This document is an excerpt from the EUR-Lex website
Document 02017D0046-20170111
Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission
02017D0046 — EN — 11.01.2017 — 000.001
This text is meant purely as a documentation tool and has no legal effect. The Union's institutions do not assume any liability for its contents. The authentic versions of the relevant acts, including their preambles, are those published in the Official Journal of the European Union and available in EUR-Lex. Those official texts are directly accessible through the links embedded in this document
COMMISSION DECISION (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission (OJ L 006 11.1.2017, p. 40)
COMMISSION DECISION (EU, Euratom) 2017/46
of 10 January 2017
on the security of communication and information systems in the European Commission
CHAPTER 1
GENERAL PROVISIONS
Article 1
Subject matter and scope
Article 2
Definitions
For the purposes of this Decision the following definitions shall apply:
‘Accountable’ means to be answerable for actions, decisions and performance.
‘CERT-EU’ is the Computer Emergency Response Team for the EU institutions and agencies. Its mission is to support the European Institutions to protect themselves against intentional and malicious attacks that would hamper the integrity of their IT assets and harm the interests of the EU. The scope of CERT-EU's activities covers prevention, detection, response and recovery.
‘Commission department’ means any Commission Directorate-General or service, or any Cabinet of a Member of the Commission.
‘Commission Security Authority’ refers to the role laid down in Decision (EU, Euratom) 2015/444.
‘Communication and information system’ or ‘CIS’ means any system enabling the handling of information in electronic form, including all assets required for its operation, as well as infrastructure, organisation, personnel and information resources. This definition includes business applications, shared IT services, outsourced systems, and end-user devices.
‘Corporate Management Board’ (CMB) provides the highest level of corporate management oversight for operational and administrative issues in the Commission.
‘Data owner’ means the individual responsible for ensuring the protection and use of a specific data set handled by a CIS.
‘Data set’ means a set of information which serves a specific business process or activity of the Commission.
‘Emergency procedure’ means a predefined set of methods and responsibilities for responding to urgent situations in order to prevent a major impact on the Commission.
‘Information security policy’ means a set of information security objectives, which are or have to be established, implemented and checked. It comprises, but is not limited to, Decisions (EU, Euratom) 2015/444 and (EU, Euratom) 2015/443.
‘Information Security Steering Board’ (ISSB) means the governance body that supports the Corporate Management Board in its IT-security-related tasks.
‘Internal IT service provider’ means a Commission department providing shared IT services.
‘IT security’ or ‘security of CIS’ means the preservation of confidentiality, integrity and availability of CISs and the data sets that they process.
‘IT security guidelines’ consist of recommended but voluntary measures that help support IT security standards or serve as a reference when no applicable standard is in place.
‘IT security incident’ means an event that could adversely affect the confidentiality, integrity or availability of a CIS.
‘IT security measure’ means a technical or organisational measure aimed at mitigating IT security risks.
‘IT security need’ means a precise and unambiguous definition of the levels of confidentiality, integrity and availability associated with a piece of information or an IT system with a view to determining the level of protection required.
‘IT security objective’ means a statement of intent to counter specified threats and/or satisfy specified organisational security requirements or assumptions.
‘IT security plan’ means the documentation of the IT security measures required to meet the IT security needs of a CIS.
‘IT security policy’ means a set of IT security objectives, which are or have to be established, implemented and checked. It comprises this decision and its implementing rules.
‘IT security requirement’ means an IT security need that has been formalised through a predefined process.
‘IT security risk’ means an effect that an IT security threat might induce on a CIS by exploiting a vulnerability. As such, an IT security risk is characterised by two factors: (1) uncertainty, i.e. the likelihood of an IT security threat to cause an unwanted event; and (2) impact, i.e. the consequences that such an unwanted event may have on a CIS.
‘IT security standards’ means specific mandatory IT security measures that help enforce and support the IT security policy.
‘IT security strategy’ means a set of projects and activities which are designed to achieve the objectives of the Commission and which have to be established, implemented and checked.
‘IT security threat’ means a factor that can potentially lead to an unwanted event which may result in harm to a CIS. Such threats may be accidental or deliberate and are characterised by threatening elements, potential targets and attack methods.
‘Local Informatics Security Officer’ or ‘LISO’ means the officer who is responsible for IT security liaison for a Commission department.
‘Personal data’, ‘processing of personal data’, ‘controller’ and ‘personal data filing system’ shall have the same meaning as in Regulation (EC) No 45/2001, and in particular Article 2 thereof.
‘Processing of information’ means all functions of a CIS with respect to data sets, including creation, modification, display, storage, transmission, deletion and archiving of information. Processing of information can be provided by a CIS as a set of functionalities to users and as IT services to other CIS.
‘Professional secrecy’ means the protection of business data information of the kind covered by the obligation of professional secrecy, in particular information about undertakings, their business relations or their cost components as laid down in Article 339 of the TFEU.
‘Responsible’ means having the obligation to act and take decisions to achieve required outcomes.
‘Security in the Commission’ means the security of persons, assets and information in the Commission, and in particular the physical integrity of persons and assets, the integrity, confidentiality and availability of information and communication and information systems, as well as the unobstructed functioning of Commission operations.
‘Shared IT service’ means the service a CIS provides to other CISs in the processing of information.
‘System owner’ is the individual responsible for the overall procurement, development, integration, modification, operation, maintenance, and retirement of a CIS.
‘User’ means any individual who uses functionality provided by a CIS, whether inside or outside the Commission.
Article 3
Principles for IT security in the Commission
Effective IT security shall ensure appropriate levels of:
authenticity: the guarantee that information is genuine and from bona fide sources;
availability: the property of being accessible and usable upon request by an authorised entity;
confidentiality: the property that information is not disclosed to unauthorised individuals, entities or processes;
integrity: the property of safeguarding the accuracy and completeness of assets and information;
non-repudiation: the ability to prove an action or event has taken place, so that this event or action cannot subsequently be denied;
protection of personal data: the provision of appropriate safeguards in regard to personal data in full compliance with Regulation (EC) No 45/2001;
professional secrecy: the protection of information of the kind covered by the obligation of professional secrecy, in particular information about undertakings, their business relations or their cost components as laid down in Article 339 of the TFEU.
CHAPTER 2
ORGANISATION AND RESPONSIBILITIES
Article 4
Corporate Management Board
The Corporate Management Board shall take the overall responsibility for the governance of IT security as a whole within the Commission.
Article 5
Information Security Steering Board (ISSB)
Article 6
The Directorate-General for Human Resources and Security
In relation to IT security, the Directorate-General for Human Resources and Security has the following responsibilities. It shall:
(1) assure alignment between the IT security policy and the Commission's information security policy;
(2) establish a framework for the authorisation of the use of encrypting technologies for the storage and communication of information by CISs;
(3) inform the Directorate-General for Informatics about specific threats which could have a significant impact on the security of CISs and the data sets that they process;
(4) perform IT security inspections to assess the compliance of the Commission's CISs with the security policy, and report the results to the ISSB;
(5) establish a framework for the authorisation of access and the associated appropriate security rules to Commission CISs from external networks and develop the related IT security standards and guidelines in close cooperation with the Directorate-General for Informatics;
(6) propose principles and rules for the outsourcing of CISs in order to maintain appropriate control of security of the information;
(7) develop the related IT security standards and guidelines set out in points (1) to (6), in close cooperation with the Directorate-General for Informatics.
The processes related to the responsibilities and activities set out in points (1) to (7) shall be detailed further in implementing rules in accordance with Article 13.
Article 7
The Directorate-General for Informatics
In relation to the overall IT security of the Commission, the Directorate-General for Informatics has the following responsibilities. It shall:
(1) develop IT security standards and guidelines, except as provided in Article 6, in close cooperation with the Directorate-General for Human Resources and Security, in order to assure consistency between the IT security policy and the Commission's information security policy, and propose them to the ISSB;
(2) assess the IT security risk management methods, processes and outcomes of all Commission departments and report on this regularly to the ISSB;
(3) propose a rolling IT security strategy for revision and approval by the ISSB and further adoption by the Corporate Management Board, and propose a programme, including the planning of projects and activities implementing the IT security strategy;
(4) monitor the execution of the Commission's IT security strategy and report on this regularly to the ISSB;
(5) monitor the IT security risks and IT security measures implemented in CISs and report on this regularly to the ISSB;
(6) report regularly on the overall implementation and compliance with this decision to the ISSB;
(7) after consulting with the Directorate-General for Human Resources and Security, request system owners to take specific IT security measures in order to mitigate IT security risks to Commission's CISs;
(8) ensure that there is an adequate catalogue of the Directorate-General for Informatics IT security services available for the system owners and data owners to fulfil their responsibilities for IT security and to comply with the IT security policy and standards;
(9) provide adequate documentation to system and data owners and consult with them, as appropriate, on the IT security measures implemented for their IT services in order to facilitate compliance with the IT security policy and support the system owners in IT risk management;
(10) organise regular meetings of the LISOs network and support LISOs in carrying out their duties;
(11) define the training needs and coordinate training programmes on IT security in cooperation with the Commission departments, and develop, implement and coordinate awareness-raising campaigns on IT security in close cooperation with the Directorate-General for Human Resources;
(12) ensure that system owners, data owners and other roles with IT security responsibilities in Commission departments are made aware of the IT security policy;
(13) inform the Directorate-General for Human Resources and Security on specific IT security threats, incidents and exceptions to the Commission's IT security policy notified by the system owners which could have a significant impact on security in the Commission;
(14) in respect of its role as an internal IT service provider, deliver to the Commission a catalogue of shared IT services that provide defined levels of security. This shall be done by systematically assessing, managing and monitoring IT security risks to implement the security measures in order to reach the defined security level.
The processes related to the responsibilities and activities set out in points (1) to (14) shall be detailed further in implementing rules in accordance with Article 13.
Article 8
Commission departments
In relation to IT security in their department, each Head of Commission department shall:
(1) formally appoint a system owner, who is an official or a temporary agent, for each CIS who will be responsible for IT security of that CIS and formally appoint a data owner for each data set handled in a CIS who should belong to the same administrative entity which is the Data Controller for data sets subject to Regulation (EC) No 45/2001;
(2) formally designate a Local Informatics Security Officer (LISO) who can perform the responsibilities independently from system owners and data owners. A LISO can be designated for one or more Commission departments;
(3) ensure that appropriate IT security risk assessments and IT security plans have been made and implemented;
(4) ensure that a summary of IT security risks and measures is reported on a regular basis to the Directorate-General for Informatics;
(5) ensure, with the support of the Directorate-General for Informatics, that appropriate processes, procedures and solutions are in place to ensure efficient detection, reporting and resolution of IT security incidents relating to their CISs;
(6) launch an emergency procedure in case of IT security emergencies;
(7) hold ultimate accountability for IT security including the responsibilities of the system owner and data owner;
(8) own the risks relating to their CISs and data sets;
(9) resolve any disagreements between data owners and system owners and in case of continued disagreement bring the issue before the ISSB for resolution;
(10) ensure that IT security plans and IT security measures are implemented and the risks are adequately covered.
The processes related to the responsibilities and activities set out in points (1) to (10) shall be detailed further in implementing rules in accordance with Article 13.
Article 9
System owners
In relation to IT security, the system owner shall:
ensure the compliance of the CIS with the IT security policy;
ensure that the CIS is accurately recorded in the relevant inventory;
assess IT security risks and determine the IT security needs for each CIS, in collaboration with the data owners and in consultation with the Directorate-General for Informatics;
prepare a security plan, including, where appropriate, details of the assessed risks and any additional security measures required;
implement appropriate IT security measures, proportionate to the IT security risks identified and follow recommendations endorsed by the ISSB;
identify any dependencies on other CISs or shared IT services and implement security measures as appropriate based on the security levels proposed by those CISs or shared IT services;
manage and monitor IT security risks;
report regularly to the head of the Commission department on the IT security risk profile of their CIS and report to the Directorate-General for Informatics on the related risks, risk management activities and security measures taken;
consult the LISO of the relevant Commission department(s) on aspects of IT Security;
issue instructions for users on the use of the CIS and associated data as well as on the responsibilities of users related to CIS;
request authorisation from the Directorate-General for Human Resources and Security, acting as the Crypto Authority, for any CIS that uses encrypting technology;
consult the Commission Security Authority in advance concerning any system processing EU classified information;
ensure that back-ups of any decryption keys are stored in an escrow account. The recovery of encrypted data shall be carried out only when authorised in accordance with the framework defined by the Directorate-General for Human Resources and Security;
respect any instructions from the relevant Data Controller(s) concerning the protection of personal data and the application of data protection rules on security of the processing;
notify the Directorate-General for Informatics of any exceptions to the Commission's IT security policy including relevant justifications;
report any unresolvable disagreements between the data owner and the system owner to the head of the Commission department;
communicate IT security incidents to the relevant stakeholders in a timely manner as appropriate according to their severity as laid down in Article 15;
for outsourced systems, ensure that appropriate IT security provisions are included in the outsourcing contracts and that IT security incidents occurring in the outsourced CIS are reported in accordance with Article 15;
for CIS providing shared IT services, ensure that a defined security level is provided, clearly documented and security measures are implemented for that CIS in order to reach the defined security level.
Article 10
Data owners
In relation to this data set, the data owner shall:
ensure that all data sets under his or her responsibility are appropriately classified in accordance with Decision (EU, Euratom) 2015/443 and (EU, Euratom) 2015/444;
define the information security needs and inform the relevant system owners of these needs;
participate in the CIS risk assessment;
report any unresolvable disagreements between the data owner and the system owner to the head of the Commission department;
communicate IT security incidents as provided for in Article 15.
Article 11
Local Informatics Security Officers (LISOs)
In relation to IT security, the LISO shall:
proactively identify and inform system owners, data owners and other roles with IT security responsibilities in Commission department(s) about the IT security policy;
liaise on IT-security-related issues in Commission department(s) with the Directorate-General for Informatics as part of the LISO network;
attend the regular LISO meetings;
maintain an overview of the information security risk management process and of the development and implementation of information system security plans;
advise data owners, system owners and heads of Commission departments on IT-security-related issues;
cooperate with the Directorate-General for Informatics in disseminating good IT security practices and propose specific awareness-raising and training programmes;
report on IT security, identify shortfalls and improvements to the Head of the Commission department(s).
Article 12
Users
In relation to IT security, users shall:
comply with the IT security policy and the instructions issued by the system owner on the use of each CIS;
communicate IT security incidents as provided for in Article 15.
CHAPTER 3
SECURITY REQUIREMENTS AND OBLIGATIONS
Article 13
Implementation of this Decision
Article 14
Obligation to comply
Article 15
IT security incident handling
The Directorate-General for Human Resources and Security, as a contributing stakeholder to the IT security incident response, shall:
have the right to access summary information for all incident records and full records upon request;
participate in IT security incidents crisis management groups and IT security emergency procedures;
be in charge of relations with law enforcement and intelligence services;
perform forensic analysis regarding cyber-security in accordance with Article 11 of Decision (EU, Euratom) 2015/443;
decide on the need to launch a formal inquiry;
inform the Directorate-General for Informatics of any IT security incidents that may present a risk to other CISs.
System owners involved in an IT security incident shall:
immediately notify their Head of Commission department, the Directorate-General for Informatics, the Directorate-General for Human Resources, the LISO and, where appropriate, the data owner of any major IT security incidents, in particular those involving a breach of data confidentiality;
cooperate and follow the instructions of the relevant Commission authorities on incident communication, response and remediation.
CHAPTER 4
FINAL PROVISIONS
Article 16
Transparency
This Decision shall be brought to the attention of Commission staff and to all individuals to whom it applies, and published in the Official Journal of the European Union.
Article 17
Relation to other acts
The provisions of this decision are without prejudice to Decision (EU, Euratom) 2015/443, Decision (EU, Euratom) 2015/444, Regulation (EC) No 45/2001, Regulation (EC) No 1049/2001 of the European Parliament and of the Council (4), Commission Decision 2002/47/EC, ECSC, Euratom (5), Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council (6), Decision 1999/352/EC, ECSC, Euratom.
Article 18
Repeal and transitional measures
Decision C(2006) 3602 of 16 August 2006 is repealed.
The implementing rules and IT security standards adopted pursuant to Article 10 of Decision C(2006) 3602 shall remain in effect insofar as they do not conflict with this decision, until they are replaced by the implementing rules and standards to be adopted under Article 13 of this decision. Any reference to Article 10 of Decision C(2006) 3602 shall be read as a reference to Article 13 of this decision.
Article 19
Entry into force
This decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
(1) Laid down by Council Regulation (EEC, Euratom, ECSC) No 259/68 of 29 February 1968 laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission (Conditions of Employment of Other Servants) (OJ L 56, 4.3.1968, p. 1).
(2) Commission Decision of 12 November 2008 laying down rules on the secondment to the Commission of national experts and national experts in professional training (C(2008) 6866 final).
(3) Commission Decision 1999/352/EC, ECSC, Euratom of 28 April 1999 establishing the European Anti-fraud Office (OLAF) (OJ L 136, 31.5.1999, p. 20).
(4) Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).
(5) Commission Decision 2002/47/EC, ECSC, Euratom of 23 January 2002 amending its Rules of Procedure (OJ L 21, 24.1.2002, p. 23).
(6) Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) and repealing Regulation (EC) No 1073/1999 of the European Parliament and of the Council and Council Regulation (Euratom) No 1074/1999 (OJ L 248, 18.9.2013, p. 1).