Information assurance matters are dealt with by a sub-group of the Council's Security Committee.
The Council decision on the security rules for protecting EU classified information (EUCI) stipulates that communication and information systems need to handle EUCI in accordance with the concept of information assurance.
Information assurance in the field of communication and information systems is defined as the confidence that such systems will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users. Effective information assurance must ensure appropriate levels of confidentiality, integrity, availability, non-repudiation and authenticity.
EU classified information is categorised into 4 levels which are defined by the severity of the impact of disclosure:
- TRÈS SECRET UE/EU TOP SECRET: unauthorised disclosure could cause exceptionally grave prejudice to essential EU or member state interests
- SECRET UE/EU SECRET: unauthorised disclosure could seriously harm essential EU or member state interests
- CONFIDENTIEL UE/EU CONFIDENTIAL: unauthorised disclosure could harm essential EU or member state interests
- RESTREINT UE/EU RESTRICTED: unauthorised disclosure could be disadvantageous to EU or member state interests
Where the protection of EUCI in communication and information systems is provided by cryptographic products, these products need to be approved as follows:
a) cryptographic products protecting the confidentiality of information classified SECRET UE/EU SECRET and above must be approved by the Council upon recommendation by the Security Committee
b) cryptographic products protecting the confidentiality of information classified CONFIDENTIEL UE/EU CONFIDENTIAL or RESTREINT UE/EU RESTRICTED must be approved by the Secretary-General of the Council upon recommendation by the Security Committee
TEMPEST security measures
In the case of information classified CONFIDENTIEL UE/EU CONFIDENTIAL and above, security measures also need to be applied against the compromise of such information through unintentional electromagnetic emanations. These security measures are known as TEMPEST security measures.
The Council of the European Union, through its General Secretariat, has decided to establish a list of EU accredited TEMPEST companies. The list is intended to respond to fast-changing technology and to shift the traditionally product-oriented approach towards a more company-oriented one. To support implementation of this point, the Council Security Committee agreed on a series of guidelines for the accreditation of EU TEMPEST companies.
After a TEMPEST company has received the status of "accredited TEMPEST company" from a national TEMPEST authority (NTA), it can be given the authority to exercise a degree of self-certification. This authority allows the company to approve equipment as compliant with the applicable TEMPEST requirements. The degree of self-certification depends on the NTA's assessment of the company and can vary.
For a TEMPEST company to be included in the EU list of accredited TEMPEST companies, the NTA has to send the information to the GSC TEMPEST authority (GSC TA). The GSC TA reserves the right to withhold publication of an accredited TEMPEST company if additional information is required.