protectus s.r.o., anciennement BONUL, s.r.o. v Výbor Národnej rady Slovenskej republiky na preskúmavanie rozhodnutí Národného bezpečnostného úradu.

• Jurisdiction: European Union
• Court: Court of Justice (European Union)
• ECLI: ECLI:EU:C:2024:657
• Docket Number: C-185/23
• Date: 29 July 2024

Provisional text

JUDGMENT OF THE COURT (Grand Chamber)

29 July 2024 (*)

(Reference for a preliminary ruling – Decision 2013/488/EU – Classified information – Facility Security Clearance – Withdrawal of the clearance – Non-disclosure of classified information on which the withdrawal was based – Article 47 of the Charter of Fundamental Rights of the European Union – Obligation to state reasons – Access to the file – Principle of an adversarial process – Article 51 of the Charter of Fundamental Rights – Implementation of EU law)

In Case C‑185/23,

REQUEST for a preliminary ruling under Article 267 TFEU from the Najvyšší správny súd Slovenskej republiky (Supreme Administrative Court of the Slovak Republic), made by decision of 28 February 2023, received at the Court on 22 March 2023, in the proceedings

protectus s. r. o., formerly BONUL s. r. o.

v

Výbor Národnej rady Slovenskej republiky na preskúmavanie rozhodnutí Národného bezpečnostného úradu,

THE COURT (Grand Chamber),

composed of K. Lenaerts, President, L. Bay Larsen (Rapporteur), Vice‑President, A. Prechal, K. Jürimäe, C. Lycourgos, T. von Danwitz, F. Biltgen, Z. Csehi and O. Spineanu‑Matei, Presidents of Chambers, J.‑C. Bonichot, S. Rodin, P.G. Xuereb, J. Passer, D. Gratsias and M. Gavalec, Judges,

Advocate General: J. Richard de la Tour,

Registrar: I. Illéssy, Administrator,

having regard to the written procedure and further to the hearing on 30 January 2024,

after considering the observations submitted on behalf of:

– protectus s. r. o., by M. Mandzák, M. Para et M. Pohovej, advokáti,

– the Výbor Národnej rady Slovenskej republiky na preskúmavanie rozhodnutí Národného bezpečnostného úradu, by L’. Mičinský, M. Nemky and M. Rafajová, advokáti,

– the Slovak Government, by E.V. Larišová, A. Lukáčik and S. Ondrášiková, acting as Agents,

– the Estonian Government, by M. Kriisa, acting as Agent,

– the French Government, by R. Bénard and O. Duprat‑Mazaré, acting as Agents,

– the Council of the European Union, by I. Demoulin, N. Glindová, J. Rurarz and T. Verdi, acting as Agents,

– the European Commission, by Ș. Ciubotaru, A.‑C. Simon, A. Tokár and P.J.O. Van Nuffel, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 16 May 2024,

gives the following

Judgment

1 This request for a preliminary ruling concerns the interpretation of Article 47 and Article 51(1) and (2) of the Charter of Fundamental Rights of the European Union (‘the Charter’).

2 The request has been made in proceedings between protectus s. r. o., formerly BONUL s. r. o., and the Výbor Národnej rady Slovenskej republiky na preskúmavanie rozhodnutí Národného bezpečnostného úradu (Committee of the National Parliament of the Slovak Republic for the Review of Decisions of the National Security Authority; ‘the Committee’) concerning the dismissal, by the latter, of the appeal lodged by protectus against the decision of the Národný bezpečnostný úrad (National Security Authority, Slovakia; ‘the NBÚ’) to revoke the industrial security clearance and to withdraw the industrial security certificate formerly held by protectus.

Legal context

European Union law

3 Recital 3 of Council Decision 2013/488/EU of 23 September 2013 on the security rules for protecting EU classified information (OJ 2013 L 274, p. 1) states:

‘In accordance with national laws and regulations and to the extent required for the functioning of the Council [of the European Union], the Member States should respect this Decision where their competent authorities, personnel or contractors handle [EU classified information (“EUCI”)], in order that each may be assured that an equivalent level of protection is afforded to EUCI.’

4 Article 1(1) and (2) of that decision provides:

‘1. This Decision lays down the basic principles and minimum standards of security for protecting EUCI.

2. These basic principles and minimum standards shall apply to the Council and the [General Secretariat of the Council (“GSC”)] and be respected by the Member States in accordance with their respective national laws and regulations, in order that each may be assured that an equivalent level of protection is afforded to EUCI.’

5 Article 11(2), (5) and (7) of that decision provides:

‘2. The GSC may entrust by contract tasks involving or entailing access to or the handling or storage of EUCI by industrial or other entities registered in a Member State …

…

5. [The National Security Authority (NSA), the Designated Security Authority (DSA)] or any other competent security authority of each Member State shall ensure, in accordance with national laws and regulations, that contractors or subcontractors registered in the respective Member State participating in classified contracts or sub-contracts which require access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET within their facilities, either in the performance of such contracts or during the pre-contractual stage, hold a Facility Security Clearance (FSC) at the relevant classification level.

…

7. Provisions for implementing this Article are set out in Annex V.’

6 Article 15(3)(a) to (c) of that decision states:

‘Member States shall take all appropriate measures, in accordance with their respective national laws and regulations, to ensure that when EUCI is handled or stored, this Decision is respected by:

(a) personnel of Member States’ Permanent Representations to the European Union, and national delegates attending meetings of the Council or of its preparatory bodies, or participating in other Council activities;

(b) other personnel in Member States’ national administrations, including personnel seconded to those administrations, whether they serve on the territory of the Member States or abroad;

(c) other persons in the Member States duly authorised by virtue of their functions to have access to EUCI …’

7 Article 16(3)(a)(i) of Decision 2013/488 is worded as follows:

‘For the purposes of implementing Article 15(3), Member States should:

(a) designate an NSA … responsible for security arrangements for protecting EUCI in order that:

(i) EUCI held by any national department, body or agency, public or private, at home or abroad, is protected in accordance with this Decision’.

8 Annex V to that decision, entitled ‘Industrial security’, provides, in points 8 to 13 thereof:

‘8. An FSC shall be granted by the NSA or DSA or any other competent security authority of a Member State to indicate, in accordance with national laws and regulations, that an industrial or other entity can protect EUCI at the appropriate classification level (CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET) within its facilities. It shall be presented to the GSC, as the contracting authority, before a contractor or subcontractor or potential contractor or subcontractor may be provided with or granted access to EUCI.

9. When issuing an FSC, the relevant NSA or DSA shall, as a minimum:

(a) evaluate the integrity of the industrial or other entity;

(b) evaluate ownership, control, or the potential for undue influence that may be considered a security risk;

(c) verify that the industrial or any other entity has established a security system at the facility which covers all appropriate security measures necessary for the protection of information or material classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET in accordance with the requirements laid down in this Decision;

(d) verify that the personnel security status of management, owners and employees who are required to have access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET has been established in accordance with the requirements laid down in this Decision; and

(e) verify that the industrial or any other entity has appointed a Facility Security Officer who is responsible to its management for enforcing the security obligations within such an entity.

10. Where relevant, the GSC, as the contracting authority, shall notify the appropriate NSA/DSA or any other competent security authority that an FSC is required in the pre-contractual stage or for performing the contract. An FSC … shall be required in the pre-contractual stage where EUCI classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET has to be provided in the course of the bidding process.

11. The contracting authority shall not award a classified contract with a preferred bidder before having received confirmation from the NSA/DSA or any other competent security authority of the Member State in which the contractor or subcontractor concerned is registered that, where required, an appropriate FSC has been issued.

12. The NSA/DSA or any other competent security authority which has issued an FSC shall notify the GSC as contracting authority about changes affecting the FSC. In the case of a sub-contract, the NSA/DSA or any other competent security authority shall be informed accordingly.

13. Withdrawal of an FSC by the relevant NSA/DSA or any other competent security authority shall constitute sufficient grounds for the GSC, as the contracting authority, to terminate a classified contract or exclude a bidder from the competition.’

Slovak law

9 Paragraph 46 of Zákon č. 215/2004 Z. z. o ochrane utajovaných skutočností a o zmene a doplnení niektorých zákonov (Law No 215/2004 on the protection of classified information and amending certain laws) of 11 March 2004, in the version applicable to the dispute in the main proceedings (‘Law No 215/2004’), provides:

‘A contractor’s industrial security clearance can be issued solely to a contractor who is …

(c) reliable in terms of security …’

10 Paragraph 49(1) and (2)(a) and (b) of that law states:

‘(1) A contractor in respect of whom a security risk has been identified shall not be considered reliable in terms of security.

(2) The following shall be considered a security risk:

(a) any conduct contrary to the interests of the Slovak Republic in the field of State...