Legal base
The IT security standard is based on Commission Decision (EU, Euratom) 2017/46 on the security of communication and information systems in the European Commission and on the Commission Decision that sets out implementing rules for Articles 3, 5, 7-15 of Decision 2017/46, C(2017) 8841, in particular its Article 12.
UDB is governed by the EDPR and by the security standards defined by the EC. All connections to UDB shall be made only via eDelivery, a secure exchange infrastructure. Please refer to the following public page on how to use eDelivery:
https://ec.europa.eu/digital-building-blocks/sites/display/DIGITAL/eDelivery
The IT security standards of the European Commission are public and can be found here.
Data Protection
Data Privacy
The privacy registry entry can be found here:
https://ec.europa.eu/dpo-register/detail/DPR-EC-20608.1
Who can see Economic Operator-related data:

| Role | View Organisation | View Transactions | Certificate ID and validity | Certificate Site/Scope/Material |
|---|---|---|---|---|
| EC Admin/User | Y | Y (authorised personnel only) | Y | Y |
| MS Lead User & User | Y | Y (authorised personnel only) | Y | Y |
| VS Lead User & User | Y | N | Y | Y |
| EO Lead User & User | Y | Y | Y | Y |
| Other EO Lead User & User | N | N | Y (planned) | N |
| TSO/DSO/LSO | N | N | Y | N |
| CB Lead User & User | Y | Y | Y | Y |
| Service Provider | Y (SP appointed by EO only) | Y (SP appointed by EO only) | Y (no restrictions, for all EOs) | Y (SP appointed by EO only) |
Access Control and Authentication security standard. Determining access rights:

| Requirement | Implementation (M = mandatory, R = recommended) |
|---|---|
| Access to system functionalities and data shall be restricted to authorised users on the basis of the ‘need to know’ principle. | M |
| Authorisation mechanisms in the system shall ensure that access is: automatically denied unless accounts have been explicitly authorised for the system; and automatically restricted to the access rights granted to the account. | M |
| The system owner shall determine the access rights associated with differentiated levels of authorisation to access the system data and functionalities. | M |
| The access rights shall be determined on the basis of a risk assessment that considers at least: · information sensitivity and level of classification – the need to limit access to system data, in line with data classification, general data sensitivity and applicable regulation; and | M |
| Determined access rights shall be reviewed periodically to check that they continue to ensure the protection of sensitive non-classified information, the enforcement of process controls and the segregation of incompatible duties. | M |
| Access decisions (both positive and negative) following a user access request during a login process shall be logged in order to provide an audit trail. | M |
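As an added illustration (not UDB's own code) of how the visibility matrix above and the default-deny and decision-logging requirements fit together: role and action names mirror the table, while the `Account` fields and the audit-record layout are assumptions about how the table's "authorised personnel only" and "SP appointed by EO only" conditions would be represented.

```python
import logging
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

log = logging.getLogger("udb.access")
AUDIT: List[dict] = []  # audit trail: one record per decision, positive or negative
# Actions are the table's columns; the cell conditions model the 'Y (...)' qualifiers.
VIEW_ORG, VIEW_TX, CERT_ID, CERT_SCOPE = "view_organisation", "view_transactions", "certificate_id", "certificate_scope"
ALWAYS, PERSONNEL, APPOINTED = "always", "authorised_personnel", "appointed_by_eo"
ALL = {VIEW_ORG: ALWAYS, VIEW_TX: ALWAYS, CERT_ID: ALWAYS, CERT_SCOPE: ALWAYS}

# Only 'Y' cells are listed: any role/action pair absent here is denied (default deny).
MATRIX: Dict[str, Dict[str, str]] = {
    "EC Admin/User": {**ALL, VIEW_TX: PERSONNEL},
    "MS Lead User & User": {**ALL, VIEW_TX: PERSONNEL},
    "VS Lead User & User": {VIEW_ORG: ALWAYS, CERT_ID: ALWAYS, CERT_SCOPE: ALWAYS},
    "EO Lead User & User": ALL,
    "Other EO Lead User & User": {},  # Certificate ID is only 'planned', so nothing is granted yet
    "TSO/DSO/LSO": {CERT_ID: ALWAYS},
    "CB Lead User & User": ALL,
    "Service Provider": {VIEW_ORG: APPOINTED, VIEW_TX: APPOINTED, CERT_ID: ALWAYS, CERT_SCOPE: APPOINTED},
}

@dataclass
class Account:  # assumed shape; the table does not define how these conditions are recorded
    name: str
    role: Optional[str] = None          # None: account never explicitly authorised for the system
    authorised_personnel: bool = False  # satisfies 'authorised personnel only'
    appointed_by: Set[str] = field(default_factory=set)  # EO ids that appointed this service provider

def is_allowed(account: Account, action: str, eo_id: str) -> bool:
    # Decide whether `account` may perform `action` on data of economic operator `eo_id`.
    grants = MATRIX.get(account.role) if account.role else None
    if grants is None:
        allowed, reason = False, "account not authorised for the system"
    elif action not in grants:
        allowed, reason = False, "action not granted to role"
    elif grants[action] == PERSONNEL:
        allowed = account.authorised_personnel
        reason = "granted" if allowed else "not authorised personnel"
    elif grants[action] == APPOINTED:
        allowed = eo_id in account.appointed_by
        reason = "granted" if allowed else "service provider not appointed by this EO"
    else:
        allowed, reason = True, "granted"
    entry = {"account": account.name, "role": account.role, "action": action, "eo": eo_id,
             "decision": "ALLOW" if allowed else "DENY", "reason": reason}
    AUDIT.append(entry)  # both outcomes are recorded, as the logging requirement demands
    log.info("access %(decision)s account=%(account)s role=%(role)s action=%(action)s eo=%(eo)s reason=%(reason)s", entry)
    return allowed
```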