FantasticSearch

SFC2021: electronic data exchange system between the Member States and the Commission – Article 69(9) 1. Responsibilities of the Commission 1.1. Ensuring the operation of an electronic data exchange system (‘SFC2021’) for all official exchanges of information between the Member State and the Commission. SFC2021 shall contain at least the information specified in the templates established in accordance with this Regulation.

1.2. Ensuring the following characteristics of SFC2021:

(a) interactive forms or forms pre-filled by the system on the basis of the data already recorded in the system previously;

(b) automatic calculations, where they reduce the encoding effort of users;

(c) automatic embedded controls to verify internal consistency of transmitted data and consistency of this data with applicable rules;

(d) system generated alerts warning SFC2021 users that certain actions can or cannot be performed;

(e) online status tracking of the treatment of information entered into the system;

(f) availability of historical data in respect of all information entered for a programme;

(g) availability of a compulsory electronic signature within the meaning of Regulation (EU) No 910/2014 which will be recognised as evidence in legal proceedings.

1.3. Ensuring an information technology security policy for SFC2021 applicable to the personnel using the system in accordance with relevant Union rules, in particular Commission Decision (EU, Euratom) 2017/46 () and its implementing rules.

1.4. Designating a person or persons responsible for defining, maintaining and ensuring the correct application of the security policy to SFC2021.

2. Responsibilities of Member States 2.1. Ensuring that the programme authorities of the Member State identified in accordance with Article 71(1) as well as the bodies identified to carry out certain tasks under the responsibility of the managing authority or the audit authority in accordance with Article 71(2) and (3) enter into SFC2021 the information for the transmission of which they are responsible and any updates thereto.

2.2. Ensuring the verification of information submitted by a person other than the person who entered the data for that transmission.

2.3. Providing arrangements for the separation of the above tasks through the Member State’s management and control information systems connected automatically with SFC2021.

2.4. Appointing a person or persons responsible for managing access rights to fulfil the following tasks:

(a) identifying users requesting access, making sure those users are employed by the organisation;

(b) informing users about their obligations to preserve the security of the system;

(c) verifying the entitlement of users to the required privilege level in relation to their tasks and their hierarchical position;

(d) requesting the termination of access rights when those access rights are no longer needed or justified;

(e) promptly reporting suspicious events that may bring prejudice to the security of the system;

(f) ensuring the continued accuracy of user identification data by reporting any changes;

(g) taking the necessary data protection and commercial confidentiality precautions in accordance with Union and national rules;

(h) informing the Commission of any changes affecting the capacity of the Member State authorities or users of SFC2021 to carry out the responsibilities referred to in point 2.1 or their personal capacity to carry out responsibilities referred to in points (a) to (g).

2.5. Providing arrangements for the respect of the protection of privacy and of personal data for individuals, and of commercial confidentiality for legal entities in accordance with Directive 2002/58/EC, Regulation (EU) 2016/679 and Regulation (EU) 2018/1725.

2.6. Adopting national, regional or local information security policies on access to SFC2021 based on a risk assessment applicable to all authorities using SFC2021 and addressing the following aspects:

(a) the IT security aspects of the work performed by the person or persons responsible for managing the access rights referred to in point 2.4 of section II in case of application of direct use;

(b) for national, regional or local computer systems connected to SFC2021, through a technical interface referred to in point 2.3 the security measures for those systems allowing to be aligned with SFC2021 security requirements and covering:

(i) physical security;

(ii) data media and access control;

(iii) storage control;

(iv) access and password control;

(v) monitoring;

(vi) interconnection with SFC2021;

(vii) communication infrastructure; (viii) human resources management prior to employment, during employment and after employment;

(ix) incident management.

2.7. Making the document referred to in point 2.6 available to the Commission upon request.

2.8. Appointing a person or persons responsible for maintaining and ensuring the application of the national, regional or local IT security policies and acting as a contact point with the person or persons designated by the Commission and referred to in point 1.4.

3. Joint responsibilities of the Commission and the Member States

3.1. Ensuring accessibility either directly through an interactive user-interface (i.e. a web-application) or via a technical interface using pre-defined protocols (i.e. web-services) that allows for automatic synchronisation and transmission of data between Member States information systems and SFC2021.

3.2. Providing for the date of electronic transmission of the information by the Member State to the Commission and vice-versa in electronic data exchange, which constitutes the date of submission of the document concerned.

3.3. Ensuring that official data is exchanged exclusively through SFC2021, except where force majeure occurs, and that information provided in the electronic forms embedded in SFC2021 (hereinafter referred to as ‘structured data’) is not replaced by non-structured data and, in the event of inconsistency, that structured data prevails over non-structured data.

In the event of force majeure, a malfunctioning of SFC2021 or a lack of a connection with SFC2021 exceeding one working day in the last week before a regulatory deadline for the submission of information or in the period from 18 to 26 December, or five working days at other times, the information exchange between the Member State and the Commission may take place in paper form using the templates set out in this Regulation in which case the date of submission of the document is the date stamped by the post. When the cause of the force majeure ceases, the party concerned enters in SFC2021 without delay the information already provided in paper form.

3.4. Ensuring compliance with the IT security terms and conditions published in the SFC2021 portal and the measures that are implemented in SFC2021 by the Commission to secure the transmission of data, in particular in relation to the use of the technical interface referred to in point 2.3.

3.5. Implementing and ensuring the effectiveness of the security measures adopted to protect the data stored and transmitted through SFC2021.

3.6. Updating and reviewing annually the SFC2021 IT security policy and the relevant national, regional and local IT security policies in the event of technological changes, the identification of new threats or other relevant developments.