ANNEX I
Technical specifications, measures and objectives of the decentralised it system
1. Introduction and scope
This Annex sets out the technical specifications, measures and objectives of the decentralised IT system in accordance with Regulation (EU) 2023/2844 for the legal acts listed in points 3 and 4 of Annex I, the legal acts listed in points 1, 10 and 11 of Annex II to that Regulation, and the procedure established by Article 24(3) of Regulation (EU) 2023/2844 for the electronic service of documents through the European electronic access point.
2. Definitions
2.1.
‘Data exchange’ means the exchange of messages and documents through the decentralised IT system;
2.2.
‘Hypertext Transfer Protocol Secure’ or ‘HTTPS’ means encrypted communication and secure connection channels;
2.3.
‘Non-repudiation of origin’ means the measures providing the proof of the integrity and proof of origin of the data through methods such as digital certification, public key infrastructure and electronic signatures and electronic seals;
2.4.
‘Non-repudiation of receipt’ means the measures providing the proof of the receipt of the data to the originator by the intended recipient of the data through methods such as digital certification, public key infrastructure, and electronic signatures and electronic seals;
2.5.
‘REST’ (REpresentational State Transfer) is an architectural style for designing networked applications. It relies on a stateless, client-server communication model and uses standard methods to perform operations on resources, which are typically represented in structured formats;
2.6.
‘SOAP’ means, as per the standards of the World Wide Web Consortium, a messaging protocol specification for exchanging structured information in the implementation of web services in computer networks;
2.7.
‘Web service’ means a software system designed to support interoperable machine-to-machine interaction over a network; it has an interface described in a machine-processable format.
3. Methods of communication by electronic means
The decentralised IT system shall use service-based methods of communication, such as web services or other reusable components and software solutions for the purpose of exchanging messages and documents.
Specifically, it shall involve communication through e-CODEX access points, as set out in Article 5(2) of Regulation (EU) 2022/850.
4. Communication protocols
The decentralised IT system shall use secure internet protocols, such as HTTPS, for communication within the decentralised IT system, and standards-based communication protocols, such as SOAP or methods, such as REST, for the transmission of structured data and metadata.
5. Information security objectives and relevant technical measures
5.1.
For the exchange of information via the decentralised IT system, the technical measures for ensuring minimum information technology security standards shall include:
(a)
measures to ensure confidentiality of information, including by using secure channels of communication (such as HTTPS);
(b)
measures to ensure the integrity of data at rest and in transit;
(c)
measures to ensure the non-repudiation of origin of the sender of information within the decentralised IT system and the non-repudiation of receipt of information;
(d)
measures to ensure logging of security events in line with recognised international recommendations for information technology security standards ( 1 ) ;
(e)
measures to ensure user authentication and authorisation and measures to verify the identity of systems connected to the decentralised IT system;
5.2.
Where TLS is employed in the context of the decentralised IT system, the latest stable version of the protocol shall be used, or, failing that, a version without known security vulnerabilities. Only key lengths that ensure an adequate level of cryptographic security shall be permitted, and cipher suites known to be insecure or deprecated shall not be used;
5.3.
To the extent possible, Public Key Infrastructure (PKI) digital certificates used for the purposes of operation of the decentralised IT system shall be issued by Certification Authorities recognised as Qualified Trust Service Providers in accordance with Regulation (EU) No 910/2014. Measures shall be implemented to ensure that such certificates are used solely for their intended purposes, at the required level of trust, and in compliance with the applicable requirements of Regulation (EU) No 910/2014;
5.4.
The components of the decentralised IT system shall be developed in accordance with the principle of data protection by design and by default and the appropriate administrative, organisational, and technical measures shall be implemented to ensure a high level of cybersecurity;
5.5.
The Commission shall design, develop and maintain the reference implementation software in compliance with the data protection requirements and principles laid down in Regulation (EU) 2018/1725. The reference implementation software provided by the Commission shall allow Member States to comply with their obligations pursuant to respectively Regulation (EU) 2016/679 of the European Parliament and of the Council ( 2 ) and Directive (EU) 2016/680 of the European Parliament and of the Council ( 3 ) , as applicable;
5.6.
Member States which use a national IT system different than the reference implementation software shall implement the necessary measures to ensure that it complies with the requirements of Regulation (EU) 2016/679 and Directive (EU) 2016/680, as applicable;
5.7.
Having regard to their participation in the decentralised IT system, Eurojust and the European Public Prosecutor’s Office shall implement the necessary measures to ensure that their respective IT systems comply with the requirements of Regulation (EU) 2018/1725 and their founding acts;
5.8.
For the IT systems part of the decentralised IT system under their responsibility, Member States, Eurojust and the European Public Prosecutor’s Office shall establish robust mechanisms for threat detection and incident response to ensure timely identification, mitigation, and recovery from security incidents, in accordance with their relevant policies.
6. Minimum availability objectives
6.1.
Member States shall ensure 24 hours, 7 days a week availability of the components of the decentralised IT system under their responsibility, with a target technical availability rate of at least 98 % on annual basis, excluding scheduled maintenance;
6.2.
The Commission shall ensure 24 hours, 7 days a week availability of the Competent courts (authorities) database (CDB), with a target technical availability rate of more than 99 % on annual basis, excluding scheduled maintenance;
6.3.
To the extent possible, maintenance operations shall be planned outside of working days or during working days between 20:00h-7:00h CET;
6.4.
Member States shall notify the Commission and the other Member States of maintenance activities as follows:
(a)
5 working days in advance for maintenance operations that may cause an unavailability period of up to 4 hours;
(b)
10 working days in advance for maintenance operations that may cause an unavailability period between 4 and 12 hours;
(c)
30 working days in advance for maintenance operations that may cause an unavailability period of more than 12 hours.
6.5.
Where Member States have fixed regular maintenance windows, they shall inform the Commission and the other Member States of the time and day(s) when such fixed regular windows are planned. Without affecting the obligations set out in point 6.4, if components of the decentralised IT system under Member States’ responsibility become unavailable during such a regular fixed window, Member States may choose not to notify the Commission on each occasion;
6.6.
In case of unexpected technical failure of the components of the decentralised IT system under Member States’ responsibility, Member States shall inform the Commission and the other Member States about it without delay, and, if known, of the projected recovery timeframe;
6.7.
In case of unexpected technical failure of the Competent courts (authorities) database (CDB), the Commission shall inform the Member States without delay of the unavailability, and if known, of the projected recovery timeframe;
6.8.
Member States shall ensure the availability of data, including personal data, processed within the components of the decentralised IT system under their responsibility. Appropriate technical and organisational measures shall be implemented to prevent data loss and to ensure the timely restoration of access to data in case of an incident. Such measures may include, as appropriate, a backup and recovery policy, regular testing of backup integrity and restoration procedures, and data storage redundancy mechanisms.
7. Competent courts (authorities) database (CDB) ( 4 )
7.1.
In accordance with Article 3(1) of Regulation (EU) 2023/2844, the decentralised IT system shall enable electronic communication between the competent authorities, as defined in Article 2(1) thereof, of different Member States and between a national competent authority and a Union body or agency. Pursuant to Article 3(6) of that Regulation, a Member State may also decide to use the decentralised IT system for communication between its national authorities. Moreover, the decentralised IT system shall, pursuant to Article 4 of Regulation (EU) 2023/2844, enable direct electronic communication between natural or legal persons or their representatives, and the competent authorities in the context of Regulations (EC) No 1896/2006 and (EC) No 861/2007.
Therefore, taking into account Member States’ obligations to notify and update the list of their competent authorities as set out in the relevant provisions of the legal acts referred to in Article 1 of this Regulation, and in accordance with Article 17(1), point (e), of Regulation (EU) 2023/2844, it is essential to establish an authoritative database of information regarding those authorities for the purposes of the decentralised IT system;
7.2.
The authoritative database of the competent authorities shall include the following information in a structured format:
(a)
for the purposes of Article 4(2), point (a), and, where applicable, Article 3(6) of Regulation (EU) 2023/2844, information on the competent authorities pursuant to Regulation (EC) No 1896/2006, notably Article 29(1) thereof, as well as those subject to additional notifications under Article 17(1), point (e), of Regulation (EU) 2023/2844;
(b)
for the purposes of Article 4(2), point (a), and, where applicable, Article 3(6) of Regulation (EU) 2023/2844, information on the competent authorities pursuant to Regulation (EC) 861/2007, notably Article 25(1) thereof, as well as those subject to additional notifications under Article 17(1), point (e), of Regulation (EU) 2023/2844;
(c)
for the purposes of Article 3(1) and, where applicable, Article 3(6) of Regulation (EU) 2023/2844, information on the authorities notified pursuant to Council Framework Decision 2002/584/JHA, notably Articles 6(3), Article 7(2) and 25(2) thereof, as well as those subject to additional notifications under Article 17(1), point (e), of Regulation (EU) 2023/2844;
(d)
for the purposes of Article 3(1) and, where applicable, Article 3(6) of Regulation (EU) 2023/2844, information on the authorities notified pursuant to Directive 2014/41/EU, notably Article 33(1), points (a) and (c), thereof, as well as those subject to additional notifications under Article 17(1), point (e), of Regulation (EU) 2023/2844;
(e)
for the purposes of Article 3(1) and, where applicable, Article 3(6) of Regulation (EU) 2023/2844, information on the authorities notified pursuant to Regulation (EU) 2018/1805, notably Article 24(1) and (2) thereof, as well as those subject to additional notifications under Article 17(1), point (e), of Regulation (EU) 2023/2844;
(f)
for the purposes of Article 4(4) and Article 24(3) of Regulation (EU) 2023/2844 information on the competent authorities subject to additional notifications under Article 17(1), point (e), of Regulation (EU) 2023/2844 for the purposes of Article 19a of Regulation (EU) 2020/1784;
(g)
The authorities referred to in points (c) to (e) shall include:
(i)
Eurojust national members, including with regard to where, pursuant to Article 8(3) and (4) of Regulation (EU) 2018/1727 of the European Parliament and of the Council ( 5 ) , in accordance with national law they may issue or execute a request for mutual legal assistance or mutual recognition, or order, request or execute investigative measures, as provided for in Directive 2014/41/EU;
(ii)
With regard to Council Framework Decision 2002/584/JHA, the European Delegated Prosecutors, in the meaning of Article 33(2) of Regulation (EU) 2017/1939 of the European Parliament and of the Council ( 6 ) ;
(iii)
The European Delegated Prosecutors and the European Prosecutors, where notified by Member States in accordance with Article 105(3) of Regulation (EU) 2017/1939 as competent issuing or executing authorities (or both).
(h)
the necessary information to enable communication with the EPPO’s Central Office via the decentralised IT system, where applicable;
(i)
where relevant, information necessary to determine the geographical areas of the authorities’ competence or other relevant criteria necessary to establish their competence;
(j)
information necessary for the correct technical message routing within the decentralised IT system.
7.3.
The Commission shall be responsible for the development, maintenance, operation and support of the authoritative database.
7.4.
The Competent courts (authorities) database (CDB) shall enable Member States to update the information therein and the authorities participating in the decentralised IT system to programmatically access and retrieve information.
7.5.
Access to the Competent courts (authorities) database (CDB) shall be possible via a common communication protocol, regardless of whether the authorities connected to the decentralised IT system operate a back-end system or a deployment of the reference implementation software.
7.6.
Member States shall ensure that the information on their authorities in the authoritative database set out in point 7.2 is complete, accurate and maintained up to date.
( 1 ) Without prejudice to logging for security purposes, the logging mechanisms employed by the components of the decentralised IT system shall, as appropriate, allow to ensure compliance with the requirements set out in Article 88 of Regulation (EU) 2018/1725 and, where applicable, Article 25 of Directive (EU) 2016/680, and support data controllers in fulfilling their accountability obligations.
( 2 ) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ( OJ L 119, 4.5.2016, p. 1 , ELI: http://data.europa.eu/eli/reg/2016/679/oj ).
( 3 ) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA ( OJ L 119, 4.5.2016, p. 89 , ELI: http://data.europa.eu/eli/dir/2016/680/oj ).
( 4 ) For historical reasons, the system is named the ‘Competent Courts Database’. However, to provide better clarity, the authoritative database will also include information on other types of authorities, such as prosecution offices, bailiffs and ministries of justice.
( 5 ) Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust), and replacing and repealing Council Decision 2002/187/JHA ( OJ L 295, 21.11.2018, p. 138 , ELI: http://data.europa.eu/eli/reg/2018/1727/oj ).
( 6 ) Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’) ( OJ L 283, 31.10.2017, p. 1 , ELI: http://data.europa.eu/eli/reg/2017/1939/oj ).