ROADMAP. A Pan-European framework for electronic identification, authentication and signature


ROADMAP

TITLE OF THE INITIATIVE: A Pan-European framework for electronic identification, authentication and signature
TYPE OF INITIATIVE: CWP; Non-CWP; Implementing act/delegated act
LEAD DG - RESPONSIBLE UNIT: INFSO A3/H2
EXPECTED DATE OF ADOPTION: Month/Year: Q
VERSION OF ROADMAP: No: 5
Last modification: Month/Year: November 2011

This indicative roadmap is provided for information purposes only and is subject to change. It does not prejudge the final decision of the Commission on whether this initiative will be pursued or on its final content and structure.

A. Context, problem definition

(i) What is the political context of the initiative? (ii) How does it relate to past and possible future initiatives, and to other EU policies? (iii) What ex-post analysis of the existing policy has been carried out and what results are relevant for this initiative?

(i) The Digital Single Market can bring great benefits to citizens and businesses: enjoying lower prices, having more choice of attractive offers from travel to electronics, getting easy access to health as a tourist in another part of Europe, registering for education elsewhere, or selling to whole new customer groups. This vision of the Digital Single Market can become a reality if citizens and businesses have the awareness, skills and tools that give them the ease of use, trust and confidence to participate in online interactions and transactions across Europe. For citizens and businesses it should be as easy and trusted to use an online service from abroad as from their own country. Providers in turn need to make their websites usable, trustworthy and attractive. They likewise need ease of use, trust and confidence in the digital world, notably when dealing with digital customers from another country.
Boosting ease of use, confidence and trust in the digital economy is an essential prerequisite to stimulate further use of the internet, thereby offering possibilities for creating growth and jobs as set out in the Europe 2020 strategy. Therefore we propose to launch a major political initiative entitled "a Pan-European framework for electronic identification, authentication and signature". This initiative, which is part of the Digital Agenda for Europe as well as of the Single Market Act, will seek to boost the confidence of citizens, businesses and administrations when interacting electronically, by developing the legal basis for a pan-European electronic ID, authentication and signature framework and thereby easing the usage of trusted services throughout the single market, ensuring mobility of citizens within the digital single market and take-up of public online services.

(ii) In December 1999 the European Parliament and the Council adopted Directive 1999/93/EC on a Community framework for electronic signatures. The purpose of the Directive was to establish a legal framework for esignature and for providers of signature certificates. For the purpose of the Directive, esignature means "data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication".

The revision of the e-signature Directive is a key action of the "Digital Agenda for Europe" communication. It is a necessary contribution to the creation of a well-functioning digital single market. The revision of the e-signatures Directive concentrates on the legal framework for electronic signatures. It aims at revising the legal framework on electronic signature defined in Directive 1999/93/EC in order to adapt to the new technological and legal challenges of the digital world and to ensure a sound legal environment for electronic signatures used for web-services and online transactions, in particular in the cross-border context.
Part of the pan-European framework will be new legislation on electronic identification in order to create the legal basis for the cross-border recognition and acceptance of national e-identification means already issued in the Member States for the access to electronic services, mainly provided by public authorities and e-Authentication. eid-means are understood as "electronic representation of a certain subset of one or more attributes pertaining to an entity in such a way that it can be unambiguously attributed to this entity and for which the Member States takes over liability also if it is used in another Member State". Authentication is the verification of electronic identities when used to access online services. These two actions are complementary.

(iii) Regarding electronic signatures 1 a number of studies have already been carried out on the existing policy such as: "The legal and market aspects of e-signature" 2 in 2003, "Study on the standardisation aspects of e-signatures" 3 of 2007, IDABC studies on e-signature 4 and e-id interoperability 5 in and the CROBIES study on cross-border interoperability of esignatures 6 were published in August These studies detailed technical, organisational, legal and trust issues and provided detailed technical, organisational and legal recommendations for solutions.

The variability of national identification infrastructures was identified by studies on e-id interoperability as one of the major challenges of cross-border eid and e-authentication. The CIP-ICT-PSP Large Scale Pilot STORK (where more than half of the EU Member States operate together to enable the cross-border use of eids and eauthentication) has demonstrated that at technical level it is possible to recognise and accept eids which are used in the Member States for the access to online services, mostly to those of public authorities. As recommended by the studies, STORK makes it possible to connect centralised and decentralised approaches of the Member States to a pan-European eid platform.

What are the main problems which this initiative will address?

Many citizens already have a way to identify themselves electronically and reliably at home, namely with the national electronic ID, but they cannot yet use that tool in the same way across Europe as their eid is not recognised in another country, even though solutions have been developed to address the technical barriers of cross-border interoperability (Large Scale Pilot STORK).
When Member States started to issue e-identification and e-authentication instruments to their citizens at national level to enhance trust and security in online services, they considered only their national needs and requirements without taking into account the potential European dimension. The lack of a common legal basis engaging each Member State to recognise and accept eids issued in other Member States to access public online services, and the insufficient cross-border interoperability of national eids, lead to electronic barriers which hinder citizens and businesses from fully benefiting from the digital single market.

For authorising an online transaction in a country or across Europe, the esignatures Directive has been providing the legal framework for years, but its use is still too limited as it is perceived to be rather complicated and to be missing the following key elements for today's online world:

- Lack of interoperability and capability coupled with a guarantee on the appropriate use of data. When starting an online transaction, parties are usually not as easily identifiable as in the physical world. In addition, users are often confronted with the dilemma of how to balance privacy concerns with the need to obtain services. They feel neither adequately protected against the loss and misuse of personal or business data nor empowered to keep them under their own control (risks are fraud or inerasable trails on the web).
- Insufficient legal certainty, especially in cases of transactions requiring the exchange of documents. The parties involved in an electronic transaction do not always have at their disposal the means to express their consent and to certify the claims they make or receive. Also, service providers do not always have the means to ensure the reliability of the information they obtain from users.

Furthermore, until now the policy and legal framework has been tilted too much towards creating confidence for the providers of online services.
Solving the problems presented, both related to demand and supply, could be exponentially developed and create a real digital single market. The new initiative proposes to look at ways in which both the user, acting as consumer or beneficiary of public services, and the providers of public or private services can obtain more trust and transparency about whom they are dealing with:

For citizens and businesses as customers of the private and public sector:
- simplicity of use such as having to use only the one and well-known national eid, one-time-only registration and single sign-on, at home and across Europe
- confidence to interact, transact with governments, and buy online while in another country
- possibility for citizens/consumers to verify the trustworthiness of on-line service providers or suppliers (for example through a direct link between commercial websites and the European electronic commercial registry and of Member States drawing up 'black-lists' of fraudulent websites)
- reduced risk of identity theft
- keeping control on own identity data on the internet
- trusted online social interaction e.g. for children in chat-rooms

For companies as suppliers and for public administrations:
- increased participation to public procurement across borders
- possibility to verify the trustworthiness of potential buyers or clients

For economy and society overall:
- increased productivity and efficiency in the private and public sector
- increased innovation in online markets, at home and across Europe
- economic growth and jobs (link with Europe 2020)
- more social inclusion.

1 "Electronic signature" means data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication. (article 2(1) of the Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures)

Who will be affected by it?

Citizens, business, industry, public administrations.

(i) Is EU action justified on grounds of subsidiarity? (ii) Why can Member States not achieve the objectives of the proposed action sufficiently by themselves? (Necessity Test) (iii) Can the EU achieve the objectives better? (Test of EU Value Added)

It is unlikely that market forces and national e-government or trust actions will be sufficient in this field, especially in cross-border contexts, without an EU policy. Equally, in the absence of an EU response, Member States will be inclined to develop their own solutions, resulting in (further) fragmentation of the single market. The initiative would potentially contribute to increased take-up, in particular a wider use of cross-border e-commerce and e-government services. Finally, it will boost growth and jobs, thereby contributing to the objectives of the Europe 2020 strategy.

B. Objectives of the initiative

What are the main policy objectives?

The initiative aims at boosting the confidence of citizens, businesses and administrations when interacting electronically. This is indeed an essential prerequisite to stimulate further use and development of the Internet, which in turn will stimulate innovative interactions in the private and public sectors and increase productivity, thereby offering possibilities for creating growth and jobs as set out in the Europe 2020 strategy. This will be achieved by developing the legal basis for a pan-European electronic ID, authentication and signature framework and therefore easing the usage of trusted services throughout the single market, ensuring mobility of citizens within the digital single market and take-up of public services.

The legislation on mutual recognition and acceptance of e-identification and e-authentication will allow citizens and businesses to use their national eid-means abroad when they need to access e-services to travel, work, study, live or do business in other Member States. The legislation on esignature will ensure legal certainty for users and service providers, as well as cross-border interoperability.

Do the objectives imply developing EU policy in new areas?

Yes (electronic identification).

C. Options

(i) What are the policy options being considered? (ii) What legislative or 'soft law' instruments could be considered? (iii) How do the options respect the proportionality principle?

The following options have been considered for this EU action:

Option 1) No policy change, i.e. maintaining the status quo both on esignature, and eidentification and authentication. In the context of this option, the current e-signature Directive would be kept unchanged and there would be no EU policy on eidentification.

Option 2) Extended framework with ancillary trusted services and credentials. This option would:
- substantially revisit the esignature Directive, turning it into a legal tool to boost trust in the Digital Single Market by enhancing e-signature interoperability as mentioned in the previous option and introducing some ancillary trusted services and credentials such as time-stamping, long-term electronic signature preservation, electronic seals, registered documents delivery, website authentication or roles and authorisations.
- provide a legal basis to the mutual recognition and the acceptance of electronic identification and authentication to access online services, in particular egovernment services cross-border (addressing the Digital Agenda Key Action 16 objective) and cross-sector, without interfering in already existing eid and authentication infrastructures and systems at Member State level.

The LSP STORK has successfully shown that EU-wide interoperability of the different solutions developed by the Member States is possible and that the federated authentication platform developed works well. What is missing now is the legal basis to enable citizens and businesses to use their national eids across borders for the access to online services at least provided by public administrations and to oblige Member States to mutually recognise and accept each other's national eids.
The private sector should also be allowed to use these national eids for the purpose of identification of users, customers, consumers or clients.

Option 3) Focused upgrade of the e-signature Directive. This option would consist of an upgrade of the current esignature directive by adding provisions focusing on specific e-signature and document authentication issues that are identified as barriers to cross-border interoperability. It would also entail the extension from cross-border to additional cross-sector interoperability with regard to eidentification and authentication. The legal framework would be revised through measures like clarification of terminology, improved provisions for validation, improved provisions for supervision or usage of trusted status lists. The electronic identification would not be affected.

Option 4) "Simplified" e-signature Directive. This option would entail the repealing of most provisions of the current e-signature Directive, leaving only the provisions necessary for the establishment of the legal effect of e-signatures. The electronic identification would not be affected.

Option 5) Cancel all activities at EU level. This policy option implies the complete cessation of all EU activities in the field of the electronic identification, authentication and signatures, including those already started.

(ii) For option 1, the e-signature Directive would be kept unchanged. For option 2, 3 and 4 a proposal for one single measure has been considered in order to create a more efficient framework for electronic transactions. In particular, options 3 and 4 would entail the introduction of provisions on mutual recognition and acceptance of electronic identification and authentication and option 4 would go further by adding trusted services and credentials in order to provide a global and consistent environment to implement the Digital Single Market.

(iii) Policy options 2, 3 and 4 require an intervention at EU level.
In particular, proposing a legislative measure encompassing electronic identification, authentication and signatures would, on the one hand, improve the current framework regarding the cross-border use of electronic signatures and, on the other, oblige Member States to mutually recognise and accept official eids of each Member State for the access to cross-border online services. Given the cross-border character of the policy objective, EU action is needed to guarantee a common legal basis which will guide Member States to adapt their national laws to the cross-border dimension of the digital single market.

D. Initial assessment of impacts

What are the benefits and costs of each of the policy options?

Maintaining the status quo as defined under option 1 would not entail any particular benefit or cost compared to the current situation.

Option 2 would enhance trust in electronic transactions. It would reduce fragmentation of the single market and potentially lead to an increased take-up, in particular a wider use of cross-border e-commerce, e-business and e-government services. This would result in mutual recognition and acceptance of e-identification and e-authentication, as well as ensuring legal certainty and cross-border interoperability of esignatures. Furthermore, this option would also introduce ancillary trust services to e-signatures in order to provide a comprehensive "end-to-end" framework.

Like option 2, option 3 would enhance trust in electronic transactions. It would focus on only a subset of the issues, which are e-identification, e-authentication and esignatures. Its advantage may be that it is faster to implement. Both policy options 2 and 3 would ultimately lead to a broader boost of confidence of citizens or businesses when interacting electronically.

A "simplified" e-signature Directive as defined under policy option 4 may not help solve the interoperability issues related to the current esignature directive. Neither would it produce benefit on electronic identification and authentication.

Cancelling all activities at EU level would mean repealing the e-signature Directive (and its related Decisions). This would leave Member States focusing on their national reality, which would be detrimental to actions leading to EU-wide solutions. This, in turn, would enhance the risk of aggravating cross-border interoperability problems due to internal legislation barriers. It would also undermine mutual recognition of national electronic signatures, leading to an absence of legal certainty.
Further analysis of the benefits and costs of each of the policy options will be provided in the impact assessment report.

Could any or all of the options have significant impacts on (i) simplification, (ii) administrative burden and (iii) on relations with other countries, (iv) implementation arrangements? And (v) could any be difficult to transpose for certain Member States?

(i) Simplification here means on the one hand the simplification of usage of electronic signature, because today the legal, operational and technical situation is excessively cumbersome for users and developers. On the other hand, the EU-wide recognition and acceptance of national eids can contribute significantly to the simplification and reduction of administrative burdens. Benefits can be expected for users as well as for the private and public sector. Users do not necessarily have to show up physically for identification and authentication purposes. They could use their eid for the access to cross-border services of other Member States.

(ii) Efficient and easy to use electronic identification, authentication and signature are needed to allow migrating administrative processes from a paper to an electronic support. In particular, the process related to the provision of Services in other Member States must be achievable by law in electronic form and the take-up of electronic public procurement depends on electronic signature.

(iii) Agreements could be established with third countries for the mutual recognition of eids and/or e-signatures once cross-border interoperability becomes a reality in the EU.

(v) The transposition by the Member States of the existing esignature Directive has shown that no major difficulty should be expected provided that backward compatibility with existing infrastructure is taken care of. The implementation of the Framework should not be difficult as nearly all Member States deploy eids and e-authentication at national level.
For those Member States not issuing eids and e-authentication, the implementation of the Decision will be mostly not applicable as they will not be forced to introduce eid systems. In the context of the Large Scale Pilot STORK on e-identification, in which 17 Member States are involved, a technical solution was developed enabling the use of national eids across borders based on existing national infrastructures as well as authentication. Legislation on cross-border recognition and acceptance would contribute to the sustainability of the achievements delivered by STORK. Member States issuing eids have already established national mechanisms for authenticating national eids. The same mechanisms would be used in the cross-border context.

(i) Will an IA be carried out for this initiative and/or possible follow-up initiatives? (ii) When will the IA work start? (iii) When will you set up the IA Steering Group and how often will it meet? (iv) What DGs will be invited?

(i) Yes, an impact assessment is foreseen.

(ii) The work on the IA process has already started. The work on the IA report started in 2011 (an external contractor will contribute to the report with a study to be contracted by the end of 2011). A public consultation on electronic identification, authentication and signatures has been open from 18 February to 15 April The overall picture is that stakeholders have contrasted views on the causes of low esignature take-up and contrasted opinions on how to address issues.

(iii) An IA Steering Group for the revision of the esignatures directive has been launched. It is foreseen that the group will meet (at least) twice in the period December February

(iv) Given the horizontal nature of the subject, all DGs are invited to participate; in particular MARKT, ENTR, DIGIT, TAXUD (e-invoicing), LEGAL SERVICE, SECRETARIAT-GENERAL, HOME, JUSTICE, SANCO, EMPL.

(i) Is any of the options likely to have impacts on the EU budget above 5m? (ii) If so, will this IA serve also as an ex-ante evaluation, as required by the Financial regulation? If not, provide information about the timing of the ex-ante evaluation.

No.

E. Evidence base, planning of further work and consultation

(i) What information and data are already available? Will existing impact assessment and evaluation work be used? (ii) What further information needs to be gathered, how will this be done (e.g. internally or by an external contractor), and by when? (iii) What is the timing for the procurement process & the contract for any external contracts that you are planning (e.g. for analytical studies, information gathering, etc.)? (iv) Is any particular communication or information activity foreseen? If so, what, and by when?
(i) A number of studies have already been carried out on the existing policy such as: "Study on the Evaluation of the standardisation procedures in the context of the European electronic signature standardization initiative" of 2002, "The legal and market aspects of e-signature" in 2003, "Study on the standardisation aspects of e-signatures" of 2007, IDABC studies on e-signature and e-id interoperability in and the CROBIES study on cross-border interoperability of esignatures were published in August

(ii) Further information was gathered through a public consultation on eid, e-authentication and e-signatures. The in-depth analyses of the feedback received should provide further information on the minimum principles which need to be covered by the Decision.

(iii) N/A

(iv) The public consultation was announced by a press release (IP) on

Which stakeholders & experts have been or will be consulted, how, and at what stage?

Stakeholders:
- Representatives of Member States in CIP/ICT/PSP STORK project, esignature national contact persons, MS committees and groups such as the Expert Group on the Implementation of the Services Directive, the egovernment Subgroup (Dir H), Article 29 Data Protection Group, Privacy Commissioners, Public Procurement Group, e-id users (ex. ehealth, etax).
- Private sector experts (demand and supply sides).
- Wide public via a Special Eurobarometer 359 on Data Protection and Electronic Identity in the European Union (June 2011)

Main events:
- Workshop on eid, e-authentication and e-signatures (10/3/2011)
- "IAS study" workshop on eid, e-authentication and e-signatures (03/10/2011)
- CEN and ETSI Workshop (21/11/2011)
- Public consultation (ended on 15/4/2011)
- Coordinated action on standardisation issues with the other Large Scale Pilots (epsos, SPOCS and PEPPOL) at LSP coordination meeting (several meetings including ETSI-SPOCS meeting in Den Haag, 8/9/2011)
- 16/6/2011 Workshop on "What next for eids and e-signatures?" in the context of the Digital Agenda Assembly. The aim is to highlight the user and business perspective and to get a first view from EU-Institutions on the most important topics to be considered
- Delivery of STORK results including validation of the common specifications for the eidentification and eauthentication models developed by STORK
- Consultation and awareness raising with industry on the proposal of STORK for common specifications for cross border eid management at STORK Industry Group meeting (2Q 2011)
- /11/2011 Polish Presidency's conference on esignature (9-10/11/2011)
- egovernment Conference in Poznan, Poland (17-18/11/2011)
- CEN-ETSI public joint workshop on the esignature standardisation mandate m460, Paris, France, 21/11/2011