We are one of the few entities accepted by the European Commission that can conduct and report security audits of information processed as part of maintaining the repository of the primary Track & Trace (T&T) System by manufacturers and importers of tobacco products.

​

Track & Trace System

The Track and Trace (T&T) System for tobacco products in the European Union was introduced to combat the illicit tobacco trade, which poses a serious threat to both public health and the economies of the Member States. The aim of the system is to ensure a high level of transparency and control over the flow of tobacco products from producer to consumer, which makes it possible to effectively combat illicit tobacco trade and product counterfeiting.

Legal basis

The legal basis for the T&T System is the Tobacco Products Directive (2014/40/EU), which was adopted by the European Parliament and the Council of the European Union. This directive obliges Member States to implement a track and trace system for tobacco products in order to limit access to illicit products on the European market. The implementation of the T&T System in the European Union began in May 2019.

How does the T&T system work?

The Track and Trace System works on the principle of unique identifiers that are assigned to each package of tobacco products at the production stage. These identifiers contain a number of information, such as: date and place of production, place of destination, as well as detailed data on the transport and distribution of the product. This makes it possible to trace each package from the moment of production to final sale, which makes it significantly more difficult to put illegal products into circulation.

Terms

The European Union’s Tobacco Directive (2014/40/EU), which introduces the T&T system for tobacco products, sets deadlines and milestones for its implementation. The most important of them are:

20 May 2019 – This deadline was a key moment for the T&T System when it came into effect for cigarettes and self-rolling tobacco. From this date, all new packaging for these products must be equipped with unique identifiers to enable them to be tracked at every stage of the supply chain – from the manufacturer to the final retail outlet.

20 May 2024 – This is an extended deadline by which all other tobacco products (e.g. cigars, cigarillos) must be included in the T&T System.

The Directive requires Member States to ensure that the IT systems used for traceability are compatible and interoperable at international level, so that tobacco products can be traced effectively throughout the EU and beyond.

​

Information security audit

Each primary repository contracted by the manufacturer is subject to an annual audit process. Where the same third-party provider operates two or more primary repositories, a separate audit should be carried out for each repository and a separate audit report should be submitted.

Each manufacturer or importer must notify the Commission of its proposed auditor to audit its primary repository and of the relevant third-party supplier. All proposed auditors are subject to approval by the Commission.

Each manufacturer or importer must notify the Commission of its proposed auditor to audit its primary repository and of the relevant third-party supplier. All proposed auditors are subject to approval by the Commission.

We are a European Commission approved audit provider!

We carry out audits of the primary repository of the Track & Trace System in accordance with the Guidelines on annual audit reports to be submitted in accordance with Article 15(8) of Directive 2014/40/EU in the context of the EU Tobacco Products Traceability System.

We conduct audits in accordance with a checklist specifying the required domains and control points in accordance with the ISO/IEC 27001:2013 standard for Information Security Management Systems, including in particular:

• Organisational and physical security
• Operational safety
• Access control (users and applications)
• Communication security
• Business continuity
• Assets and data integrity

We prepare a report on the audit activities carried out, containing findings, conclusions and recommendations regarding the issue of non-compliance or other identified risks. We also provide recommendations specifying the actions necessary to remove the problems and shortcomings identified during the audit. In accordance with the requirements, the report is submitted to the European Commission in electronic form. PLEASE NOTE! The audited entity, as well as the entity commissioning the audit, does not receive the report.