Legal base

IT security standard is based on Commission Decision (EU, Euratom) 2017/46 on the security of communication and information systems in the European Commission and on the Commission Decision that sets out implementing rules for Articles 3, 5, 7-15 of Decision 2017/46, C (2017) 8841, in particular its Article 12.

UDB is governed by EDPR and security standards defined by EC. All connections to UDB shall be made only via eDelivery, a secure exchange infrastructure.


Data Protection


Data Privacy

Privacy registry can be found here

https://ec.europa.eu/dpo-register/detail/DPR-EC-20608.1


Data Security and access.

The IT security standards of the European Commission are public and can be found here.

https://commission.europa.eu/publications/security-standards-applying-all-european-commission-information-systems_en


UDB implementation is governed by by the commissions services ranging from application to infrastructure. For any incident reporting please send to EC-UDB-SUPPORT@ec.europa.eu


eDelivery

eDelivery is a secure exchange data transfer between UDB & external IT Systems.  Please, refer to the following public link on how to use eDelivery:

https://ec.europa.eu/digital-building-blocks/sites/display/DIGITAL/eDelivery


Who can see Economic Operators related data:


View Organisation

View Transactions

Certificate ID and validity 

 Certificate Site/Scope/Material

EC Admin/User

Y

Y (authorised personnel only)

Y

Y

MS Lead User & User

Y

Y (authorised personnel only)

Y

Y

VS Lead User & User

Y

N

Y

Y

EO Lead User & User

Y

Y

Y

Y

Other EO Lead user & user

N

N

Y(planned)

N

TSO/DSO/LSO

N

N

Y

N

CB Lead User & User

 Y

Y ( As part of audit)

 Y

Y ( As part of audit)

Service Provider

Y (SP appointed by EO only)

Y (SP appointed by EO only)

Y (No restrictions, for all EO)

Y (SP appointed by EO only)


Access Control and Authentication security standard. Determining Access rights:

Requirement

Implementation

(M=mandatory, R=recommended)

Access to system functionalities and data shall be restricted to authorized users on the basis of the ‘need to know’ principle.

M

Authorization mechanisms in the system shall ensure that access is:

  • automatically denied unless accounts have been explicitly authorized for the system; and
  • automatically restricted to access rights granted to the account.


M

The system owner shall determine access rights associated with differentiated levels of authorization to access the system data and functionalities.

M

The access rights shall be determined on the basis of a risk assessment that considers at least:

Information sensitivity and level of classification – the need to limit access to system data, in line with data classification, general data sensitivity and applicable regulation; and


M

Determined access rights shall be reviewed periodically to check that they continue to ensure the protection of sensitive non-classified information, the enforcement of process controls and the segregation of incompatible duties.

M

Access decisions (both positive and negative) following a user access request during a login process shall be logged in order to provide an audit trail.

M

 

Authentication service: EU Login

  • No labels