Considerations on COM(2013)40 - Amendment of Regulation (EU) No 912/2010 setting up the European GNSS Agency

(1)It follows from the combined provisions of Article 14 of Regulation (EU) No 1285/2013 of the European Parliament and of the Council (3) and Article 2 of Regulation (EU) No 912/2010 of the European Parliament and of the Council (4) that the European GNSS Agency (the ‘Agency’) is to ensure the security accreditation of the European satellite navigation systems (the ‘systems’) and, to that end, initiate and monitor the implementation of security procedures and the performance of security audits.

(2)The systems are defined in Article 2 of Regulation (EU) No 1285/2013. They are complex systems and their establishment and operation involve numerous stakeholders with different roles. In this context, it is crucial that EU classified information be handled and protected by all the stakeholders involved in the implementation of the Galileo and EGNOS programmes (the ‘programmes’) in accordance with the basic principles and minimum standards set out in the Commission’s and the Council’s security rules on the protection of EU classified information and that Article 17 of Regulation (EU) No 1285/2013, which guarantees an equivalent level of protection for EU classified information, apply, where appropriate, to all stakeholders involved in implementing the programmes.

(3)The stakeholders participating in and affected by the security accreditation process are Member States, the Commission, relevant Union Agencies and the European Space Agency (ESA) and the parties involved in Council Joint Action 2004/552/CFSP (5).

(4)Considering the specificity and complexity of the systems, the different bodies involved in their implementation and the variety of potential users, security accreditation should be facilitated by appropriate consultation of all relevant parties, such as national authorities of Member States and of third countries operating networks connected to the system established under the Galileo programme for the provision of the Public Regulated Service (PRS), other relevant authorities of Member States, ESA or, if provided for in an international agreement, third countries hosting the ground stations of the systems.

(5)In order to enable the appropriate performance of tasks relating to security accreditation, it is crucial that the Commission provide all the information necessary to perform these tasks. It is also important for security accreditation activities to be coordinated with the work of the bodies responsible for managing the programmes in accordance with Regulation (EU) No 1285/2013 and other entities responsible for implementing security provisions.

(6)The risk assessment and management approach to be applied should follow best practices. It should include applying security measures in accordance with the concept of defence-in-depth. It should take into consideration the likelihood of the occurrence of a risk or feared event. It should also be proportionate, appropriate and cost-effective, taking into account the cost of implementing measures to mitigate risk compared to the subsequent security benefit. Defence-in-depth aims to enhance the security of the systems by implementing technical and non-technical security measures organised as multiple layers of defence.

(7)The development, including the relevant associated research activities, and the manufacture of PRS receivers and PRS security modules, constitute particularly sensitive activities. It is therefore essential that procedures be established to authorise the manufacturers of PRS receivers and PRS security modules.

(8)Moreover, given the potentially high number of networks and equipment connected to the system established under the Galileo programme, in particular for the use of PRS, principles for the security accreditation of those networks and equipment should be defined in the security accreditation strategy, in order to ensure the homogeneity of the accreditation without encroaching on the competence of national entities of the Member States competent in security matters. The application of those principles would allow for consistent risk management and reduce the need to escalate all mitigation actions at system level, which would have a negative impact on cost, schedule, performance and service provision.

(9)Products and measures which protect against electromagnetic emanations (i.e. against electronic eavesdropping) and cryptographic products used to provide security for the systems should be evaluated and approved by the national entities competent in security matters of the country where the company manufacturing such products is established. In relation to cryptographic products, that evaluation and approval should be complemented in accordance with the principles set out in points 26 to 30 of Annex IV to Council Decision 2013/488/EU (6). The authority responsible for the security accreditation of the systems should endorse the selection of those approved products and measures taking into account the overall security requirements of the systems.

(10)Regulation (EU) No 912/2010, and in particular Chapter III thereof, expressly lays down the terms under which the Agency must perform its task concerning security accreditation of the systems. In particular, it stipulates, as a principle, that security accreditation decisions must be taken independently of the Commission and the bodies responsible for implementing the programmes and that the systems’ security accreditation authority should be an independent body within the Agency, that makes decisions independently.

(11)In accordance with that principle, Regulation (EU) No 912/2010 establishes the Security Accreditation Board for European GNSS systems (the ‘Security Accreditation Board’) which, alongside the Administrative Board and the Executive Director, is one of the three bodies of the Agency. The Security Accreditation Board performs the tasks entrusted to the Agency concerning security accreditation and is authorised to make security accreditation decisions on behalf of the Agency. It should adopt its rules of procedure and appoint its chairperson.

(12)Given that the Commission, in accordance with Regulation (EU) No 1285/2013, is to ensure the security of the programmes, including the security of the systems and their operation, the activities of the Security Accreditation Board should be limited to the security accreditation activities of the systems and should be without prejudice to the tasks and responsibilities of the Commission. This should apply in particular in relation to the tasks and responsibilities of the Commission under Article 13 of Regulation (EU) No 1285/2013 and Article 8 of Decision No 1104/2011/EU of the European Parliament and of the Council (7), including the adoption of any document relating to security by means of a delegated act, an implementing act or otherwise in accordance with those Articles. Without prejudice to those tasks and responsibilities of the Commission, in the light of its particular expertise, the Security Accreditation Board should however, within its field of competence, be entitled to advise the Commission on the drawing-up of the draft texts for the acts referred to in those Articles.

(13)It should also be ensured that activities relating to security accreditation are carried out without prejudice to the national competences and prerogatives of Member States as regards security accreditation.

(14)In relation to security, the terms ‘audits’ and ‘tests’ may include security assessments, inspections, reviews, audits and tests.

(15)In order for it to carry out its activities efficiently and effectively, the Security Accreditation Board should be able to set up appropriate subordinate bodies acting on its instructions. It should in particular set up a panel that will assist in preparing its decisions.

(16)A group of experts of the Member States should be set up under the supervision of the Security Accreditation Board to perform the tasks of the Crypto Distribution Authority (CDA) relating to the management of EU cryptographic material. That group should be established on a temporary basis to ensure the continuity of the management of communications security items during the deployment phase of the Galileo programme. A sustainable solution for performing such operational tasks should be applied in the longer term when the system established under the Galileo programme is fully operational.

(17)Regulation (EU) No 1285/2013 defines the public governance arrangements for the programmes during the years 2014-2020. It confers overall responsibility for the programmes on the Commission. In addition, it extends the tasks entrusted to the Agency and provides, in particular, for the Agency to play a major role in the exploitation of the systems and in maximising their socioeconomic benefits.

(18)In this new context, it is essential to ensure that the Security Accreditation Board be able to perform the tasks entrusted to it with complete independence, in particular vis-à-vis the other bodies and activities of the Agency and to avoid any conflicts of interest. It is therefore essential to further separate, within the Agency itself, the activities associated with security accreditation from its other activities, such as management of the Galileo Security Monitoring Centre, contribution to the commercialisation of the systems and any activities that the Commission might entrust to the Agency by way of delegation, in particular those associated with exploitation of the systems. To that end, the Security Accreditation Board and the Agency staff under its control should carry out their work in a manner ensuring their autonomy and independence with regard to the Agency’s other activities. A tangible and effective structural division should be set up within the Agency between its various activities by 1 January 2014. The Agency’s internal rules on staff should also ensure the autonomy and independence of the staff performing the security accreditation activities vis-à-vis staff carrying out other Agency activities.

(19)Regulation (EU) No 912/2010 should therefore be amended in order to increase the independence and powers of the Security Accreditation Board and its chairperson and broadly to align that independence and those powers to the independence and powers of the Administrative Board and of the Executive Director of the Agency respectively, while providing for a cooperation requirement between the various bodies of the Agency.

(20)When appointing members of the Boards and electing their Chairpersons and Deputy Chairpersons, the importance of balanced gender representation should be taken into account, where appropriate. Furthermore, relevant managerial, administrative and budgetary skills should also be taken into account.

(21)The Security Accreditation Board, rather than the Administrative Board, should prepare and approve that part of the Agency’s work programmes describing the operational activities associated with the security accreditation of the systems, as well as that part of the annual report concerning the activities and prospects of the Agency with regard to the systems’ security accreditation activities. It should submit them in good time to the Administrative Board so that they can be incorporated in the Agency’s work programme and annual report. It should also exercise disciplinary authority over its Chairperson.

(22)It is desirable to assign a role in relation to security accreditation activities to the Chairperson of the Security Accreditation Board comparable to that of the Executive Director in other Agency activities. Therefore, in addition to the function of representing the Agency, already provided for under Regulation (EU) No 912/2010, the Chairperson of the Security Accreditation Board should manage the security accreditation activities under the direction of the Security Accreditation Board and ensure the implementation of that part of the Agency’s work programmes associated with accreditation. At the request of the European Parliament or the Council, the Chairperson of the Security Accreditation Board should also submit a report on the performance of the tasks of the Security Accreditation Board and make a declaration before them.

(23)Appropriate procedures should be established for the eventuality that the Administrative Board does not approve the Agency’s work programmes, in order to ensure that the security accreditation process is not affected and can be carried out without discontinuity.

(24)Given the involvement of a number of third countries and the potential involvement of international organisations in the programmes, including in security matters, express provision should be made for representatives of international organisations and of third countries, in particular Switzerland, with which a cooperation agreement should be concluded (8), to be able to participate, on an exceptional basis and under certain conditions, in the work of the Security Accreditation Board. Such conditions should be specified in an international agreement in accordance with Article 218 of the Treaty on the Functioning of the European Union (TFEU) to be concluded with the Union, taking into account security matters and, in particular, the protection of EU classified information. The Cooperation Agreement on Satellite Navigation between the European Union and its Member States and the Kingdom of Norway (9), as well as Protocols 31 and 37 to the EEA Agreement, already provide a framework for the participation of Norway. Considering its particular expertise, it should be possible to consult the Security Accreditation Board, within its field of competence, before or during the negotiation of such international agreements.

(25)Regulation (EU) No 912/2010 should be aligned with the principles contained in the common approach of the European Parliament, the Council and of the Commission to the decentralised agencies, adopted by the three institutions on 5 July, 26 June and 12 June 2012 respectively, particularly with regard to the rules for adopting decisions of the Administrative Board, the terms of office of the members of the Administrative Board and of the Security Accreditation Board and those of their chairpersons, the existence of a multiannual work programme, the powers of the Administrative Board concerning staff management, assessment and revision of that Regulation, prevention and management of conflicts of interest and handling of non-classified but sensitive information. The process for the adoption of the multiannual work programme should be carried out in full compliance with the principles of sincere cooperation and taking into account the time constraints relating to such work programme.

(26)With reference to the prevention and management of conflicts of interest, it is essential that the Agency establish and maintain a reputation for impartiality, integrity and high professional standards. There should never be any legitimate reason to suspect that decisions might be influenced by interests conflicting with the role of the Agency as a body serving the Union as a whole or by the private interests or affiliations of any member of the Agency staff, any seconded national expert or observer, or of any member of the Administrative Board or the Security Accreditation Board, which would create, or have the potential to create, a conflict with the proper performance of the official duties of the person concerned. The Administrative Board and the Security Accreditation Board should therefore adopt comprehensive rules on conflicts of interest that cover the entire Agency. Those rules should take account of the recommendations issued by the Court of Auditors in its Special Report No 15 of 2012 which was prepared at the request of the European Parliament, and of the need to avoid conflicts of interest between the Members of the Administrative Board and of the Security Accreditation Board.

(27)In order to ensure the transparent operation of the Agency, its rules of procedure should be published. However, by way of exception, certain public and private interests should be protected. In order to ensure the smooth running of the programmes, the multiannual and the annual work programmes and the annual report should be as detailed as possible. As a consequence, they might contain material that is sensitive from the point of view of security or contractual relations. It would therefore be appropriate to publish only an executive summary of those documents. In the interests of transparency, those summaries should nevertheless be as complete as possible.

(28)It should also be emphasised that the Agency’s work programmes should be established on the basis of a performance management process, including performance indicators, for effective and efficient assessment of the results achieved.

(29)The work programmes of the Agency should also contain resource programming, including the human and financial resources assigned to each activity and taking into account the fact that the expenditure associated with the new staff requirements of the Agency should be partially offset by an appropriate reduction in the Commission’s establishment plan during the same period, that is from 2014 to 2020.

(30)Without prejudice to the political decision regarding Union agencies’ seats, to the desirability of geographical spread and to the objectives set by Member States as regards new agencies’ seats, as contained in the conclusions of the Representatives of the Member States, meeting at Head of State or Government level in Brussels on 13 December 2003, and recalled in the European Council conclusions of June 2008, objective criteria should be taken into account in the decision-making process for choosing a location for the Agency’s local offices. Those criteria include the accessibility of the premises, the existence of suitable educational infrastructure for the children of members of staff and seconded national experts, access to the employment market, the social security system and healthcare for the families of members of staff and seconded national experts, as well as implementation and operating costs.

(31)The hosting States should provide, through specific arrangements, the necessary conditions for the smooth operation of the Agency, such as appropriate education and transport facilities.

(32)By Decision 2010/803/EU (10), the Representatives of the Governments of the Member States decided that the Agency would have its seat in Prague. The Host Agreement between the Czech Republic and the Agency was concluded on 16 December 2011 and entered into force on 9 August 2012. It is considered that the Host Agreement and other specific arrangements fulfil the requirements of Regulation (EU) No 912/2010.

(33)The financial interests of the Union are to be protected using proportionate measures throughout the expenditure cycle, in particular, by means of prevention and detection of irregularities, carrying out surveys, recovering lost, unduly paid or poorly administered funds and, if necessary, applying penalties.

(34)Given that Article 8 of Regulation (EU) No 1285/2013 allows the Member States to contribute extra funds in order to finance certain programme features, the Agency should be permitted to award contracts jointly with the Member States when appropriate for the performance of its tasks.

(35)The Agency should apply the Commission’s rules as regards the security of EU classified information. It should also be able to establish rules for the handling of non-classified but sensitive information. Those rules should apply only to the handling of such information by the Agency. Non-classified but sensitive information is information or material that the Agency should protect because of legal obligations laid down in the Treaties and/or because of its sensitivity. It includes, but is not limited to, information or material covered by the obligation of professional secrecy, as referred to in Article 339 TFEU, information relating to issues referred to in Article 4 of Regulation (EC) No 1049/2001 of the European Parliament and of the Council (11) or information within the scope of Regulation (EC) No 45/2001 of the European Parliament and of the Council (12).

(36)Regulation (EU) No 912/2010 should therefore be amended accordingly,