CHAPTER VIIU.K.SECURITY REQUIREMENTS, AUTHENTICATION AND ACCESS RIGHTS
Article 78U.K.Security requirements
Each registry and the CITL shall comply with the security requirements set out in the Data Exchange Format referred to in Article 9.
Article 79U.K.Authentication
1.The identity of each registry and the CITL shall be authenticated using digital certificates and usernames and passwords as indicated in the Data Exchange Format referred to in Article 9.
2.Chapter VI registries shall be authenticated to the CITL through the Community registry using digital certificates and usernames and passwords as specified in the Data Exchange Format referred to in Article 9.
3.The Commission, or an entity designated by it, shall act as the certification authority for all digital certificates referred to under paragraph 1 used for the purposes of establishing the direct communication link referred to in Article 6 and shall distribute the usernames and passwords.
4.The Member States and the Community shall use the digital certificates issued by the Secretariat to the UNFCCC, or an entity designated by it, to authenticate their registries to the ITL for the purposes of establishing the indirect communication link referred to in Article 7.
5.Chapter VI registries shall be authenticated to the ITL through the Community registry with the digital certificates issued by the Secretariat to the UNFCCC, or an entity designated by it.
Article 80U.K.Access to registries
1.An authorised representative shall only have access to the accounts within a registry which he is authorised to access and shall only be able to request the initiation of processes which he is authorised to request pursuant to Article 19.
2.That access or request shall take place through a secure area of the website for that registry.
3.The registry administrator shall issue each authorised representative with a username and password to permit the level of access to accounts or processes to which he is authorised. Registry administrators may apply additional or more stringent security requirements if they are compatible with the provisions of this Regulation.
4.The registry administrator may assume that a user who has entered a matching username and password is the authorised representative registered under that username and password, unless the authorised representative informs the registry administrator that the security of his password has been compromised and requests a replacement.
5.The registry administrator shall issue such replacement passwords without undue delay.
6.The registry administrator shall ensure that the secure area of the registry website is accessible to any computer using a widely available Internet browser. Communications between the authorised representatives and the secure area of the registry website shall be encrypted in accordance with the security requirements described in the Data Exchange Format referred to in Article 9.
7.The registry administrator shall take all necessary steps to ensure that unauthorised access to the secure area of the registry website does not occur.
Article 81U.K.Suspension of access to accounts
1.The Central Administrator and each registry administrator may only suspend an authorised representative's password to accounts or processes to which that authorised representative would otherwise have access if the authorised representative has, or that administrator has reasonable grounds to believe the authorised representative has:
(a)attempted to access accounts or processes which he is not authorised to access;
(b)repeatedly attempted to access an account or a process using a non-matching username and password; or
(c)attempted, or is attempting, to undermine the security of the registry or the registries system.
2.Where access to an operator holding account has been suspended pursuant to paragraph 1 between 28 April and 30 April, the registry administrator shall, if so requested by the account holder and following submission of his authorised representative's identity by means of supporting evidence, surrender the number of allowances and ERUs and CERs specified by the account holder using the allowance surrender process and the surrender of CERs and ERUs process.