Explanation of the Draft Regulation on Electronic Signature by Ms


European Commission’s proposal for a Regulation on electronic identification and trust services for electronic transactions in the internal market
Alessandra SBORDONI
European Commission - DG CONNECT
What is the legislative proposal's ambition?
• To strengthen the EU Single Market by boosting TRUST and CONVENIENCE in secure and seamless cross-border and cross-sector electronic TRANSACTIONS
• To stimulate new business opportunities
What is the scope of the proposed Regulation?
1. Mutual recognition of electronic identification
2. Electronic trust services:
• Electronic signatures interoperability and usability
• Electronic seals interoperability and usability
• Cross-border dimension of:
1. Time stamping,
2. Electronic delivery service,
3. Electronic documents admissibility,
4. Website authentication.
Provisions of the proposed Regulation
• Ch 1: General Provisions
• Ch 2: Electronic identification
• Ch 3: Trust services
• Sec 1: General Provisions
• Sec 2: Supervision
• Sec 3: Electronic signature
• Sec 4: Electronic seals
• Sec 5: Electronic time stamp
• Sec 6: Electronic documents
• Sec 7: Qualified electronic delivery service
• Sec 8: Website authentication
• Ch 4: Delegated acts
• Ch 5: Implementing acts
• Ch 6: Final provisions
• Annexes I, III, IV: Qualified certificates
• Annex II: Qualified eSig creation devices
General Provisions
• Legal basis: Art 114 TFEU (internal market)
• Subject matter and scope:
• Covers mutual recognition & acceptance of eID
• « Toolbox » of trust services: usage is NOT mandatory
• Definitions:
• Trust services do not encompass eID (subsidiarity)
• Qualified = matching the requirements of the Regulation
• Qualified trust service providers (QTSP) and trust services (QTS)
• eSig creation device: SW or HW used to create an eSig
• Internal market:
• Free “movement” of trust services and related products
• Mutual recognition and acceptance of trust services
Electronic identification
• Legal effect
• Mutual recognition and acceptance of “notified” e-identification schemes
• Natural and legal persons
• Notification mechanism
A Member State:
1. May ‘notify’ to the Commission the ‘national’ electronic identification scheme(s) used at home, at least, for access to public services;
2. Must recognise and accept ‘notified’ eIDs of other Member States for cross-border access to its online services requiring e-identification under its national laws;
3. Must provide an online free ID data authentication facility;
4. Is liable for unambiguous identification of persons and for authentication;
5. May allow the private sector to use ‘notified’ eID
• Coordination mechanism between Member States to ensure eID means interoperability and enhance security
What is not covered?
• The proposal does not require / address / contain:
• Member States to have an eID scheme
• Member States to notify their eID scheme(s)
• «soft ID» (ex. Facebook)
• «Notified» eIDs are not necessarily ID cards
• "EU database" of any kind
• "EU eID"
• Prior authorisation to start a qualified service, or accreditation
• Details on trust services other than eSig / eSeals
• Persons’ roles and/or attributes
• Format of e-documents
• Establishment of proof
• Encryption
Electronic trust services
Common Principles:
• Technological neutrality
• Mutual recognition of qualified electronic trust services
• Strengthens and harmonises national supervision of qualified trust service providers and trust services
• Reinforces data protection + obligation for data minimisation
• Uses delegated and implementing acts as a mechanism to ensure flexibility vis-à-vis technological developments and best practice
Supervision (1/3)
• National or «regional» supervision authority
• Common essential supervision requirements of Q-TSPs
• Cooperation between Supervisors:
• Mutual supervision assistance
• Yearly supervision report
• Collection of market statistics from Q-TSPs and Supervisors
• Exchange of good practices between Supervisors (cf. FESA)
• MS to ensure long term availability of trust data of QTSPs
Supervision (2/3)
• Requirements on Q and non-Q-TSPs (Art. 15):
• Obligation of security due diligence for Q and non-Q-TSPs
• Security breach notification obligation for Q and non-Q-TSPs
• Binding instructions by Supervisors to Q and non-Q-TSPs
• Supervision of Q-TSPs (Art. 16):
• Q-TSP subject to at least yearly audit
• Supervisor can issue binding instructions to Q-TSP. Supervisor can remove “Qualified” status.
Supervision (3/3)
• Initiation of Q-Trust services (Art. 17)
• Mandatory notification to Supervisory body
• No prior authorisation
• Trusted Lists (Art. 18)
• EU trusted lists of Q-TSs and Q-TSPs (cf. Decision 2009/767/EU)
• Requirements for Q-TSPs (Art. 19)
• Issuance of certificates: face-to-face OR remotely using «notified» eID
• Mandatory on-line standardised certificate status info
• Other reliability and professionalism requirements similar to Annex II of the eSignature directive
Electronic signature (1/3)
• Builds on existing eSignature infrastructure and clarifies concepts related to eSig. (natural persons)
• Introduces eSeals (legal persons)
• Allows for full reference to standards
• Clarifies validation of qualified eSignatures
• Ensures long term preservation
• Allows «server / remote» and «mobile» signing
Electronic Signatures (2/3)
• Definition of eSignature (Art. 3.6)
• Data in e-form attached to or logically associated with other e-data and which are used by the signatory to sign
• Natural persons only
• Advanced eSig. (AeS): adapted to allow server signing and make « sole control » manageable
• Legal effect and acceptance of eSignatures (Art. 20)
• Qualified eSig. (QeS) has “equivalent legal effect” to a handwritten signature
• Mutual recognition and acceptance of QeS
• Allows for classification of eSignatures with security assurance levels < QeS
• Security of AeS may be defined via standards
• Security assurance requirements higher than QeS are forbidden for public services
Trust services (1/2)
• Electronic Seals
• Legal persons only (but not identification means)
• Definition: “data in e-form attached to or logically associated with other e-data to ensure origin and integrity of the associated data”
• «mutatis mutandis» like eSignature
• Electronic Time stamping
• Legal existence of time stamps
• Defines qualified time stamps («date certaine»)
• Electronic Documents
• Non discrimination «paper vs e-documents»
• Admissibility as evidence in legal proceedings, having regard to its assurance level of authenticity and integrity
• Presumption of authenticity and integrity of Q-signed/sealed eDocuments
Trust services (2/2)
• Qualified electronic delivery service
• Legal effect: certainty of cross-border electronic delivery
• Establishes qualified eDelivery services
• NB. national legislation to establish legal equivalence of e-delivery and paper registered letter
• Website authentication
• Only establishes legal existence of qualified website authentication certificates
Secondary legislation
• Delegated acts (Art. 38)
• To make the Regulation a technologically neutral and flexible legal instrument vis-à-vis technical evolution and adoption of new best practices by stakeholders and MS
Example: Article 15.5
• Delegated acts may specify, taking into account state of the art practices and standards, what security measures are appropriate in relation to a specific level of risk
• The basic act (Article 15.1) aims at ensuring that TSPs set up and document, via a security audit, an appropriate system to manage security risks based on a risk assessment; delegated acts apply should the level of harmonisation ensured by Art. 15.1 be insufficient to guarantee a high level of security.
Secondary legislation
• Implementing acts (Art 39)
• Will replace the Art. 9 Committee (eSig directive) composed of representatives of Member States
• “Examination procedure”:
• the Commission may only adopt an implementing act if the committee delivers a positive opinion (qualified majority).
• In case of a negative opinion, the Commission may either propose an amended version of the draft act within two months, or refer the matter to the appeal committee.
• If the appeal committee is seized, its opinion must be positive for the draft act to be adopted
Final provisions
• Art 40: reporting every four years
• Art 41: Repeal Directive 1999/93/EC
• Devices already certified as SSCDs become QSCDs
• Existing Q-Certificates will remain valid for max. five years
• Art 42: Entry into force
• 20 days after official publication following adoption by the European Parliament and Council by the «ordinary procedure» (ex co-decision)
• Transitional clause probably to be discussed by the co-legislators
Why will it make a difference? (1/2)
• Creates confidence in electronic trust services:
• Effective state supervision
• Systematic usage of “trusted lists”
• De facto world class «trustmark» for EU qualified services
• Easy eSignature:
• Harmonisation power of Regulation
• Full eSig specification via secondary legislation + standards
• Related trust services:
• Address clear market needs: eSeals, eDelivery, eDocuments, …
• Harmonise national legislation: time stamping, eDelivery
• e-Document admissibility: « big bang » for de-materialisation
• Website authentication is an implicit expectation of the citizens
Why will it make a difference? (2/2)
• Comprehensive “toolbox” of trust building instruments
• One single legislation across EU
• Harmonisation power of Regulation
• Foster eID usage (“world premiere”):
• Leverage eID cards and mobile ID infrastructure
• Reliable eID to allow cross border eBusiness and enable eGov services
• Private sector is invited to build on «notified» eIDs
• Leverage Large Scale Pilot project STORK
Indicative timeline
[Timeline figure, 2011 to 2016: legislative process (Commission proposal 4.6.2012; Cyprus Presidency report; Parliament + Council adoption); standardisation mandate m460 and resulting standards; delegated/implementing acts; Commission Decisions. NB. Dates are indicative]
For further information
• Website: http://ec.europa.eu/information_society/policy/esignature
• Draft Regulation: European Commission’s “Proposal for a Regulation of the European Parliament and Council on electronic identification and trust services for electronic transactions in the internal market”, COM(2012) 238, 4.6.2012, http://ec.europa.eu/information_society/policy/esignature/eu_legislation/regulation
• Impact assessment: SWD(2012)135 and SWD(2012)136