Regulation on electronic identification and trust services for electronic transactions in the internal market

Transcription

1 Informationsgesellschaft, Telekommunikation Regulation on electronic identification and trust services for electronic transactions in the internal market Meaning of the EU-Regulation for the national legal framework for esignatures in Germany - A view from a member state - CA Day

2 Draft provided by the COM 04. Juni 2012 Negotion started September 2012 Proceeding Progress reports from the CYP (20. December 2012) and IRE Presidency (6. Juni 2013). European Parliament (IMCO, ITRE) Amendments 14. October 2013 First informal Trialog (Council, COM, Parliament), Coreper : Mandat to start Trialogue with the EP about Art. 1 to 19 (= first part) on the basis of a common position of the council concerning this articles. January/February 2014 Trialog and Negotions about Art. 20 to 42 Target: First reading agreement bevore the end of the legislation (April 2014); Negotiations have to be finished February 2014!!

3 State of the negotiation

4 Chapter I - General Provision (Art. 1 to 4a) Art. 3 (Definitions) (10) certificate for electronic signature means an electronic attestation which links electronic signature validation data to a natural person and confirms the name or the pseudonym of that person; (12) trust service means electronic services consisting in: - the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps [electronic delivery, website authentication] and certificates related to these services or - the preservation of electronic signatures, seals or certificates related to these services,

5 Chapter I - General Provision (Art. 1 to 4a) Art. 3 (Definitions) (13a) conformity assessment body means a body defined in point 13 of Article 2 of Regulation 765/2008 which is accredited in accordance with that Regulation as competent to carry out conformity assessment of qtsp and qts it provides; (15) qualified trust service provider means a trust service provider who provides one or more qualified trust services and is granted the qualified status by the supervisory body;

6 Chapter II - Electronic Identification (Art 5 to 8) - state of the negotiation proposals discussed - 1. Three assurance levels: Low substantial high 2. Services provided by public sector bodies which require the assurance level substantial or high have to accept notified eid means from other MS if their assurance is equal or higher than the assurance level required by the service. 3. Time for the Implementation Art. 42: 3 years (tbd) after the deadline for adoption of all implementing/delegated acts necessary for the application of chapter II (esp. important for local and regional public sector bodies) 12 month after publication by the COM

7 Chapter III Trust Services (Art. 9 to bis 37) 1. General provisions Art. 9 (Liability and burden of proof) - all TSP are liable for damage caused intentionally or negligently due to failure to comply with the obligations under the Regulation. - for qtsp: shifting of the burden of proof - application in accordance with national rules on liability

8 Supervision (Art. 13 bis 19) part 1 Art. 13 (supervisory body) - Member States shall designate a supervisory body (how? 3 SigG?) - (ex ante/ex post) Supervision of qtsp - ex post supervisory activities, when informed of other TSP (no monitoring!) - MS may provide that SB shall establish, maintain and update a trust infrastructure according to the conditions set by national law. Art. 15 (Security requirements applicable to TS s) - all TSP shall take appropriate measures to mage the risk posed to the security of the trust services they provide. Art. 16 (Supervision of qtsp s) - qtsp shall be audited at least every 24 month (every year?) at their own expense by a conformity assessment body (tbd) : - audit following any significant technological or organizational changes? - audit every three years if the audit reports in the past raised no concern?

9 Chapter III Trust Services (Art. 9 bis 37) Supervision (Art. 13 to 19) Part 2 Art. 17 Initiation of a qualified trust service: - TSP have to submit to the supervisory body a notification of their intention together with a conformity assessment report issued by a conformity assessment body - The supervisory body shall verify the compliance of the TSP with the requirements of the regulation and grant the qualified status to the TSP and the trust services it provides and the updation of the TSL not later than 3 month after notification - qtsp may start to provide the quakified service after the status has been indicated in the TSL Art. 18 Trusted list (TSL)

10 Chapter III Trust Services (Art. 9 to 37) 1. Electronic Signature (Art. 20 to 27, Annex I and II) Art. 20 Legal effects of electronic signatures 1) e-signatures shall not be denied admissibility as evidence in court 2) qes shall have the equivalent effect of a handwritten signature 3) qes issued in one MS shall be recognised as qes in all other MS Art 20a (electronic signature in public services): Par. 1 If an advanced e-signature is required in one MS for the usage in a publicly available service online, advanced e-signature based on a qualified certificate for e signatures and qualified e-signatures issued in another MS shall also be recognised. Par. 3 MS shall not request for the cross-border usage in a publicly avalable service online offered by a public sector body an e-signature at a higher security level than qualified e-signature.

11 Chapter III Trust Services (Art. 9 to 37) 1. Electronic Signature (Art. 20 to 27, Annex I and II) Art. 21 qualified certificates for electronic signatures Par. 1: requirements laid down in Annex I Par. 2: no mandatory requirements exceeding the requirements in annex I! Par. 2a: Qualified certificates may include non-mandatory additional specific attributes. Those attributes shall not affect the interoperability and recognition of qes. Attributes are essential for many services (ehealth, Justice, etc.)!

12 2. Electronic Seals (Art. 28 to 31, Annex III) - New, positiv! - for legal person 3. Electronic time stamp (Art. 32 to 33) 4. Elektronic documents (Art. 34) - not a trust-service - problematic! 5. Electronic delivery service (Art. 3 No. 28, Art. 35 to 36) - Impact unclear - D , epost-brief, etc? 6. Website-authentication (Art. 3 No. 30, Art. 37, Annex IV).

13 Discussion. Harmonisation/ Flexibility/ How much is needed? Interoperability on Innovation/ EU-Level EU-Regulation Individual on eid needs and Trust Services eid Systems/TSP (egovernment-) Application Who has to serve whom? Regulation National Law Which aspects can/should still be regulated by national law?

14 Stefan Altmeppen, LL.M. Federal Ministry of Economics and Energy Scharnhorststr Berlin