23.3.2005   

EN

Official Journal of the European Union

L 77/6


COMMISSION REGULATION (EC) No 465/2005

of 22 March 2005

amending Regulation (EC) No 1663/95 laying down detailed rules for the application of Council Regulation (EEC) No 729/70 regarding the procedure for the clearance of the accounts of the EAGGF Guarantee Section

THE COMMISSION OF THE EUROPEAN COMMUNITIES,

Having regard to the Treaty establishing the European Community,

Having regard to Council Regulation (EC) No 1258/1999 of 17 May 1999 on the financing of the common agricultural policy (1), and in particular Article 4(8) thereof,

Whereas:

(1) Commission Regulation (EC) No 1663/95 (2) provides in particular for guidelines for criteria for accreditation of the paying agencies of the Member States.

(2) The responsibility for checking the European Agricultural Guidance and Guarantee Fund (EAGGF) Guarantee Section expenditure lies in the first place with the Member States. In carrying out this task, Member States must ensure that a high level of security is attained in the paying agencies’ information systems. To this end, procedures for ensuring the security of information systems should be in place when a paying agency is first accredited and afterwards.

(3) During the clearance of the accounts, the Commission is able to determine the total expenditure to be entered against the Guarantee Section in the general account only if it has satisfactory assurance that national controls are adequate and transparent, including those regarding the security of the paying agencies’ information systems. Provision should therefore be made for a security statement to be drawn up by the certifying bodies in the framework of the attestation on annual accounts on the basis of internationally accepted security standards.

(4) A reasonable period of time should be afforded to Member States to adapt internal rules and procedures for providing a security statement for the paying agencies’ information systems.

(5) Provision should be made for the paying agencies to send to the Commission the accounts and all related documents in an electronic format, in order to facilitate further analysis of that information.

(6) The practice of delegating information systems management to third parties is becoming increasingly common and paying agencies should be allowed to provide for such delegations under the same conditions as the authorisation function and/or the technical service may be delegated.

(7) Regulation (EC) No 1663/95 should therefore be amended accordingly.

(8) The measures provided for in this Regulation are in accordance with the opinion of the Fund Committee.

HAS ADOPTED THIS REGULATION:

Article 1

Regulation (EC) No 1663/95 is amended as follows:

1. Article 1 is amended as follows:

(a) In the second phrase of the second subparagraph of paragraph 3, the terms ‘the security of computer systems’ are replaced by the terms ‘the security of information system’.

(b) In the first subparagraph of paragraph 7, the following indent is added:

‘— the provisions concerning the security of information systems’.

2. In Article 3(1), the following subparagraphs are added:

‘As of financial year 2008 at the latest, the certifying body shall further provide, before the date referred to in the third subparagraph, a statement as to the information systems security measures put in place by the paying agency. The statement shall be based on a version applicable in the financial year concerned of the chosen internationally accepted security standards referred to in point 6(vi) of the Annex to this Regulation, serving as the basis for the security measures, and shall indicate whether, for the financial year concerned, effective security measures were in place.

For the financial years preceding that for which the first statement on the security of the paying agency’s information systems is drawn up, the certifying body shall, in its report of its findings, include comments and provisional conclusions, using a scoring mechanism, as to the information systems security measures put in place by the paying agency. The report shall be based on a version applicable in the financial year concerned of the chosen internationally accepted security standards referred to in point 6(vi) of the Annex to the present Regulation, serving as the basis for the security measures, and shall indicate as to what extent, for the financial year concerned, effective security measures were in place’.

3. Article 4(2) is replaced by the following:

‘2.   The documents and the accounting information referred to in paragraph 1 shall be sent to the Commission by 10 February of the year following the end of the financial year which it concerns. The documents referred to in points (a) and (b) of paragraph 1 shall be sent in one copy together with an electronic copy’.

4. The Annex is amended in accordance with the Annex to this Regulation.

Article 2

This Regulation shall enter into force on the seventh day following that of its publication in the Official Journal of the European Union.

It shall apply for the first time in respect of the financial year beginning 16 October 2004.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 22 March 2005.

For the Commission

Mariann FISCHER BOEL

Member of the Commission


(1)  OJ L 160, 26.6.1999, p. 103.

(2)  OJ L 158, 8.7.1995, p. 6. Regulation as last amended by Regulation (EC) No 2025/2001 (OJ L 274, 17.10.2001, p. 3).


ANNEX

The Annex to Regulation (EC) No 1663/95 is amended as follows:

1. Point 2(iii) is replaced by the following:

‘(iii) Accounting for payment: the objective of this function is the recording of the payment in the agency’s separate books of account of EAGGF expenditure, which will normally be in the form of an information system, and the preparation of periodic summaries of expenditure, including the monthly and annual declarations to the Commission. The books of account also record the assets financed by the Fund, in particular concerning intervention stocks, uncleared advances and debtors.’

2. In the introductory phrase of point 4, the terms ‘and/or the technical service’ are replaced by the terms ‘, technical service, and/or information systems management’.

3. Point 6(vi) is replaced by the following:

‘(vi) Information systems security shall be based on the criteria laid down in a version applicable in the financial year concerned of one of the following internationally accepted standards:

International Standards Organisation 17799/British Standard 7799: Code of practice for Information Security Management (BS ISO/IEC 17799),

Bundesamt für Sicherheit in der Informationstechnik: IT-Grundschutzhandbuch/IT Baseline Protection Manual (BSI),

Information Systems Audit and Control Foundation: Control Objectives for Information and related Technology (COBIT).

The paying agency shall choose one of the international standards referred to in the first subparagraph as the basis for its information systems security.

Security measures should be adapted to the administrative structure, staffing and technological environment of each individual paying agency. The financial and technological effort should be in proportion to the actual risks presented.’