Over the past years, the EU-ETS has been confronted with fraud and theft of emission units. Several measures have been taken to prevent future theft or fraud in the registry: the IT security of the Union Registry has been strengthened, international emission trading is closely watched by law enforcement and tax authorities, and the requirements to open a user account have been tightened considerably.
Like any other similar IT system (e.g. a banking application), the registry requires its users to take several measures and precautions when accessing it. The common minimum security requirements are the following:
- The Operating System (OS) and other software installed on the machine should be updated with the latest security patches released by their vendor.
- The mobile Operating System (mobile OS) on which the Soft token mobile app is installed should be updated with the latest security patches released by its vendor.
- The Soft token mobile app should always be updated to the latest version available in the relevant (Google or Apple) application store.
Administrators' privileges restriction
- Administrator accounts should be used only by trusted people and only to install programs authorised by their organisation (see point 6 below). In general, the machine should be as well protected as possible.
- To connect to the Union Registry and to the Internet, users shall use a machine on which they log in as a "user", never as an "administrator".
Antimalware / Antivirus policy
- Users are obliged to use anti-virus and firewall software and to update them regularly, at least on a weekly basis.
- A full, in-depth scan for viruses and spyware shall be configured to run automatically at least every two weeks, using up-to-date antivirus and anti-malware software.
- Computers shall have a lock screen configured so that the workstation is locked after no more than 15 minutes of inactivity. A policy of never leaving a computer unattended without locking the screen shall also apply; together these ensure that the screen is always locked when the user is away from their desk.
Removable media control
- Users should connect to their PC only USB devices provided or authorised by their organisation.
- Computers shall be configured to deactivate their USB ports. At a minimum, they shall monitor and log the connection of any non-authorised USB device.
Application White Listing
- It is recommended that an exhaustive list of authorised software installed on users' computers be defined.
- It is recommended that administrators make sure, by monitoring or scanning, that no other software is installed on users' computers.
- It is recommended that any unauthorised software be removed.
Audit and Logging
- External access and computer access events should be logged and analysed frequently by the administrators. Every anomaly, however minor, should lead to an investigation.
Secure Internet Connection
- Any use of the Registry shall be done through a secure Internet connection.
- The secure connection shall include logical (firewall-based) protection between the internal network where the user's computer is located and the Internet, including an Intrusion Detection System at both the network and the host (HIDS) level, and an antivirus capability.
- The secure Internet connection shall restrict access to the Internet using whitelisting/blacklisting functionality.
- Users shall be trained to use the Union Registry and shall have been made aware of information security issues.
- The users shall avoid sharing the computer used to connect to the Union Registry with other people.
- Links in emails to access the Union Registry shall never be used.
- The Commission, the Central Administrator, the National Administrator or the National Administration Helpdesk will never ask users for their password and/or for any kind of software.
- Users shall avoid opening e-mail attachments that do not come from the Union Registry and, if absolutely necessary, open them only after careful consideration of their source and content; they shall never open attachments whose filename has (in Microsoft Windows, for example) a .com, .bat, .vbs, .wsh or .exe extension.
- If the users have any cause for suspicion regarding received emails, they shall contact the national administration Helpdesk.
- On the devices on which the Soft token mobile app is installed, users shall abide by the rules of security and mobile device hygiene described in Chapter XX of the General Terms and Conditions of the EU Login mobile app.
- The Registry helpdesk sends all emails from firstname.lastname@example.org.
- If the users have any cause for suspicion, they shall immediately contact the national administration Helpdesk.
- National administration Helpdesk contact:
- Email: email@example.com
- Phone: +32 (0) 2 524 96 32 on working days 10h-12h CET & 14h-16h CET.
Users computer configuration
- Computers shall be configured so that the "auto log-in" function is not used: after the OS boots or the software starts, the log-in password for the service should always be requested.
- Browsers shall be configured so that credentials are not stored by the browser and all temporarily stored navigation information (such as history, passwords and cookies) is automatically deleted when the browser is closed.
- Booting from CD/DVD and/or USB devices shall be avoided (via BIOS configuration). Users must not be able to access the BIOS set-up utility; it shall be locked with a strong password that is different from the log-in password.
- Computers used to connect to the Union Registry shall be configured so that no resources can be shared with external entities outside the end user's organisation (e.g. using file-sharing software such as BitTorrent).
- Computers shall be configured so that users connect to the Internet with restricted rights, not "administrator" privileges. Users must not be able to install software using the account with which they connect to the Internet and the Union Registry.
Union Registry usage
- The password for logging in to the Union Registry is strictly personal. Any action in the Union Registry performed with a given e-mail address and password is deemed to be the liability of the user of that e-mail address and password.
- All authorised users of the Union Registry shall ensure that their e-mail address, password and SMS one-time login codes do not become known to other people, including other account holders in the Union Registry. National Administrators or the helpdesk may only ask users to communicate their e-mail address by phone, but neither the Commission nor National Administrators will ever ask end users to communicate their password.
- To access the Union Registry website, it is recommended to always type the address directly into the address bar of the browser. For the Union Registry, this is https://unionregistry.ec.europa.eu/euregistry/BE/index.xhtml. If users do not type the address, then each time they connect they shall check that the connection uses SSL ("https" and not "http" appears in the browser's address bar) and that the SSL certificate shown when clicking on the lock icon of the browser:
- Is issued by "GlobalSign Extended Validation CA – SHA 256 – G2" to "*.unionregistry.ec.europa.eu",
- Is valid until 14 September 2021 and
- has the following fingerprint (SHA-256 algorithm value): "51:47:E6:75:E6:81:8C:B5:86:61:3E:82:E0:DE:4E:00:47:EA:80:E1:49:96:C1:D4:89:5A:81:98:52:9E:E9:20"
- When leaving their computer, the users shall log out of the Union Registry so that unauthorised persons cannot gain access to their account in the Union Registry.
- Users shall take reasonable precautions to prevent unauthorised use of the mobile devices whose numbers are used in Registry communication.
- The mobile device that receives the SMS one-time login codes and/or on which the Soft token mobile app is installed must not be used for transactions on the Internet at the same time.
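As an added example that is not part of this guidance, the following Python script performs the three manual certificate checks listed under "Union Registry usage" (issuer, validity date, SHA-256 fingerprint) against the values quoted above, using only the standard library. The pinned values describe the certificate valid until 14 September 2021, so a renewed certificate served by the site today will (correctly) fail the fingerprint comparison; the host name and the fingerprint format are taken from the guidance, everything else is assumed.

```python
import hashlib
import socket
import ssl
import time

REGISTRY_HOST = "unionregistry.ec.europa.eu"
# Pinned values quoted in the guidance (certificate valid until 14 September 2021).
EXPECTED_ISSUER = "GlobalSign Extended Validation CA - SHA 256 - G2"
EXPECTED_FINGERPRINT = ("51:47:E6:75:E6:81:8C:B5:86:61:3E:82:E0:DE:4E:00:"
                        "47:EA:80:E1:49:96:C1:D4:89:5A:81:98:52:9E:E9:20")


def sha256_fingerprint(der_cert: bytes) -> str:
    """Colon-separated upper-case SHA-256 digest of the DER certificate, the
    format browsers show in the lock-icon certificate viewer."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _loose(value: str) -> str:
    """Ignore case, spaces, colons and dashes so a value copied from the guidance
    or from a certificate viewer compares equal regardless of formatting."""
    return "".join(ch for ch in value if ch.isalnum()).lower()


def check_certificate(der_cert: bytes, issuer_cn: str, not_after: str, now_epoch=None) -> dict:
    """Outcome of the three manual checks; not_after is the 'Sep 14 12:00:00 2021 GMT'
    string that ssl.getpeercert() returns under 'notAfter'."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    return {
        "fingerprint_ok": _loose(sha256_fingerprint(der_cert)) == _loose(EXPECTED_FINGERPRINT),
        "issuer_ok": _loose(issuer_cn) == _loose(EXPECTED_ISSUER),
        "not_expired": now_epoch <= ssl.cert_time_to_seconds(not_after),
    }


def fetch_live_certificate(host: str = REGISTRY_HOST, port: int = 443):
    """Connect with normal chain and hostname validation; return the DER bytes,
    issuer common name and notAfter string that check_certificate() expects."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der, info = tls.getpeercert(binary_form=True), tls.getpeercert()
    issuer_cn = next(v for rdn in info["issuer"] for k, v in rdn if k == "commonName")
    return der, issuer_cn, info["notAfter"]


if __name__ == "__main__":  # needs network access; a renewed certificate fails the fingerprint check
    for name, ok in check_certificate(*fetch_live_certificate()).items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
```

A MISMATCH on any of the three lines is the signal the guidance wants users to notice before entering their credentials.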