CHAPTER 2 ORGANISATION AND RESPONSIBILITIES
Article 8 Commission departments
In relation to IT security in their department, each Head of Commission department shall:
- (1) formally appoint a system owner, who is an official or a temporary agent, for each CIS who will be responsible for IT security of that CIS and formally appoint a data owner for each data set handled in a CIS who should belong to the same administrative entity which is the Data Controller for data sets subject to Regulation (EC) No 45/2001;
- (2) formally designate a Local Informatics Security Officer (LISO) who can perform the responsibilities independently from system owners and data owners. A LISO can be designated for one or more Commission departments;
- (3) ensure that appropriate IT security risk assessments and IT security plans have been made and implemented;
- (4) ensure that a summary of IT security risks and measures is reported on a regular basis to the Directorate-General for Informatics;
- (5) ensure, with the support of the Directorate-General for Informatics, that appropriate processes, procedures and solutions are in place to ensure efficient detection, reporting and resolution of IT security incidents relating to their CISs;
- (6) launch an emergency procedure in case of IT security emergencies;
- (7) hold ultimate accountability for IT security including the responsibilities of the system owner and data owner;
- (8) own the risks relating to their CISs and data sets;
- (9) resolve any disagreements between data owners and system owners and in case of continued disagreement bring the issue before the ISSB for resolution;
- (10) ensure that IT security plans and IT security measures are implemented and the risks are adequately covered.
The processes related to these responsibilities and activities shall be further detailed in implementing rules.