Implemented security measures and control mechanisms

​​The establishing regulation of the Agency spells out a number of security measures that mandate the Security to develop the system-specific security plans, as well as the Agency business continuity and disaster recovery plans in order to ensure the continuous service of the Agency.

Security measures in practice: Exclusive ownership of Agency's encryption keys

The safety of eu-LISA's communication network requires the Agency's encryption keys never to be outsourced to any external entity. Therefore, the Security must assure that the cryptographic equipment will remain under the full operational management of the Agency.


The Agency receives also recommendations from an informal network composed by security experts from the Member States and the security experts present in the Advisory Groups. The fora where the security experts meet allow for an effective communication of the mutually beneficial security measures.

The application of the Commission security principles is the responsibility of the Security Officer, who is appointed by the Agency's Management Board. The Security Officer has, on the part of the accountability mechanism, the obligation to report to the Advisory Groups of the three systems, to the Management Board and to the Executive Director of the Agency on incidents and activities, and to the Council and the Commission on the functioning and the security of the systems.


eu-LISA operates a video surveillance system, monitoring its buildings and perimeter. The system is used for the safety and security of its buildings, assets, staff and visitors. The Agency's Video-surveillance Policy, designed in accordance with the European Data Protection Supervisor guidelines, describes the video-surveillance system, the principles for its use and the safeguards that the Agency implements to protect the personal data, privacy and other fundamental rights and legitimate interests of those persons and assets caught by the cameras.