
Article 1 
The technical specifications referred to in Article 11(5) of Regulation (EU) 2019/788 shall be as set out in the Annex to this Regulation.
Article 2 

1. Organisers shall ensure that their individual online collection system complies with the technical specifications set out in the Annex throughout the collection period.
2. The organisers shall notify without undue delay to the competent authority of the Member State referred to in Article 11(3) of Regulation (EU) 2019/788, changes which are introduced in the system or in the supporting organisational measures after the system has been certified by that authority, when those changes may impact the assessment underlying the certification. Before doing so, the organisers may seek the advice of the competent authority as to whether the change may have such an impact.
Article 3 
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
It shall apply from 1 January 2020.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 22 October 2019.
For the Commission
The President
Jean-Claude JUNCKER
ANNEX
1. The system shall implement technical measures to ensure that only natural persons can submit statements of support. The technical measures shall not require that more personal data is collected and stored than the data listed in Annex III to Regulation (EU) 2019/788.

2. Organisers shall put in place adequate and effective technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations, to ensure that the information provided on the initiative in the online collection system and as presented online to the public corresponds to the information published on the initiative in the register that is referred to in Article 6(5) of Regulation (EU) 2019/788.

Organisers shall make sure that:

(a) the information provided on the initiative in the online collection system corresponds to the information published in the register;
(b) the system presents the information on the initiative published in the register before the citizen submits the statement of support;
(c) security measures are in place to ensure that the data entry fields in the statements of support are presented together with the information on the initiative, in order to prevent the risk that statements of support are submitted on a different initiative through a misrepresentation of the initiative;
(d) the system ensures that after the submission the data in the statements of support are saved together with the information on the initiative;
(e) security measures are in place to prevent that unauthorised changes can be made to the information provided on the initiative in the online collection system.

3. The system shall ensure that statements of support are submitted in accordance with the data fields in Annex III to Regulation (EU) 2019/788.

The system shall ensure that a person can only submit a statement of support after having confirmed that it has read the privacy statement of Annex III to Regulation (EU) 2019/788.

4.
4.1.
4.1.1. The group of organisers shall nominate a security officer who shall be responsible for the security of the system and the secure transmission of the collected statements of support to the competent authority of the responsible Member State. The security officer shall oversee the information assurance processes and the technical and organisational security measures to ensure the secure collection, storage and transmission of the data provided by signatories.
4.1.2. Organisers may ask the national competent authority referred to in Article 11(3) of Regulation (EU) 2019/788 to provide the applicable security rules and requirements for the certification of individual online collection systems. The competent authority shall provide the security rules and requirements, as a rule within one month of having received the request. The applicable security rules and requirements shall be in line with existing appropriate national or international security standards.
4.1.3. The security rules and requirements for the certification of the system shall address the risks defined in section 4.2 and have regard to the specifications in section 4.3.
4.2.
4.2.1. The risk management process shall focus particularly on the risks related to the confidentiality and integrity of the information in the system. These risks can be the result of threats, including:

(a) user errors;
(b) system/security administrator errors;
(c) configuration errors;
(d) malware infection;
(e) accidental alteration of information;
(f) information disclosure or leaks;
(g) software vulnerabilities;
(h) unauthorised access;
(i) interception or eavesdropping of traffic;
(j) data protection risks.
4.2.2.

(a) have assessed the risks of the system;
(b) have determined appropriate measures to prevent and mitigate the impact of incidents affecting the security of the system;
(c) have identified the residual risks;
(d) have implemented the measures and verified their implementation;
(e) have provided the organisational means to receive information on new threats and security improvements;
(f) comply throughout the collection process with the certification requirements laid down in Article 11(4) of Regulation (EU) 2019/788, including having in place the necessary processes to ensure this.
4.2.3.

(a) human resource security;
(b) access control;
(c) cryptographic controls;
(d) physical and environmental security;
(e) operations security;
(f) communications security;
(g) system acquisition, development and maintenance;
(h) information security incident management;
(i) compliance.

Application of these security measures may be limited to the parts of the organisation that are relevant for the online collection system. For instance, human resources security may be limited to any staff that has physical or logical access to the online collection system, and physical/environmental security may be limited to the building(s) hosting the system.
4.2.4. Where organisers make use of a processor for the development or deployment of the online collection systems or parts thereof, the organisers shall provide documentation to allow the certifying authority to ascertain that the necessary security controls are in place.
4.3. The system shall provide for the following encryption of data:

(a) personal data in electronic format shall be encrypted when stored or transferred to the competent authorities of the Member States in accordance with Regulation (EU) 2019/788, the keys being managed and backed up separately;
(b) adequate standard algorithms and adequate keys shall be used in line with international standards (such as the ETSI standard). Key management shall be in place;
(c) all keys and passwords shall be protected from unauthorised access.
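One way a collection system could meet points 2(d), 2(e) and 4.3(a) of the Annex together, as an added Go example that is not part of the Regulation or of any certified system: the personal data of each statement of support is encrypted with AES-256-GCM under a key held apart from the record store, and the initiative information saved with the record is bound as authenticated associated data, so a later change to that information, or re-use of the record under a different initiative, is detected when the record is read. The `Initiative` fields and the record layout are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
)

// Initiative is the information on the initiative as published in the register (Article 6(5));
// the two fields are an assumption for this example.
type Initiative struct{ RegistrationNumber, Title string }

// Record is one stored statement of support: the encrypted personal data is kept together
// with the initiative information it was submitted for (section 2(d) of the Annex).
type Record struct {
	Initiative        Initiative
	Nonce, Ciphertext []byte
}

// aad serialises the initiative deterministically (fixed field order) for use as associated data.
func aad(init Initiative) []byte { b, _ := json.Marshal(init); return b }

// Store wraps the AES-256-GCM cipher. The key is supplied from a key store kept apart from
// the record store and is never written next to the records (section 4.3(a)).
type Store struct{ gcm cipher.AEAD }

func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key) // accepts 16, 24 or 32 bytes; pass 32 bytes for AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // cannot fail for an AES block; err is still returned
	return &Store{gcm}, err
}

// Seal encrypts one statement under a fresh random nonce. The initiative information stays
// readable but is authenticated, so the record cannot later pass as a statement for another initiative.
func (s *Store) Seal(init Initiative, statement []byte) (Record, error) {
	nonce := make([]byte, s.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{init, nonce, s.gcm.Seal(nil, nonce, statement, aad(init))}, nil
}

// Open returns the personal data, or an error if the ciphertext or the saved initiative information was altered (section 2(e)).
func (s *Store) Open(r Record) ([]byte, error) {
	return s.gcm.Open(nil, r.Nonce, r.Ciphertext, aad(r.Initiative))
}
```

Because the check happens on every read, a record whose initiative title or registration number was edited in the database, or whose ciphertext was copied under another initiative, is rejected rather than counted.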
