Regulation (EC) No 683/2008 of the European Parliament and of the Council of 9 July 2008 on the further implementation of the European satellite navigation programmes (EGNOS and Galileo) (3) provides in the Annex thereto that the specific objectives of the Galileo programme are to ensure that the signals emitted by the system established under that programme can be used in particular to offer a public regulated service (‧PRS‧) restricted to government-authorised users, for sensitive applications which require effective access control and a high level of service continuity.
(2)
While relevant provisions of Regulation (EC) No 683/2008 also apply to the services, including the PRS, listed in the Annex thereto, considering the inter-linkage between the system established under the Galileo programme and the PRS from a legal, technical, operational, financial and ownership perspective, it is appropriate to reproduce the relevant rules on the application of security regulations for the purpose of this Decision.
(3)
The European Parliament and the Council have recalled on several occasions that the system established under the Galileo programme is a civilian system under civilian control, that is, it was created in accordance with civilian standards based on civilian requirements and under the control of the Union institutions.
(4)
The Galileo programme is of strategic importance for the independence of the Union in terms of satellite navigation, positioning and timing services and offers an important contribution to the implementation of the ‧Europe 2020‧ strategy for smart, sustainable and inclusive growth.
(5)
Of the various services offered by European satellite navigation systems, the PRS is both the most secure and the most sensitive and is therefore suitable for services where robustness and complete reliability must be ensured. It must ensure service continuity for its participants, even in the most serious crisis situations. The consequences of infringing the security rules when using this service are not restricted to the user concerned, but could potentially extend to other users. Use and management of the PRS is therefore the joint responsibility of Member States in order to protect the security of the Union and their own security. Consequently, access to the PRS must be strictly limited to certain categories of user which are subject to continuous monitoring.
(6)
It is therefore necessary to define the rules for access to the PRS and the rules for managing it, in particular by specifying the general principles relating to access, the functions of the various management and supervisory bodies, the conditions relating to receiver manufacturing and security, and the export monitoring system.
(7)
With regard to the general principles of access to the PRS, given the actual purpose of the service and its characteristics, its use must be strictly limited, with Member States, the Council, the Commission and the European External Action Service (‧EEAS‧) being granted discretionary, unlimited and uninterrupted access worldwide. Furthermore, each Member State must be in a position to take its own sovereign decision on which PRS users to authorise and which uses may be made of the PRS, including uses relating to security, in accordance with the common minimum standards.
(8)
In order to promote the use of European technology worldwide, it should be possible for certain third countries and international organisations to become PRS participants through separate agreements concluded with them. For secure government satellite radio-navigation applications, the terms and conditions under which third countries and international organisations may use the PRS should be laid down in international agreements, it being understood that compliance with security requirements should always be compulsory. In the context of such agreements, it should be possible to allow the manufacturing of PRS receivers under specific conditions and requirements, provided that these are of a level that is at least equivalent to the conditions and requirements applying to Member States. However, such agreements should not include particularly security-sensitive matters such as the manufacturing of security modules.
(9)
Agreements with third countries or international organisations should be negotiated taking full account of the importance of ensuring respect for democracy, the rule of law, the universality and indivisibility of human rights and fundamental freedoms, and freedom of thought, conscience and religion, as well as freedom of expression and information, human dignity, the principles of equality and solidarity, and respect for the principles of the United Nations Charter and international law.
(10)
The security regulations of the European Space Agency should offer a degree of protection at least equivalent to that provided by the rules on security set out in the Annex to Commission Decision 2001/844/EC, ECSC, Euratom (4) and by Council Decision 2011/292/EU of 31 March 2011 on the security rules for protecting EU classified information (5).
(11)
The Union and the Member States must do their utmost to ensure that both the system established under the Galileo programme and PRS technology and equipment are safe and secure, to prevent signals emitted for the PRS from being used by non-authorised natural or legal persons, and to prevent any hostile use of the PRS against them.
(12)
It is important in this connection that Member States determine the system of penalties applicable in the event of non-compliance with the obligations stemming from this Decision, and that they ensure that those penalties are applied. The penalties must be effective, proportionate and dissuasive.
(13)
In the case of management and supervisory bodies, the arrangement whereby PRS participants designate a ‧competent PRS authority‧ responsible for managing and supervising users would appear to be the best way of effectively managing PRS use, by facilitating relations between the various stakeholders responsible for security and ensuring permanent supervision of users, in particular national users, in compliance with the common minimum standards. However, there should be flexibility in order to allow Member States to organise the responsibilities efficiently.
(14)
In the implementation of this Decision, any processing of personal data should be carried out in accordance with Union law, as set out, in particular, in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (6) and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (7).
(15)
Furthermore, one of the tasks of the Galileo Security Centre (the ‧Galileo Security Monitoring Centre‧ or the ‧GSMC‧) referred to in Article 16(a)(ii) of Regulation (EC) No 683/2008 should be to provide an operational interface between the various stakeholders responsible for the security of the PRS.
(16)
The Council and the High Representative of the Union for Foreign Affairs and Security Policy should play a role in managing the PRS, through the application of Council Joint Action 2004/552/CFSP of 12 July 2004 on aspects of the operation of the European satellite radio-navigation system affecting the security of the European Union (8). The Council should approve international agreements authorising a third country or an international organisation to use the PRS.
(17)
With regard to receiver manufacturing and security, security requirements make it necessary for this task to be entrusted only to a Member State which has designated a competent PRS authority or to undertakings established on the territory of a Member State which has designated a competent PRS authority. Furthermore, the receiver manufacturer must have been duly authorised by the Security Accreditation Board for European GNSS systems established by Regulation (EU) No 912/2010 of the European Parliament and of the Council (9) (the ‧Security Accreditation Board‧) and must comply with its decisions. It is the responsibility of the competent PRS authorities to continuously monitor compliance both with that authorisation requirement and those decisions and with specific technical requirements stemming from the common minimum standards.
(18)
A Member State which has not designated a competent PRS authority should in any event designate a point of contact for the management of any detected harmful electromagnetic interference affecting the PRS. That point of contact should be a natural or legal person that has the role of reporting point, or an address, which the Commission can contact in the event of potentially harmful electromagnetic interference in order to remedy such interference.
(19)
With regard to export restrictions, exports outside the Union of equipment or technology and software relating to PRS use and relating to the development of and manufacturing for the PRS, regardless of whether that equipment, software or technology is listed in Annex I to Council Regulation (EC) No 428/2009 of 5 May 2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items (10), must be restricted to those third countries which are duly authorised to access the PRS under an international agreement with the Union. A third country on whose territory a reference station housing PRS equipment and forming part of the system established under the Galileo programme is installed is not to be considered to be a PRS participant merely by virtue of that fact.
(20)
The power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of the common minimum standards in the areas set out in the Annex and, if necessary, to update and amend it in order to take into account the developments in the Galileo programme. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.
(21)
In the light of their potential impact on the security of the system established under the Galileo programme, the Union and its Member States, both individually and collectively, it is essential that common rules concerning access to the PRS and manufacturing PRS receivers and security modules be applied uniformly in each Member State. It is therefore necessary that the Commission be empowered to adopt detailed requirements, guidelines and other measures in order to give effect to the common minimum standards. In order to ensure uniform conditions for the implementation of this Decision, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission's exercise of implementing powers (11).
(22)
The audits and inspections to be carried out by the Commission with the assistance of the Member States should, as appropriate, be carried out in a manner similar to that provided for in Part VII of Annex III to Decision 2011/292/EU.
(23)
Rules for access to the PRS offered by the system established under the Galileo programme are a prerequisite for the implementation of the PRS. The Commission should analyse whether a charging policy for the PRS should be put in place, including with regard to third countries and international organisations, and report to the European Parliament and the Council on the outcome of that analysis.
(24)
Since the objective of this Decision — namely, to lay down the rules under which the Member States, the Council, the Commission, the EEAS, Union agencies, third countries and international organisations may access the PRS — cannot be sufficiently achieved by the Member States and can therefore, by reason of the scale of the proposed action, be better achieved at the level of the Union, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Decision does not go beyond what is necessary in order to achieve that objective.
(25)
As soon as the PRS is declared operational, a reporting and review mechanism should be set in place,