Legal base
The IT security standard is based on Commission Decision (EU, Euratom) 2017/46 on the security of communication and information systems in the European Commission, and on the Commission Decision that sets out implementing rules for Articles 3, 5 and 7-15 of Decision 2017/46, C(2017) 8841, in particular its Article 12.
UDB is governed by the EDPR and by the security standards defined by the European Commission. All connections to UDB shall be made only via eDelivery, a secure data exchange infrastructure.
Data Protection
Data Privacy
The privacy register entry for UDB can be found here:
https://ec.europa.eu/dpo-register/detail/DPR-EC-20608.1
Data Security and access
The IT security standards of the European Commission are public and can be found here.
The UDB implementation is governed by the Commission's services, from the application layer down to the infrastructure. To report an incident, please e-mail EC-UDB-SUPPORT@ec.europa.eu.
eDelivery
eDelivery provides secure data exchange between UDB and external IT systems. For guidance on how to use eDelivery, please refer to the following public page:
https://ec.europa.eu/digital-building-blocks/sites/display/DIGITAL/eDelivery
Who can see Economic Operators related data:

| Role | View Organisation | View Transactions | Certificate ID and validity | Certificate Site/Scope/Material |
|---|---|---|---|---|
| EC Admin/User | Y | Y (authorised personnel only) | Y | Y |
| MS Lead User & User | Y | Y (authorised personnel only) | Y | Y |
| VS Lead User & User | Y | N | Y | Y |
| EO Lead User & User | Y | Y | Y | Y |
| Other EO Lead User & User | N | N | Y (planned) | N |
| TSO/DSO/LSO | N | N | Y | N |
| CB Lead User & User | Y | Y (as part of audit) | Y | Y (as part of audit) |
| Service Provider | Y (SP appointed by EO only) | Y (SP appointed by EO only) | Y (no restrictions, for all EO) | Y (SP appointed by EO only) |
Access Control and Authentication security standard
Determining access rights:

| Requirement | Implementation (M = mandatory, R = recommended) |
|---|---|
| Access to system functionalities and data shall be restricted to authorized users on the basis of the 'need to know' principle. | M |
| Authorization mechanisms in the system shall ensure that access is: | M |
| The system owner shall determine access rights associated with differentiated levels of authorization to access the system data and functionalities. | M |
| The access rights shall be determined on the basis of a risk assessment that considers at least: information sensitivity and level of classification (the need to limit access to system data, in line with data classification, general data sensitivity and applicable regulation); and | M |
| Determined access rights shall be reviewed periodically to check that they continue to ensure the protection of sensitive non-classified information, the enforcement of process controls and the segregation of incompatible duties. | M |
| Access decisions (both positive and negative) following a user access request during a login process shall be logged in order to provide an audit trail. | M |
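The access matrix above, together with the requirement that both positive and negative access decisions be logged, can be expressed as a single deny-by-default authorisation check. This is an added illustration, not UDB's own code; the role labels, the `Subject` fields (authorised flag, appointing EOs, audited EOs) and the view names are assumptions made here, and the "Y (planned)" cell is treated as not yet granted.

```python
"""Added example, not UDB's own code: the 'who can see Economic Operators related
data' matrix as an authorisation check that logs every positive and negative
decision. Role labels, Subject fields and view names are assumptions."""
import logging
from dataclasses import dataclass, field
from typing import Optional, Set
log = logging.getLogger("udb.authz")
logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")

# Conditions that appear in the matrix; plain Y/N become ALWAYS/NEVER.
ALWAYS, NEVER = "always", "never"
AUTHORISED = "authorised_personnel"   # "Y (authorised personnel only)"
APPOINTED = "appointed_by_eo"         # "Y (SP appointed by EO only)"
AUDIT = "part_of_audit"               # "Y (as part of audit)"
OWN_EO = "own_eo"                     # EO sees its own data; other EOs see N
VIEWS = ("organisation", "transactions", "cert_id_validity", "cert_scope")
# Role -> rule per view, in VIEWS order, transcribed from the table.
# The "Y (planned)" cell for other EOs is treated as not yet granted.
MATRIX = {
    "EC": (ALWAYS, AUTHORISED, ALWAYS, ALWAYS),
    "MS": (ALWAYS, AUTHORISED, ALWAYS, ALWAYS),
    "VS": (ALWAYS, NEVER, ALWAYS, ALWAYS),
    "EO": (OWN_EO, OWN_EO, OWN_EO, OWN_EO),
    "TSO/DSO/LSO": (NEVER, NEVER, ALWAYS, NEVER),
    "CB": (ALWAYS, AUDIT, ALWAYS, AUDIT),
    "SP": (APPOINTED, APPOINTED, ALWAYS, APPOINTED),
}

@dataclass
class Subject:
    user: str
    role: str
    eo: Optional[str] = None                             # EO the user belongs to
    authorised: bool = False                             # flagged as authorised personnel
    appointed_by: Set[str] = field(default_factory=set)  # EOs that appointed this SP
    auditing: Set[str] = field(default_factory=set)      # EOs the CB is currently auditing

def rule_holds(rule: str, subj: Subject, target_eo: str) -> bool:
    checks = {ALWAYS: True, NEVER: False, AUTHORISED: subj.authorised,
              OWN_EO: subj.eo == target_eo, APPOINTED: target_eo in subj.appointed_by,
              AUDIT: target_eo in subj.auditing}
    return checks[rule]

def can_view(subj: Subject, view: str, target_eo: str) -> bool:
    """Deny by default for unknown roles or views; log the decision either way."""
    rules = MATRIX.get(subj.role)
    allowed = rules is not None and view in VIEWS and rule_holds(rules[VIEWS.index(view)], subj, target_eo)
    log.info("access=%s user=%s role=%s view=%s eo=%s", "GRANTED" if allowed else "DENIED",
             subj.user, subj.role, view, target_eo)
    return allowed
```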
Authentication service: EU Login