The Commission websites must assure adequate protection of data, including personal data, sent over the Internet against various types of risks, including risks to the data’s confidentiality and integrity.
All Commission websites must use the Transport Layer Security (TLS/SSL) protocol, over which application protocols such as HTTP run, to protect the communication between the client and the server. HTTP carried over SSL/TLS is known as HTTPS; a connection to a secure website is therefore recognised by its URL starting with https:// instead of simply http://. In particular:
- all pages within any given website must be available under HTTPS
- the secure connection to the website must be enforced by automatically redirecting web browsers from the http:// to the https:// version of the website
- special care should be applied to cover and verify the secured connection especially on transactional pages containing data in transit, for example contact forms
- the TLS/SSL encryption level of the secure connection must be TLS 1.1 or higher.
Further good practices include:
- couple the use of TLS with a secure management of the relevant cryptographic keys
- oblige the web client to use HTTPS through HTTP Strict Transport Security
- mitigate the consequences of a compromise of cryptographic keys through Forward Secrecy.
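A small checker for the requirements and good practices listed above, added here as an example (it is not Commission tooling). `evaluate` applies the rules to an observation dictionary, which `probe` collects from a live host (network access needed) or which can be constructed by hand; the hostnames and header values in the tests are constructed.

```python
import re
import http.client
import ssl

TLS_MIN = (1, 1)  # the guide's floor: TLS 1.1 or higher
REDIRECTS = {301, 302, 307, 308}


def evaluate(obs: dict) -> list:
    """Return findings (empty list = compliant) for one observed site.
    obs keys: http_status, http_location, tls_version, cipher, hsts."""
    findings = []
    loc = (obs.get("http_location") or "").lower()
    if obs.get("http_status") not in REDIRECTS or not loc.startswith("https://"):
        findings.append("http:// is not redirected to https://")
    # ssl reports versions as 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'
    m = re.fullmatch(r"TLSv1(?:\.(\d))?", obs.get("tls_version") or "")
    if not m or (1, int(m.group(1) or 0)) < TLS_MIN:
        findings.append("negotiated %s is below TLS 1.1" % obs.get("tls_version"))
    # Forward secrecy: every TLS 1.3 suite (OpenSSL names them TLS_*) and the
    # ECDHE/DHE suites of TLS 1.2 use ephemeral key exchange; static RSA does not.
    cipher = obs.get("cipher") or ""
    if not cipher.startswith(("TLS_", "ECDHE", "DHE")):
        findings.append("cipher %s does not provide forward secrecy" % cipher)
    hsts = re.search(r"max-age=(\d+)", obs.get("hsts") or "", re.I)
    if not hsts or int(hsts.group(1)) == 0:
        findings.append("Strict-Transport-Security missing or max-age=0")
    return findings


def probe(host: str, timeout: float = 5.0) -> dict:
    """Collect the observation for a live host (needs network access)."""
    obs = {}
    plain = http.client.HTTPConnection(host, 80, timeout=timeout)
    plain.request("HEAD", "/")
    r = plain.getresponse()
    obs["http_status"], obs["http_location"] = r.status, r.getheader("Location")
    plain.close()
    secure = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                         context=ssl.create_default_context())
    secure.connect()  # after connect, .sock is the negotiated SSLSocket
    obs["tls_version"], obs["cipher"] = secure.sock.version(), secure.sock.cipher()[0]
    secure.request("HEAD", "/")
    obs["hsts"] = secure.getresponse().getheader("Strict-Transport-Security")
    secure.close()
    return obs
```

Run it as `evaluate(probe("www.example.org"))`; an empty list means the host meets all four checks.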
Any personal data processed as part of any task relating to the development of the European Commission's web presence must be handled in compliance with Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data. Please refer to this guide's section on data protection for more information.
Contact and support
Need further assistance on this topic? Please contact the team in charge of Europa Domain Management (EU Login required).