Implementation of eidas through Member States Supervisory Bodies

Transcription

1 Implementation of eidas through Member States Supervisory Bodies Riccardo Genghini - ETSI TC ESI & CEN-ETSI e-sign Coord. Group Chairman CA Day Berlin June 09 th, 2015 ETSI All rights reserved

2 2 Legislative paradigm shift: Directive 1999 vs Regulation 2014

3 3 Substantive and referencing secondary legislation The Regulation empowers the European Commission to draft secondary legislation One delegated act Several implementing act (some of them mandatory other optional) The secondary legislation acts can be grouped according to the actual power of the European Commission: The EC can define the actual content of the delegated/implementing acts (substantive legislation) The EC can only reference international and European standards (referencing legislation only implementing acts)

4 Substantive delegated and implementing acts 4 [Secondary legislation involving European Standardisation Organisations (ESOs) highlighted with red] [Secondary legislation that is mandatory highlighted with bold] Commission is empowered to adopt delegated act for the establishment of specific criteria to be met by the designated bodies that carry on security evaluations of electronic signature creation devices (Art of Regulation (EU) No. 910/2014); Commission may adopt implementing acts to define the formats and procedures for the security breach report (Art. 17.8); [ENISA is working on this matter]

5 Substantive delegated and implementing acts 5 Commission may adopt implementing acts to further specify the appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide (Art. 19.4a); [ETSI EN , ETSI EN ] Commission may adopt implementing acts to define the formats and procedures, including deadlines, applicable for notifying the supervisory body and, where applicable, other relevant bodies, such as the competent national body for information security or the data protection authority, of any breach of security or loss of integrity that has a significant impact on the trust service (Art. 19.4b); [ENISA is working on this matter]

6 6 Substantive delegated and implementing acts Commission may adopt implementing acts to define the formats and procedures for submitting to the supervisory body a notification of their intention to start a qualified trust service, together with a conformity assessment report issued by a conformity assessment body (Art. 21.4)

7 7 Substantive delegated and implementing acts Commission may adopt implementing acts to define the formats and procedures that the supervisory body shall use for verifying whether the trust service provider and the trust services provided by it comply with the requirements laid down in this Regulation, and in particular, with the requirements for qualified trust service providers and for the qualified trust services they provide (Art. 21.4)

8 Substantive delegated and implementing acts 8 Commission before 18 September 2015 shall adopt implementing acts to specify the information to be published on the trusted lists, including the information related to the qualified trust service providers for which the member states are responsible, together with information related to the qualified trust services provided by them (Art. 22.5) Commission before 18 September 2015 shall adopt implementing acts to define the technical specifications and formats for trusted lists (Art. 22.5) [ETSI TS ]

9 Substantive delegated and implementing acts 9 Commission before 1 st July 2015 shall adopt implementing acts to provide specifications with regard to the form, and in particular the presentation, composition, size and design of the EU trust mark for qualified trust services (Art. 23.3) By 18 September 2015, and taking into account existing practices, standards and legal acts of the Union, the Commission shall, by means of implementing acts, define reference formats of advanced electronic signatures used in public services or reference methods where alternative formats are used (Art. 27.5) [ETSI EN , EN , EN , EN ]

10 10 Substantive delegated and implementing acts Commission may, by means of implementing acts, define formats and procedures applicable for the notification of information on qualified electronic signature creation devices that have been certified (or whose certification has been cancelled) by the designated bodies referred to in Article 30(1) (Art. 31.3)

11 11 Substantive delegated and implementing acts By 18 September 2015, and taking into account existing practices, standards and legal acts of the Union, the Commission shall, by means of implementing acts, define reference formats of advanced electronic seals used in public services or reference methods where alternative formats are used (Art. 37.4) [ETSI EN , EN , EN , EN ]

12 12 Referencing implementing acts (Art. 20.4a) for accreditation of the conformity assessment bodies and for the conformity assessment report [ETSI EN ] (Art. 20.4b) for auditing rules under which conformity assessment bodies will carry out their conformity assessment of the qualified trust service providers (Art. 24.5) for trustworthy systems and products, which comply with the requirements under points (e) and (f) of paragraph 2 of article 24

13 13 Referencing implementing acts (Art. 27.4) for advanced electronic signatures formats [ETSI EN , EN , EN , EN ] (Art. 28.6) for qualified certificates for electronic signature [ETSI EN ] (Art. 29.2) for qualified electronic signature creation devices (Art. 30.3) for security assessment of qualified electronic signature creation devices (Art. 32.3) for the validation of qualified electronic signatures [ETSI EN ]

14 14 Referencing implementing acts (Art. 33.2) for qualified validation service of qualified signatures [future ETSI EN , EN ] (Art. 34.2) for the qualified preservation service for qualified electronic signatures [ETSI TS , future ETSI EN and EN ] (Art. 37.4) for advanced electronic seals formats [ETSI EN , EN , EN , EN ] (Art. 38.6) for qualified certificates for electronic seals [ETSI EN ]

15 15 Referencing implementing acts (Art. 42.2) for the binding of date and time to data and for accurate time sources [EN , EN ] (Art. 44.2) for processes for sending and receiving data [for REM ETSI TS and future ETSI EN ] [for ERDelivery future ETSI EN ] (Art. 45.2) for qualified certificates for website authentication [ETSI EN ]

16 16 ETSI All rights reserved Thanks for the attention! Questions? Riccardo Genghini ETSI TC ESI & CEN-ETSI e-sign coordination group Chairman