Transcription

1 1 de 7 16/06/2014 9:48 Contact Us Search Home ( About ( Media ( Interviews ( An Interview with Nacho Alamillo Nacho Alamillo ( is a Catalan lawyer who specializes in electronic signatures. He is a CISA, CISM and ITIL-F certified professional who is a member of the EESSI SG and ETSI ESI, and has coauthored several European technical specifications related to trust services. His company Astrea.cat offers compliance services and legal advice to trust service providers, governments and private sector companies. The EU s new Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (eidas) regulation, which significantly revises the previous European Directive on Electronic 1999/93, was approved by the European Parliament on April 3, 2014 and is expected to be endorsed by the European Council in July The comprehensive new regulation, which must be implemented by all EU member states, establishes cross-border procedures, requirements and obligations for Trust Services Providers (TSPs) and trust-related services, such as electronic identification, electronic signatures and seals, CoSign in the News (/about /press-room/news/) Press Releases (/about/press-

2 2 de 7 16/06/2014 9:48 time stamping and more, as well as for Qualified Signature Creation Devices. room/releases/) While the eidas regulation covers all of these issues and many more, it only provides their basic descriptions. Two central European certification organizations, ETSI and CEN, have been appointed to technically define the legislation by precisely defining each of the issues at hand and establishing the many related norms and standards relevant to the new legislation. Q: In the past, based on the previous European Directive on Electronic 1999/93, every country passed local legislation regarding digital signatures. In Spain, for example, there were hardly any options for using a Secure Signature Creation Device (SSCD) to create qualified signatures so most organizations chose to use only advanced signatures. How do you think this will change once the new regulations are in place? A: Only a cryptographic microchip was recognized as a SSCD by the Spanish legislation, so the deployment of qualified electronic signature solutions was minimal, slow and ineffective. For example, the DNIe (national electronic identification), which is the main system for qualified electronic signatures in Spain, is used in just 3% of public sector transactions and is not used at all in private sector transactions such as electronic banking. Most of the remaining transactions are authenticated by using either software-based certificates or passwords. With the enactment of the new European regulation, which adopts a more flexible approach, we can deploy new types of SSCDs, particularly those that utilize centralized key management systems. The industry has been successfully experimenting with this innovation for some time, so I m sure this will make a significant contribution to the use of qualified electronic signatures. To ARX offices worldwide click here (/contactform /arx-worldwide/) Interviews (/about/pressroom/interviews/) Q: What do you think will be the effect of the new regulation in other European countries? A: The new European regulation adopted a set of uniform rules that are directly applicable throughout the EU enabling the creation of truly pan-european services. For example, a trust service

3 3 de 7 16/06/2014 9:48 provider established in Spain may offer its services throughout the European Union without any impediment from national laws, as was previously the case. This does not imply that national legislation cannot establish additional rules, which would only apply to providers based in their territory. But there will always be a provision that providers from other Member States must not be affected by these additional rules and can continue offering their services to consumers located in that state. Q: As noted earlier, in contrast to the previous directive, the new regulation presents a very clear picture regarding the use of digital signatures and Qualified Signature Creation Devices across all EU countries. What do you envision will happen in Europe once the regulations with all of their standards and clauses are clearly defined? A: The new regulation is really a rule of administrative law that amended the previous system by establishing an administrative license before the provision of services, and by creating important legal protection. When the legislative and technical standards are fully developed, we will have all the components required to innovatively deploy qualified electronic signature services with a solid legal basis for authenticity. One key example would be electronic signatures that are created by remote or centralized key-based systems. This approach will boost qualified electronic signatures, which to date have not been widely used, partially due to the fact that citizens found card-based SSCDs difficult to use. In addition, companies that operate in several Member States of the European Union will now be able to optimize their investments using systems that are accepted throughout the Union, while being granted legal certainty. Q. What do you predict will happen during the interim period until all of the standards and norms are in place, considering that this process could take several years? A: In principle, the schedule established by the European Standards Organizations has set the end

4 4 de 7 16/06/2014 9:48 of 2015 as the target date by which all the technical requirements for the conformity assessment of trust services must be formulated, because the regulation is scheduled to be fully applicable as of July However, to avoid paralyzing the market during this interim period, the regulation allows the usage of ad hoc evaluation mechanisms to prove compliance in some cases. For example, in the case of centralized electronic signature HSMs, the regulation allows this type of device to be certified according to equivalent criteria established by the Member States until a protection profile is defined under Common Criteria. Obviously, companies with products certified under this alternative will have a clear market advantage, as long as the SSCD certification is compulsory under the new regulation. Q. Will the recognition of Trust Services Providers (TSPs) under the new regulation cause consolidation in the existing CA market? A. I expect that given the additional costs imposed by the new regulation, the number of service providers that issue trust certificates will be reduced somewhat. Q. Will CAs and TSPs address the pan-european market or will this continue on a local scope? How will this process work in a court of law, for example? A. Although the conditions for the provision of services will have been created by the time the new regulation is fully applicable across the Union, this does not necessarily imply that pan-european CAs will be established. This is mostly due to the fact that, at least until national electronic identification systems are deployed, the issuance of certificates will require identification based on personal presence. Therefore, this aspect of the process may continue to operate as a local business. We must also keep in mind that there is hardly any competition between commercial CAs and government organizations issuing national electronic identifiers, at least vis-à-vis citizens. However, when it comes to services such as creating remote electronic signatures HSM with

5 5 de 7 16/06/2014 9:48 centralized keys, electronic signature validation, archiving, or registered electronic delivery all of these may develop successfully on a pan-european scale. Regarding the judicial process, we have to keep in mind that the new regulation provides legal presumptions that bind all judges within the European Union and apply as long as the legal dispute is resolved in this territory. Furthermore, European contract law allows contracting parties to choose the law that rules the form of a contract between companies. This means that provided a contract with non-european companies is drafted correctly, it could be subject to the regulation and benefit from this special legal regime. Q. Who will these TSPs be? Governments? Banks? Private companies? A: In my opinion, governments will be key players in this space, especially regarding certificate issuance. However, banks and private companies may become large consumers of trust services such as the creation of remote electronic signatures based on an HSM with centralized keys, electronic signature validation, archiving, or registered electronic delivery. Therefore, we can assume they will be important players, especially in a self-provision scheme where they deploy technology in house. Q: Due to the fact that there is a prolonged interim period, there is a risk that organizations may be tempted to acquire short-term solutions that comply only with the existing and interim regulatory demands without thinking ahead. What advice would you offer such organizations? My recommendation is very clear: It is important to do a detailed analysis of the cost of the solution prior to implementation, depending on the defined amortization period. Since the regulation will force the abandonment of solutions that do not meet the requirements established in the new technical

6 6 de 7 16/06/2014 9:48 standards some of which we are already acquainted with today organizations will be forced to replace these interim solutions once their use is prohibited. Organizations would be wise to avoid the cost of double implementation; first of the interim solution and then of the final solution. SHARE ( /share_save#url=http %3A%2F %2Fwww.arx.com%2Fabout%2Fpress- ARX Security Products (/securityproducts) Digital for Applications (/digital-signature) Digital for Industries (/industries) room%2finterviews%2fnacho- Digital alamillo- for Processes (/digitalsignaturedigital- PrivateServer HSM /privateserver-hsm/) Microsoft Word & Excel (/digitalsignature/word-excel) Life Sciences (/industries/lifesciences) Overview (/digital-signature signature- expert& /processes-overview) PrivateCard / Minikey (/securityproducts/security-tokens/) PDF Documents (/digitalsignature/pdf) Government (/industries /governments) Human Resources (/digitalsignature/human-resources) title=insights%20into%20the%20new%20eidas%20regulation PrivateSafe (/security-products /privatesafe/) Microsoft SharePoint (/digitalsignature/sharepoint) Engineering (/industries /engineering) %20%C2 Contract Management (/digitalsignature/contract-management) %A0%20 CryptoKit (/security-products /cryptokit/) PrivateWire (/security-products /privatewire/) ECM & DM (/digital-signature /ecm-dm) Others (/digital-signature/other) Healthcare (/industries /healthcare) Legal (/industries/legal) Point of Sale (/digital-signature %C2%A0& /point-of-sale) description=) Web Applications (/digitalsignature/web-application) Social Facebook ( Twitter ( YouTube (

7 7 de 7 16/06/2014 9:48 LinkedIn ( Blog (/blog) Contact us (415) us (mailto:[email protected]) Copyright 2014 ARX Inc. All rights reserved About (/about/company-profile) ARX UK ( Support (/support) Contact (/contactform/contact-us) Site Map (/sitemap) Terms of use (/misc/terms-of-use) Privacy Policy (/misc/privacy-policy)