden Kvalificerat
hemlig Hemlig Hemlig Hemlig
United Kingdom Top
Secret Secret Confidential Restricted
( 1 ) The marking ‘Europol’ shall be inserted under the classification marking.