http://www.arx.com/about/press-room/interviews/nacho-alamillo-digital-signature-expert




16/06/2014 9:48

An Interview with Nacho Alamillo

Nacho Alamillo (http://es.linkedin.com/in/nachoalamillo/) is a Catalan lawyer who specializes in electronic signatures. He is a CISA, CISM and ITIL-F certified professional who is a member of the EESSI SG and ETSI ESI, and has coauthored several European technical specifications related to trust services. His company Astrea.cat offers compliance services and legal advice to trust service providers, governments and private sector companies.

The EU's new Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (eIDAS) regulation, which significantly revises the previous European Directive on Electronic Signatures 1999/93, was approved by the European Parliament on April 3, 2014 and is expected to be endorsed by the European Council in July 2014. The comprehensive new regulation, which must be implemented by all EU member states, establishes cross-border procedures, requirements and obligations for Trust Services Providers (TSPs) and trust-related services, such as electronic identification, electronic signatures and seals, time stamping and more, as well as for Qualified Signature Creation Devices.

While the eIDAS regulation covers all of these issues and many more, it only provides their basic descriptions. Two central European certification organizations, ETSI and CEN, have been appointed to technically define the legislation by precisely defining each of the issues at hand and establishing the many related norms and standards relevant to the new legislation.

Q: In the past, based on the previous European Directive on Electronic Signatures 1999/93, every country passed local legislation regarding digital signatures. In Spain, for example, there were hardly any options for using a Secure Signature Creation Device (SSCD) to create qualified signatures, so most organizations chose to use only advanced signatures. How do you think this will change once the new regulations are in place?

A: Only a cryptographic microchip was recognized as an SSCD by the Spanish legislation, so the deployment of qualified electronic signature solutions was minimal, slow and ineffective. For example, the DNIe (national electronic identification), which is the main system for qualified electronic signatures in Spain, is used in just 3% of public sector transactions and is not used at all in private sector transactions such as electronic banking. Most of the remaining transactions are authenticated by using either software-based certificates or passwords. With the enactment of the new European regulation, which adopts a more flexible approach, we can deploy new types of SSCDs, particularly those that utilize centralized key management systems. The industry has been successfully experimenting with this innovation for some time, so I'm sure this will make a significant contribution to the use of qualified electronic signatures.

Q: What do you think will be the effect of the new regulation in other European countries?

A: The new European regulation adopted a set of uniform rules that are directly applicable throughout the EU, enabling the creation of truly pan-European services. For example, a trust service provider established in Spain may offer its services throughout the European Union without any impediment from national laws, as was previously the case. This does not imply that national legislation cannot establish additional rules, which would only apply to providers based in their territory. But there will always be a provision that providers from other Member States must not be affected by these additional rules and can continue offering their services to consumers located in that state.

Q: As noted earlier, in contrast to the previous directive, the new regulation presents a very clear picture regarding the use of digital signatures and Qualified Signature Creation Devices across all EU countries. What do you envision will happen in Europe once the regulations with all of their standards and clauses are clearly defined?

A: The new regulation is really a rule of administrative law that amended the previous system by establishing an administrative license before the provision of services, and by creating important legal protection. When the legislative and technical standards are fully developed, we will have all the components required to innovatively deploy qualified electronic signature services with a solid legal basis for authenticity. One key example would be electronic signatures that are created by remote or centralized key-based systems. This approach will boost qualified electronic signatures, which to date have not been widely used, partially due to the fact that citizens found card-based SSCDs difficult to use. In addition, companies that operate in several Member States of the European Union will now be able to optimize their investments using systems that are accepted throughout the Union, while being granted legal certainty.

Q: What do you predict will happen during the interim period until all of the standards and norms are in place, considering that this process could take several years?

A: In principle, the schedule established by the European Standards Organizations has set the end of 2015 as the target date by which all the technical requirements for the conformity assessment of trust services must be formulated, because the regulation is scheduled to be fully applicable as of July 2016. However, to avoid paralyzing the market during this interim period, the regulation allows the usage of ad hoc evaluation mechanisms to prove compliance in some cases. For example, in the case of centralized electronic signature HSMs, the regulation allows this type of device to be certified according to equivalent criteria established by the Member States until a protection profile is defined under Common Criteria. Obviously, companies with products certified under this alternative will have a clear market advantage, as long as the SSCD certification is compulsory under the new regulation.

Q: Will the recognition of Trust Services Providers (TSPs) under the new regulation cause consolidation in the existing CA market?

A: I expect that given the additional costs imposed by the new regulation, the number of service providers that issue trust certificates will be reduced somewhat.

Q: Will CAs and TSPs address the pan-European market or will this continue on a local scope? How will this process work in a court of law, for example?

A: Although the conditions for the provision of services will have been created by the time the new regulation is fully applicable across the Union, this does not necessarily imply that pan-European CAs will be established. This is mostly due to the fact that, at least until national electronic identification systems are deployed, the issuance of certificates will require identification based on personal presence. Therefore, this aspect of the process may continue to operate as a local business. We must also keep in mind that there is hardly any competition between commercial CAs and government organizations issuing national electronic identifiers, at least vis-à-vis citizens.

However, when it comes to services such as creating remote electronic signatures HSM with centralized keys, electronic signature validation, archiving, or registered electronic delivery, all of these may develop successfully on a pan-European scale.

Regarding the judicial process, we have to keep in mind that the new regulation provides legal presumptions that bind all judges within the European Union and apply as long as the legal dispute is resolved in this territory. Furthermore, European contract law allows contracting parties to choose the law that rules the form of a contract between companies. This means that provided a contract with non-European companies is drafted correctly, it could be subject to the regulation and benefit from this special legal regime.

Q: Who will these TSPs be? Governments? Banks? Private companies?

A: In my opinion, governments will be key players in this space, especially regarding certificate issuance. However, banks and private companies may become large consumers of trust services such as the creation of remote electronic signatures based on an HSM with centralized keys, electronic signature validation, archiving, or registered electronic delivery. Therefore, we can assume they will be important players, especially in a self-provision scheme where they deploy technology in house.

Q: Due to the fact that there is a prolonged interim period, there is a risk that organizations may be tempted to acquire short-term solutions that comply only with the existing and interim regulatory demands without thinking ahead. What advice would you offer such organizations?

A: My recommendation is very clear: It is important to do a detailed analysis of the cost of the solution prior to implementation, depending on the defined amortization period. Since the regulation will force the abandonment of solutions that do not meet the requirements established in the new technical standards, some of which we are already acquainted with today, organizations will be forced to replace these interim solutions once their use is prohibited. Organizations would be wise to avoid the cost of double implementation; first of the interim solution and then of the final solution.

Copyright 2014 ARX Inc. All rights reserved