Qualified Time Stamping and e-registered Delivery Services: Overall considerations


1 eias Study on an electronic identification, authentication and signature policy
Qualified Time Stamping and e-registered Delivery Services: Overall considerations
Building blocks for secondary legislation
Riccardo Genghini (SG&A, ewitness), Chairman ETSI TC-ESI
In the context of Regulation (EU) No 910/2014: Regulation on electronic identification and trust services

3 Overview of the presentation
- Legislative paradigm shift
- Issues for Implementing Acts for Trust Services
  - Qualified time stamping
  - Qualified e-registered delivery
- Recommendations for drafting Implementing Acts for Qualified Trust Services
- Annexes
  - Annex I: Lists of delegated/implementing acts and existing standards
  - Annex II: Rules for drafting standards with Regulation (EU) No 914/2014 in force

4 Legislative paradigm shift: Directive

5 Legislative paradigm shift: Regulation

6 Legislative paradigm shift
From 1997 Directive to 2014 Regulation
Regulation (EU) No 910/2014, EC normative power and industry standards

7 Key points (cont'd)
The term "qualified":
- in the Directive, even though a legal term, was only used for the certificates, for which there is a technical counterpart, i.e. the qualified certificates as defined by IETF RFC 3739
- in the Regulation, has been extensively used for all aspects of TSPs, thus changing the well-known terminology! => e.g. SSCD replaced by QSCD

8 EC powers given by the Regulation
- The first draft of the Regulation provided 12 types of delegated acts covering all aspects of TSPs, qualified and non-qualified
- That means that the Commission felt it necessary to take up all the normative activities that until then were carried out by the supervisory bodies according to article 3.3 of the 1997/93/EC Directive, in order to ensure European-wide interoperability of electronic signatures and of Trust Services

9 EC powers given by the Regulation (cont'd)
- The approved version of the Regulation, instead, provides only one delegated act, for the criteria to be met by the bodies that carry out security evaluation of QSCDs (art. 30.4)
- The Regulation provides a closed list of cases where the EU Commission may/shall draft secondary legislation to define technical requirements and specifications, i.e. procedures / formats for public services, supervision, etc.

10 EC powers given by the Regulation (cont'd)
- Then, with respect to most industry standards, the Commission may, by means of implementing acts, establish reference numbers of standards but is not empowered to determine their content directly
- EU legislation recognises the ability and the right of industry to self-regulate in the field of (Q)TSs
- Two levels of supervision for guaranteeing an adequate level of security of TSPs

11 Key points
The approval of the Regulation 910/2014/EU introduces important changes in the role of (EU) industry standards for TSs
- FIRST: it is no longer a Directive but a Regulation
- SECOND: it defines when the EC
  a) has the power to define the content of procedures, protocols and formats:
     1. Security Targets for TSPs
     2. Trusted List
     3. Security breaches
     4. Formats and procedures for supervisory bodies
     5. AdES for public administration
     6. EU Trustmark
  b) has the power to just reference industry standards: that is for all other matters related to TSPs

12 EC powers given by the Regulation: Conclusion
- With respect to most aspects of the TSPs, Implementing Acts may/shall (just) reference industry standards
- There was consensus between Commission, EU Parliament and Member States that industry must self-regulate as much as possible, within the legal and supervisory framework provided by the EU Regulation

13 EC powers given by the Regulation: Conclusion (cont'd)
- It is not an ESO task to state if ESO standards comply with the Regulation: this task can only be fulfilled by the EC
- So, in order to avoid confusion, ESOs need to keep the technical terminology consistent and independent from legal terminology
  - it is the law that refers to standards, and not the other way around
- It was exactly the opposite when the Directive allowed national legislations to regulate all aspects of the qualified signature, without any obligation to use/reference (EU or even national) standards

14 EC powers given by the Regulation: Conclusion (cont'd)
- ESOs cannot write standards that act as secondary legislation
- The Regulation has excluded the necessity or possibility of intermediate regulatory acts
  - it was a bold, challenging decision: industry has the opportunity to show its willingness/ability for self-regulation
- ESOs cannot become a parallel/shadow ENISA or surrogate delegated/implementing acts that are not foreseen by the Regulation

15 When the EC is empowered to draft the content of the secondary legislation
This may happen in different ways:
- putting, through an IA (art procedure), an EU administration in charge (like it did with ENISA for security breach notification)
  - no (EU) standard, but a piece of secondary legislation
- issuing a Mandate to ESOs in order to produce a standard (like it did with Trusted Lists) that will be referenced by a delegated or implementing act
  - one or more (EU) standards referenced by an implementing act of the Commission
  - such standards must clearly separate two parts:
    - the purely technical (industry) part
    - the (only eventual) regulatory part that implements or specifies a specific aspect of EU legislation

16 When the EC is empowered to draft the content of the secondary legislation (cont'd)
This may happen in different ways:
- drafting itself a set of rules that is published as a delegated or an implementing act; in this case there will be no (EU) standard, but a piece of secondary legislation to be approved according to article 48.2 of the Regulation

17 1997 Directive vs. 2014 Regulation: (EU) standards

18 1997 Directive vs. 2014 Regulation: (EU) standards

19 Qualified time stamping services: Issues on Implementing Act
1) Legal framework
2) Issues and Recommendations
3) Landscape of specifications

20 1 Legal framework: 1.1 Definitions (Article 3)
(33) "electronic time stamp" means data in electronic form which binds other data in electronic form to a particular time establishing evidence that the latter data existed at that time;
(34) "qualified electronic time stamp" means an electronic time stamp which meets the requirements laid down in Article 42;

21 1 Legal framework: 1.2 Requirements QTimeStamps (Art. 42.2) The Commission may, by means of implementing acts, establish reference numbers of standards for the binding of date and time to data and for accurate time sources. Compliance with the requirements laid down in paragraph 1 shall be presumed where the binding of date and time to data and the accurate time source meets those standards.

22 1 Legal framework: 1.2 Requirements QTimeStamps (Art. 42.2)
A qualified electronic time stamp shall meet the following requirements:
(a) it binds the date and time to data in such a manner as to reasonably preclude the possibility of the data being changed undetectably;
(b) it is based on an accurate time source linked to Coordinated Universal Time; and
(c) it is signed using an advanced electronic signature or sealed with an advanced electronic seal of the qualified trust service provider, or by some equivalent method.
NOTE: it is up to the provider to demonstrate the equivalence via conformity assessment (Rec. 61)

23 1 Legal framework: 1.3 Legal effect (Art. 41)
Legal effect of a qualified electronic time stamp:
- presumption of the accuracy of the date and the time it indicates, and
- the integrity of the data to which the date and time are bound

24 2 Issues & Recommendations: 2.1 different uses for time stamps (1/6)
- Time stamps provide electronic evidence that the data to which they are applied existed at the time indicated in the time stamp
  - data to be time stamped should not be given any particular meaning
- Within the Regulation, time stamps are mainly targeted to documents and signatures/seals
  - a time stamp gives a document a secure date
  - a time stamp gives a signature/seal a secure date, to evaluate the validity status of the qualified certificate at the time of signature or seal creation
  - as the time stamp also guarantees the integrity of the binding of date/time and signature/seal, it can be used for their long term preservation, to extend their trustworthiness beyond their technological validity period

25 2 Issues & Recommendations: 2.2 binding of date and time to data (2/6)
Assurance on the time-stamped data: not addressed by the Regulation. The QTSP is not required to check:
- the truthfulness of the content of the submitted data
- that the data to be time stamped correspond with the intention of the user
- that the received data is exactly what the user has sent (man in the middle); however, this assurance can be provided as an optional service (e.g. using electronic seals) to ensure the origin and the integrity of the received data

26 2 Issues & Recommendations: 2.2 binding of date and time to data (2/6)
- Assurance on time
  - the qualified time stamp provider shall guarantee the integrity of the date and time indication included in the time stamp
- Assurance on date/time and data
  - the qualified time stamp provider shall ensure the integrity of the whole time stamp (e.g. with advanced electronic signature/seal)
- Signature/seal creation is then a critical process that must occur within a secure system
  - signature/seal creation data must be adequately protected
  - requirements similar to those for the qualified electronic signature/seal creation devices (Art. 29 and 39 and Annex II) shall also apply to the electronic signature/seal creation devices used by the qualified time stamp provider

27 2 Issues & Recommendations: 2.3 options for sending data to time stamp (3/6)
- Sending the actual data to be time stamped (i.e. documents, signatures/seals or other data)
  - approach useful if the time stamp provider also offers the long term preservation service
- Sending their digests, calculated through a robust and secure hash function

28 2 Issues & Recommendations: 2.4 accuracy of the time sources (4/6)
- The qualified time stamp provider must use time sources linked, within the declared accuracy, to the Coordinated Universal Time (UTC) timescale that is maintained by the Bureau International des Poids et Mesures (BIPM)
- The required accuracy should depend on the applications; for time stamps issued with different accuracy requirements, either
  - different time sources should be used, each one synchronised with UTC within the related accuracy, or
  - a single time source synchronised with UTC within the strongest required accuracy

29 2 Issues & Recommendations: 2.5 granularity of the time indication (5/6)
- One use of time stamps is to give evidence of documents/data being available at a specific time
- Often a coarse granularity for the time indication is sufficient
  - e.g. to date a document, the date alone is sufficient; there is no need for a time exact to the second
- From a data protection point of view, time stamps provide a means to link information
  - this can be a desired feature, or may be unwanted, e.g. if a person does not want to reveal her exact working time or in which order some documents were finalised and time stamped

30 2 Issues & Recommendations: 2.5 granularity of the time indication (5/6)
- In line with the necessity principle from data protection law, the Regulation does not require the time exact to the second
  - it only demands information on the accuracy
- For these reasons the time stamp provider may use different types of date/time statements, e.g. exact to the day <date>, before <deadline>, in between <date1> and <date2>
- As an alternative to meet the necessity principle: sending the digest of the data to be time stamped instead of the actual data (current practice)

31 2 Issues & Recommendations: 2.6 user's perspective (6/6)
- The relation with the time zone is a possible issue, as the typical time indication is UTC
  - users should be able to view the time stamp referred to their usual time zone
  - the offset to UTC or the time zone abbreviation has to be given
- To bind the time stamp to specific data to be preserved for a long time, these data have to be available to the time stamp provider
  - the user may provide encrypted data to prevent the time stamp provider from accessing the clear text
  - the time stamp would then be bound to the encrypted data; it could not be checked from the decrypted file
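
The digest-based submission (2.3), the day-level granularity (2.5) and the encrypted-data caveat (2.6) described above, as an added Python example that is not part of the original presentation. The token layout and all function names are assumptions; HMAC with a constructed key stands in for the provider's advanced electronic seal, and the XOR keystream stands in for real encryption.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed demo key. HMAC is a stand-in for the provider's advanced
# electronic seal; a real provider signs with an asymmetric key so that
# relying parties can verify without holding any secret.
TSA_SEAL_KEY = b"constructed-demo-seal-key"

FORMATS = {"second": "%Y-%m-%dT%H:%M:%SZ", "day": "%Y-%m-%d"}


def digest(data: bytes) -> str:
    """What the user sends under slide 2.3: the digest, not the document."""
    return hashlib.sha256(data).hexdigest()


def _seal(body: dict) -> str:
    # Seal a canonical encoding so digest, time and granularity are all bound.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(TSA_SEAL_KEY, canonical, hashlib.sha256).hexdigest()


def issue_time_stamp(data_digest: str, now: datetime, granularity: str = "second") -> dict:
    """Provider side: bind a submitted digest to a UTC time statement."""
    if now.tzinfo is None:
        raise ValueError("time source must be timezone-aware (linked to UTC)")
    if granularity not in FORMATS:
        raise ValueError("unsupported granularity")
    gen_time = now.astimezone(timezone.utc).strftime(FORMATS[granularity])
    body = {"hash_alg": "sha256", "digest": data_digest,
            "gen_time": gen_time, "granularity": granularity}
    return dict(body, seal=_seal(body))


def verify_time_stamp(token: dict, data: bytes) -> str:
    """Relying party: check the seal first, then the binding to the data."""
    body = {k: v for k, v in token.items() if k != "seal"}
    if not hmac.compare_digest(str(token.get("seal", "")), _seal(body)):
        return "seal-invalid"
    if not hmac.compare_digest(str(body.get("digest", "")), digest(data)):
        return "data-mismatch"
    return "ok"


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in for encryption (XOR keystream); not a secure cipher.
    Applying it twice with the same key returns the original bytes."""
    keystream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def demo() -> dict:
    document = b"Contract draft v3 (constructed sample)"
    # Constructed local time at UTC-2; the token always states UTC.
    local_now = datetime(2015, 3, 2, 23, 30, 0, tzinfo=timezone(timedelta(hours=-2)))

    token = issue_time_stamp(digest(document), local_now)
    forged = dict(token, gen_time="2014-01-01T00:00:00Z")  # back-dated copy

    # Slide 2.6: the user submits ciphertext, so the token binds the ciphertext.
    key = b"constructed-user-key"
    ciphertext = toy_encrypt(document, key)
    ct_token = issue_time_stamp(digest(ciphertext), local_now, granularity="day")

    return {
        "gen_time_second": token["gen_time"],
        "gen_time_day": ct_token["gen_time"],
        "original": verify_time_stamp(token, document),
        "modified_document": verify_time_stamp(token, document + b"!"),
        "back_dated_token": verify_time_stamp(forged, document),
        "against_ciphertext": verify_time_stamp(ct_token, ciphertext),
        "against_decrypted": verify_time_stamp(ct_token, toy_encrypt(ciphertext, key)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The last two results show why the ciphertext has to be preserved alongside the token: the decrypted file alone can no longer be matched to the time stamp.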

32 3 Landscape of specifications: requirements for signing devices
Currently, one possible set of technical specifications of requirements for these devices is the following set of CEN/ISSS Workshop agreements:
- CEN/ISSS CWA :2004 Cryptographic module for CSP signing operations with backup - protection profile - CMCSOB-PP
- CEN/ISSS CWA :2004 Cryptographic module for CSP key generation services - protection profile - CMCKG-PP
- CEN/ISSS CWA :2004 Cryptographic module for CSP signing operations - protection profile - CMCSO-PP

33 3 Landscape of specifications: requirements for signing devices
The mentioned technical specifications are currently being revised under the EC mandate M/460 and will become:
- CEN TS : "Protection profiles for TSP Cryptographic modules - Part 2: Cryptographic module for CSP signing operations with backup"
- CEN TS : "Protection profiles for TSP Cryptographic modules - Part 3: Cryptographic module for CSP key generation services"
- CEN TS : "Protection profiles for TSP Cryptographic modules - Part 4: Cryptographic module for CSP signing operations without backup"

34 3 Landscape of specifications: format/protocol, policy requirements
One option for technical specifications for time stamp format/protocol and for time stamp provider policy requirements is the set of:
- ETSI TS Ver Policy requirements for time-stamping authorities
- ETSI TS Ver Time stamping profile
These specifications are currently being revised under the EC mandate M/460 and will become:
- EN Policy & Security Requirements for TSPs providing Time-Stamping Services
- EN Time-Stamping protocol and token profile
ETSI TS Ver lists suitable algorithms

35 Conclusion and proposed scenario
- Different applications of the time stamps may have different requirements
  - on accuracy and granularity
  - on data protection
- Time stamp providers may issue time stamps under different policies
- Therefore the set of standards referenced in the Implementing Act should
  - support a broad spectrum of requirements to satisfy actual needs of different applications
  - avoid excessive burdens and be in line with the data protection necessity principle

36 Qualified e-registered delivery services: Issues on Implementing Act
1) Legal framework
2) Issues and Recommendations
3) Landscape of specifications

37 1 Legal framework: 1.1 Requirements for QR edelivery art.44.2 The Commission may, by means of implementing acts, establish reference numbers of standards for processes for sending and receiving data. Compliance with the requirements laid down in paragraph 1 shall be presumed where the process for sending and receiving data meets those standards.

38 1 Legal framework: 1.2 Requirements for QR edelivery art
Qualified electronic registered delivery services shall meet the following requirements:
(a) they are provided by one or more qualified trust service provider(s)
(b) they ensure with a high level of confidence the identification of the sender
(c) they ensure the identification of the addressee before the delivery of the data

39 1 Legal framework: 1.2 Requirements for QR edelivery art (cont'd)
(d) the sending and receiving of data is secured by an advanced electronic signature or an advanced electronic seal of a qualified trust service provider in such a manner as to preclude the possibility of the data being changed undetectably
(e) any change of the data needed for the purpose of sending or receiving the data must be clearly indicated to the sender and addressee of the data

40 1 Legal framework: 1.2 Requirements for QR edelivery art (cont'd)
(f) the date and time of sending, receiving and any change of data are indicated by a qualified electronic time stamp
In the event of the data being transferred between two or more qualified trust service providers, the requirements in points (a) to (f) shall apply to all the qualified trust service providers

41 1 Legal framework: 1.3 related recital (#66)
It is essential to provide for a legal framework to facilitate cross border recognition between existing national legal systems related to electronic registered delivery service. This framework could also open new market opportunities for European Union trust service providers to offer new pan-European electronic registered delivery services.

42 2 Issues & Recommendations: 2.1 objectives
- Objective of the proposed regulation
  - achieve legal effect on the certainty of cross-border e-registered delivery
  - establish qualified e-registered delivery services
- EUMS may have in force national legislation establishing legal equivalence of e-registered delivery and paper registered letter

43 2 Issues & Recommendations: 2.2 legal aspects
- The Implementing Act's (IA) scope is limited to establishing reference numbers of standards for processes for sending and receiving data
  - process intended as a structured, measured set of activities designed to produce a specified output
- The Regulation does not address any type of registered notification that is part of the judicial process and internal to the public administration (art. 8 of Postal Directive)
  - Member States (have) the right to organise (...) the registered mail service used in the course of judicial or administrative procedures in accordance with their national legislation

44 2 Issues & Recommendations: 2.2 legal aspects
- Qualified e-registered delivery simply has the legal value of a presumption that a certain delivery process has been performed
  - scope for several different e-delivery processes, with several different features, for legal procedures, banking, simple s, invoicing,
  - each of such services requires a different identification and a different level of insurance
  - very welcome that many different standards pop up, solving issues specific to their use environment
- The requirements for identifying the receiver are normally less strong than for the sender
  - no eID-like identification, nor in the sense of the postal Directive

45 2 Issues & Recommendations: 2.3 multiplicity of e-delivery services
- Challenging to define the exact boundaries of
  - the identity of sender/receiver
  - the authenticity of the claimed identity
  - and their accountability and responsibility
- Therefore in the field of e-registered delivery
  - multiplicity is unavoidable
  - the Regulation should not stifle innovation
  - the EC must have a way that allows swift recognition of new and effective standards to solve specific issues and to propose innovative e-registered delivery services

46 2 Issues & Recommendations: 2.3 multiplicity of e-delivery services
Trusted e-registered delivery, as the new alternative to contractual agreement in a fully digitalised environment:
- cannot be regulated as an alternative to registered mail and telegrams (national prerogative, according to the TFEU)
- should be open to embrace new paradigms

47 2 Issues & Recommendations: 2.3 multiplicity of e-delivery services
- In this field, there are several different working environments and use cases that need different authentication rules
  - (e.g.) from UPU, with just object and system identification, to LegalXML, which provides double sender and receiver strong authentication
- Each and every use case has its merits and relevance
- There is a significant difference between processes in the various different contexts such as B2B, B2C, C2C, G2C etc.

48 2 Issues & Recommendations: 2.4 issues for establishing standards
- A single standard will never be able to address all requirements
- Many stakeholders with vested interests
- However, few if any of these technical specifications today can be considered open solutions and/or fit the technical requirements of the Regulation, because they eventually lack some requirements provided by Reg. 1025/2012/EU:
  - transparent standardisation process
  - open standardisation process
  - standard publicly available to everybody

49 2 Issues & Recommendations: 2.5 models for future services
From a legal standpoint:
- in open environments, registered e-delivery is better suited to prove that someone that has an obligation to act/inform has duly acted according to the law
- only in closed environments (like legal notifications, judicial proceedings, etc.) registered (if sent and received by professionals) can be used for putting an obligation to act on the receiver
6.2

50 2 Issues & Recommendations: 2.6 economical aspects
- From an economical perspective, e-registered delivery is a broad market field and the creation of a fair level playing field is important
- It can be argued that e-registered delivery in the sense of the Regulation can be some of the e-registered delivery services or e-transactions executions, as well as a single pan-European framework: Connecting Europe Facility
- To grow this market, it is recommended to avoid
  - any stifling of innovation; and
  - creation of unfair competitive advantage for incumbents (e.g. entry barriers, etc.)

51 2 Issues & Recommendations: 2.7 societal aspects
- Attention should be paid to not introducing or enforcing a digital divide between persons/organisations that have access to electronic processes, and those that have not
- Equal attention should be given to the processing of privacy-sensitive information, particularly with regard to selling and re-selling transaction related information that might disclose behaviour or preferences
6.4

52 3 Landscape of specifications: ISO and OASIS
- ISO
  - SWIFT services
- OASIS
  - ebXML Registry TC develops specifications for interoperable registries and repositories
  - ebXML Messaging Services TC develops technology for delivery of business transactions
  - LegalXML for Electronic Court Filing is using XML to create and transmit legal documents among attorneys, courts, litigants, and others

53 3 Landscape of specifications: UPU and ETSI
- UPU (Universal Postal Union) established an Electronic PostMark (EPM)
  - published as an OASIS standard, including a profile of the OASIS Digital Signature Service
- ETSI: ETSI TS Registered Electronic Mail v2.1.1
  - REM architecture (Part 1)
  - Data structures and formats for messages and Evidences (Part 2)
  - Information Security Policy Requirements for provision of REM services (Part 3)
  - REM Conformance requirements (Part 4)
  - Interoperability Profiles for SMTP-based REM (Part 5)

54 3 Landscape of specifications: EU projects and initiatives
European e-SENS Project:
- e-SENS is building on the previous Large Scale Pilot (LSP) outcomes in 3 competence clusters: e-Delivery, Semantics and e-documents, as well as e-identity and e-signatures
- the e-delivery competence cluster is addressing issues that have not been solved during cooperation of STORK (e-delivery pilot), PEPPOL, SPOCS and e-CODEX

55 3 Landscape of specifications: EU projects and initiatives (cont'd)
Connecting Europe Facility (CEF):
- CEF includes the Digital Service Infrastructure (DSI), established to connect Member State players
  - they keep freedom at national level
- DSI will enable cross-border delivery of services of common interest
- as such, e-delivery CEF-DSI is the critical layer underpinning the technical implementation of e-registered delivery services across the EU

56 Conclusion and proposed scenario (1/2)
- Important that e-registered delivery is and remains open to innovation
  - models of legal notifications and registered mail should be just possible options in a wide range of models
- Innovative solutions must have the opportunity to become qualified services, even if they solve just specific issues and serve well-defined communities
  - the standards shall rely on current and future established industry standards: SMTP, FTP, HTML, etc.

57 Conclusion and proposed scenario (2/2)
In this perspective, any future scenario should establish a mechanism that allows:
- ESOs and Organisations and International Standardisation Bodies to submit a proposal for an e-registered delivery standard to be referenced by the EC mandate
- a transparent review of the proposed standard, checking that it does not lack any of the properties required by Regulation (EU) No 1025/2012, in particular:
  - transparent standardisation process
  - open standardisation process
  - standard publicly available to everybody, free or upon payment (like CEN and ISO standards)

58 Recommendations for drafting Implementing Acts for Qualified Trust Services

59 Electronic items
Chapter III (Trust Services) of the Regulation defines a number of electronic items:
- trust services, or
- the objects the providers of such services (or the general public) use: e.g. the electronic signature/seal devices
- the objects the providers of such services (or the general public) produce: e.g. electronic evidences like the electronic signatures and seals, the electronic time stamps,

60 Secondary legislation and electronic items (cont'd)
- Secondary legislation, particularly the IAs, is the tool provided in the Regulation to define technical requirements and specifications for the electronic items to meet the requirements laid down in the Regulation
  - directly, or
  - indirectly, through reference to sets of standards
- Electronic items conforming to the standards referenced in the IAs shall be presumed to meet the requirements specified in the Regulation and are referred to as qualified

61 Secondary legislation and electronic items (cont'd)
- The extensive provision of IAs in the Regulation gives great flexibility and allows the definition of an overall legal subframework of references to sets of standards
  - for this reason it is necessary to identify best practices to draft the IAs, e.g. how they relate to each other
- Need to
  - identify the qualified electronic items defined in the Regulation that require or may have IAs to reference technical standards
  - verify how such items are related to each other through a dependency analysis

62 Items requirements and IA deps
[Table not recoverable from the transcription: a dependency matrix whose cells are marked X, X (*) or X (**).
Implementing Acts: Art. 27(4), Art. 27(5) AdESig; Art. 28(6) QC for ESig; Art. 29(2) QESigCD; Art. 30(3) Certif. QESigCD; Art. 31(3) Notif. of Cert. QESigCD; Art. 32(3) Validation of QESig; Art. 33(2) QESig validat. service; Art. 34(2) QESig preserv. service; Art. 37(4), Art. 37(5) AdESeal; Art. 38(6) QC for ESeal; Art. 42(2) QETStamp; Art. 44(2) QERDelivery service; Art. 45(2) QC for Web Site Auth.
Items requirements: Art. 26 AdESig; Art. 28, Annex I QC for ESig; Art. 29, Annex II QESigCD; Art. 30 Certif. QESigCD; Art. 31 Publ. of Cert. QESigCD; Art. 32 Validation of QESig; Art. 33 QESig validat. service; Art. 34 QESig preserv. service; Art. 36 AdESeal; Art. 38, Annex III QC for ESeal; Art. 39 QESealCD (m.m.); Art. 40 QESeal valid./preserv. (m.m.); Art. 42 QETStamp; Art. 44 QERDelivery service; Art. 45, Annex IV QC for Web Site Auth.]

63 Summary of dependencies among items
[Diagram not recoverable from the transcription.
Group labels: trusted services, procedures, objects.
Item labels: QESig validation service, QESig preserv. service, QC issuing service, QESeal validation service, QESeal preserv. service, QETS service, QERD service, QESig validation, QESeal validation, QESigCD certificate publication, QESealCD certificate publication, QESigCD certification, QESealCD certification, AdESig, QC for ESig, QESigCD, AdESeal, QC for ESeal, QESealCD, QC for web site.
Legend: strong std dep, weak std dep, no std dep.]

64 Dependencies among Item, standards and Implementing Acts
- The intrinsic functional dependencies among the items as defined in the Regulation will imply
  - the dependencies among the standards that specify such items (that might be turned into cross-reference among the standards) and, in turn,
  - the dependencies among the IAs referencing such standards (that might be turned into cross-reference among the IAs)
- Given the relevant number of dependencies among items, the set of IAs should be structured to avoid that updating one IA causes all others to be amended
  - e.g. use of hub model for cross-referencing IAs

65 Hub model for cross-referencing IAs
[Diagram: Supervision IA referencing the QC for ESig IA, QESigCD IA, QESig validat. Service IA, QESig preserv. Service IA, QETS service IA and QERD service IA]

66 Other legal issues for IAs
- Given the relevant number of dependencies among items:
  - need to avoid the assumption that any presumption (or legal effect) related to an IA depends on respecting all related IAs that might be referenced within the former
- This is particularly dangerous, because after the trustworthiness and efficiency of the Courts, the most important criterion for assessing a legal system is (lack of) formalism.

67 Other legal issues for IAs (cont'd)
- Therefore, if a service can be considered as qualified if and only if all signatures, all time stamps, all assessments by the auditors, all the QESCDs, all the QCs, and so on are compliant to the IAs and to the standards, the resulting legal framework would be too formal for the market, which will likely choose the non-qualified services
- Need for coordination between the Regulation (EU) No 910/2014, the EU secondary legislation (specifically the Implementing Acts) and the national legislation/regulations which the EU Regulation expressly refers to.

68 Conclusion
- For a qualified Trust Service Provider and the Trust Service(s) it provides, any formal error or issue beyond the statement of a qualified trust service provider is only possibly relevant if so decided with respect to a specific case by a Court or an Authority with legal powers to do so
  - this means that security issues, formal issues, problems in the auditing or in the supervision shall not have any impact on the qualified nature of the QES, QC, Qualified Time Stamps and other Qualified Trust Services defined in the Regulation, unless so decided on a case by case basis by a Court

69 Conclusion (cont'd)
- Indeed the Regulation does not empower the supervisory authorities to invalidate in general terms QES, QC, Qualified Time Stamps and other Qualified Trust Services
- This is consistent with the best practices in relevant supervised activities (like banking and notaries, in particular): the supervision impacts on the supervised entities only
- Some supervision authorities can invalidate single acts of the supervised entities if the law entrusts them such powers (e.g. for the notaries), but if the supervised entities do not agree with the decision of the supervisor, they can address the Courts

70 Thanks for the attention! Questions?

71 Annex I: Lists of delegated/implementing acts and existing standards

72 List of requirements and specs that can be written as secondary legislation
[Secondary legislation involving European Standardisation Organisations (ESOs) highlighted with red]
- Commission is empowered to adopt delegated act for the establishment of specific criteria to be met by the designated bodies that carry out security evaluations of electronic signature creation devices (Art of Regulation (EU) No. 910/2014);
- Commission may adopt implementing acts to define the formats and procedures for the security breach report (Art. 17.8); [ENISA is working on this matter]
- Commission may adopt implementing acts to further specify the appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide (Art. 19.4a);

73 List of requirements and specs that can be written as secondary legislation
- Commission may adopt implementing acts to define the formats and procedures, including deadlines, applicable for notifying the supervisory body and, where applicable, other relevant bodies, such as the competent national body for information security or the data protection authority, of any breach of security or loss of integrity that has a significant impact on the trust service (Art. 19.4b); [ENISA is working on this matter]
- Commission may adopt implementing acts to define the formats and procedures for submitting to the supervisory body a notification of their intention to start a qualified trust service, together with a conformity assessment report issued by a conformity assessment body (Art. 21.4)

74 List of requirements and specs that can be written as secondary legislation
Commission may adopt implementing acts to define the formats and procedures that the supervisory body shall use for verifying whether the trust service provider and the trust services provided by it comply with the requirements laid down in this Regulation, and in particular, with the requirements for qualified trust service providers and for the qualified trust services they provide (Art. 21.4)
Commission before 18 September 2015 shall adopt implementing acts to specify the information to be published on the trusted lists, including the information related to the qualified trust service providers for which the member states are responsible, together with information related to the qualified trust services provided by them (Art. 22.5)
Commission before 18 September 2015 shall adopt implementing acts to define the technical specifications and formats for trusted lists (Art. 22.5) [ETSI TS , TS ]

75 List of requirements and specs that can be written as secondary legislation
Commission before 1st July 2015 shall adopt implementing acts to provide specifications with regard to the form, and in particular the presentation, composition, size and design of the EU trust mark for qualified trust services (Art. 23.3) [No matter of standardisation]
By 18 September 2015, and taking into account existing practices, standards and legal acts of the Union, the Commission shall, by means of implementing acts, define reference formats of advanced electronic signatures used in public services or reference methods where alternative formats are used (Art. 27.5) [ETSI EN , EN , EN ]

76 List of requirements and specs that can be written as secondary legislation
Commission may, by means of implementing acts, define formats and procedures applicable for the notification of information on qualified electronic signature creation devices that have been certified (or whose certification has been cancelled) by the designated bodies referred to in Article 30(1) (Art. 31.3)
By 18 September 2015, and taking into account existing practices, standards and legal acts of the Union, the Commission shall, by means of implementing acts, define reference formats of advanced electronic seals used in public services or reference methods where alternative formats are used (Art. 37.4) [ETSI EN , EN , EN ]

77 List of requirements and specs that secondary legislation can only reference as industry standards
(Art. 20.4a) for accreditation of the conformity assessment bodies and for the conformity assessment report [ETSI EN ]
(Art. 20.4b) for auditing rules under which conformity assessment bodies will carry out their conformity assessment of the qualified trust service providers
(Art. 24.5) for trustworthy systems and products, which comply with the requirements under points (e) and (f) of paragraph 2 of article 24 [CEN EN ]
(Art. 27.4) for advanced electronic signatures formats [ETSI EN , EN , EN ]
(Art. 28.6) for qualified certificates for electronic signature [ETSI EN parts 1, 2 and 5]
(Art. 29.2) for qualified electronic signature creation devices

78 List of requirements and specs that secondary legislation can only reference as industry standards
(Art. 30.3) for security assessment of qualified electronic signature creation devices [possibly ISO standards ]
(Art. 32.3) for the validation of qualified electronic signatures [ETSI EN ]
(Art. 33.2) for qualified validation service of qualified signatures [future ETSI EN ]
(Art. 34.2) for the qualified preservation service for qualified electronic signatures [ETSI TS , future ETSI EN and EN ]
(Art. 37.4) for advanced electronic seals formats [ETSI EN , EN , EN ]
(Art. 38.6) for qualified certificates for electronic seals [ETSI EN parts 1, 2, 3 and 5]

79 List of requirements and specs that secondary legislation can only reference as industry standards
(Art. 42.2) for the binding of date and time to data and for accurate time sources [CEN EN , EN , EN ]
(Art. 44.2) for processes for sending and receiving data [for REM ETSI TS and future ETSI EN ]
(Art. 45.2) for qualified certificates for website authentication [ETSI EN parts 1, 2, 4 and 5]

80 Annex II Rules for drafting standards with Regulation (EU) No 914/2014 in force

81 No need anymore for a standard in the PKI domain to reference EU legislation, because today there is a whole world of technical standards that can be referenced.
In 1997, there was no European standard for HW security of SSCD, only a NIST standard (FIPS 140-1); now there is a CC PP for SSCD (CEN CWA 14169), and so on.
Today standards can (must) reference other standards, particularly if they are widely adopted.
Today the EU law references (EU) standards, as we have seen; the possibility to bypass standards and create secondary legislation has been strictly limited by the Regulation.

82 Writing standards: conclusions
There is only one method to write standards that are fit to be referenced by the Commission and that respect the fundamental principles stated in the Regulation.
The legal principles are:
never reference the (EU) law, unless it is strictly necessary to do so, like in the case of Trusted Lists; possibly insert informative text/annexes with the mapping between the (EU) law requirements and ESO standard clauses

83 Writing standards: conclusions (cont'd)
references to the (EU) law have to be specific: whenever technical rules and legal rules are identical and there is no explicit reference from the standards to the law, the standard represents an industry best practice and not the implementation of a legal rule (essential for IPR issues)

84 Writing standards: conclusions (cont'd)
technical terminology must remain unchanged: a legal term can be used in a technical standard only where there is a legal requirement to do so;
ambiguities must be avoided when a term can be legal or technical; e.g. in ETSI 2015 public drafts:
EU Qualified Certificate is a certificate stated to be in accordance with Annex I, III or IV of the Regulation (EU) No 910/2014 or annex I of the Directive 1999/93/EC, whichever is in force at the time of issuance, to distinguish the EU legal term qualified certificate from the technical term defined in IETF RFC 3739
Qualified electronic Signature/Seal Creation Device (QSCD): as specified in Regulation (EU) No 910/2014
secure cryptographic device: for secure hardware not meeting all requirements defined in the Regulation


More information

De-Mail. A reliable and secure online communication platform. Armin Wappenschmidt (secunet) More information: www.de-mail.de

De-Mail. A reliable and secure online communication platform. Armin Wappenschmidt (secunet) More information: www.de-mail.de De-Mail A reliable and secure online communication platform Armin Wappenschmidt (secunet) More information: www.de-mail.de 1 Agenda Overview of De-Mail Implementation aspects Current status and outlook

More information

INDEPENDENT AUDIT REPORT BASED ON THE REQUIREMENTS OF ETSI TS 101 456. Aristotle University of Thessaloniki PKI (www.pki.auth.gr) WHOM IT MAY CONCERN

INDEPENDENT AUDIT REPORT BASED ON THE REQUIREMENTS OF ETSI TS 101 456. Aristotle University of Thessaloniki PKI (www.pki.auth.gr) WHOM IT MAY CONCERN Title INDEPENDENT AUDIT REPORT BASED ON THE REQUIREMENTS OF ETSI TS 101 456 Customer Aristotle University of Thessaloniki PKI (www.pki.auth.gr) To WHOM IT MAY CONCERN Date 18 March 2011 Independent Audit

More information

Declaration of Internet Rights Preamble

Declaration of Internet Rights Preamble Declaration of Internet Rights Preamble The Internet has played a decisive role in redefining public and private space, structuring relationships between people and between people and institutions. It

More information

Pursuant to Convention No. 108 of the Council of Europe for the protection of persons with regard to the automated processing of personal data;

Pursuant to Convention No. 108 of the Council of Europe for the protection of persons with regard to the automated processing of personal data; Decision No. 2011-316 dated 6 October 2011 adopting a standard for delivering privacy seals in audit procedures covering the protection of persons with regard to the processing of personal data The French

More information

Study on Mutual Recognition of esignatures: update of Country Profiles Analysis & assessment report

Study on Mutual Recognition of esignatures: update of Country Profiles Analysis & assessment report Study on Mutual Recognition of esignatures: update of Country Profiles This report / paper was prepared for the IDABC programme by: Coordinated by: Hans Graux (time.lex), Guy Lambert (Siemens), Brigitte

More information

TTP.NL Guidance ETSI TS 101 456

TTP.NL Guidance ETSI TS 101 456 ECP.NL TTP.NL on ETSI TS 101 456 Project TTP.NL on ETSI TS 101 456 30 May 2002 ECP.NL, CCvD-TTP.NL TTP.NL on ETSI TS 101 456 Table of Contents Table of Contents... 2 Foreword... 3 1 Scope... 4 2 References...

More information

Hungarian Electronic Public Administration Interoperability Framework (MEKIK) Technical Standards Catalogue

Hungarian Electronic Public Administration Interoperability Framework (MEKIK) Technical Standards Catalogue Hungarian Electronic Public Administration Interoperability Framework (MEKIK) Technical Standards Catalogue Zsolt Sikolya Ministry of Informatics and Communications (IHM) Tel: +3614613366, Fax: +3614613548

More information

DIRECTIVE 2014/32/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

DIRECTIVE 2014/32/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL 29.3.2014 Official Journal of the European Union L 96/149 DIRECTIVE 2014/32/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 26 February 2014 on the harmonisation of the laws of the Member States relating

More information

ETSI EN 319 401 V1.1.1 (2013-01)

ETSI EN 319 401 V1.1.1 (2013-01) EN 319 401 V1.1.1 (2013-01) European Standard Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers supporting Electronic Signatures 2 EN 319 401 V1.1.1

More information