LAW OF MONGOLIA ON ELECTRONIC SIGNATURE

December 15, 2011
Ulaanbaatar

CHAPTER ONE
GENERAL PROVISIONS

Article 1. Purpose of the law
1.1 The purpose of this Law is to determine the legal basis for using electronic and digital signatures and to regulate relations arising out of the establishment of the infrastructure of the public key digital signature.

Article 2. Legislation on electronic signature
2.1 Legislation on electronic signature shall comprise the Constitution of Mongolia, the Civil law, this Law and other legislative acts enacted in conformity therewith.
2.2 If an international treaty to which Mongolia is a party is inconsistent with this law, the provisions of the international treaty shall prevail.

Article 3. Application of the law
3.1 Relations connected with transferring and transiting information and documents, except those regarded as a state secret, shall be regulated by this law.
3.2 Relations connected with the license to provide digital signature certificates which are not regulated by this law shall be regulated by the relevant provisions of the Law on Licensing.
3.3 Relations arising from making contracts electronically which are not regulated by this law shall be regulated by the relevant provisions of the Civil Code.

Article 4. Definitions of terms
4.1 The terms used in this law are defined as follows:
4.1.1 "electronic signature" means electronic data in the form of an attached or aggregated word, letter, number, sign or shape that describes the person who signed an electronic document;
4.1.2 "digital signature" means information created by cryptograph conversion using the private key of the digital signature; it is a type of electronic signature, which is formation of these documents;
4.1.3 "cryptograph" means a branch of mathematical science that studies methods of hiding information;
4.1.4 "electronic document" means electronic data which can be created, sent, received and kept using information technology equipment and programs;
4.1.5 "private key of digital signature" means a unique ordering of characters used to create a digital signature and resolve data;
4.1.6 "public key of digital signature" (hereinafter referred to as "public key") means a sequence of characters which is mathematically related to the digital signature private key, for data confidentiality and verification of the digital signature;
4.1.7 "digital signature holder" means a person or legal entity who holds the public key of the digital signature stated in a digital signature certificate;
4.1.8 "digital signature certificate" means an electronic document, provided by the holder of a license to provide digital signature certificates, concerning digital signature tenure, the public key of the digital signature and other relevant information;
4.1.9 "digital signature database" means a database containing information on suspended, extended and invalidated digital signature certificates provided by the holder of a license to provide digital signature certificates;
4.1.10 "registration unit of license holder" means a body entitled with the rights to receive and register digital signatures, resolve the information, reject it or grant it to the license holder, and to advise in connection with the application;
4.1.11 "infrastructure of the public key" means a structure for creating, organizing, dividing, using, saving or invalidating the private or public key of the digital signature and for introducing and using it in the electronic connection;
4.1.12 "digital signature tool" means equipment or a program which makes it possible to create the digital signature of an electronic document using the digital signature private key, or to verify a digital signature using the digital signature public key which is part of the electronic document;
4.1.13 "certificating policy" means a document that describes the general tendency of the certificate name, type, arrangement, duty, responsibility, payment and charges of the certificate issuance body;
4.1.14 "certificating procedure" means the requirements for the activity of a license holder who conducts the activity of issuing digital signature license, and a document that describes the safety and general method of control of its activity.

CHAPTER TWO
USAGE OF ELECTRONIC AND DIGITAL SIGNATURE

Article 5. Electronic signature usage
5.1 Unless otherwise provided by law, electronic signatures shall be treated as equivalent to handwritten signatures.
5.2 The number and forms of electronic signatures held by the subscriber shall not be limited.

Article 6. Digital signature usage
6.1 A digital signature confirmed by a digital signature certificate issued by the holder of a license to issue digital signature certificates referred to in article 18 of this law (hereinafter referred to as "license holder") shall be treated as equivalent to a regular signature.
6.2 A person or legal entity with a digital signature certificate issued by a license holder can use a digital signature.
6.3 Government bodies and fully or partially state-owned enterprises shall use only digital signatures to transfer and transit electronic documents.
6.4 The Government shall adopt a general rule for recording official work in electronic form.
6.5 A contract that is required by law to be in written form, except a contract which the Civil Code requires to be certified by a notary or registered, may be made in electronic form.
6.6 If a legal entity is a digital signature certificate holder, the person authorized to represent the legal entity shall use the digital signature.
6.7 Relations relevant to the usage of digital signatures which are not accurately regulated by this law shall be regulated by other relevant laws.

Article 7. Digital signature tool
7.1 The digital signature tool should ensure whether the digital signature is relevant to the digital signature certificate holder and whether the documents are integral.
7.2 Tools shall meet the following requirements when creating a digital signature or keeping a digital signature private key (hereinafter referred to as "private key"):
7.2.1 to be able to determine whether the content of the digital signature document has been changed;
7.2.2 to be able to recognize the digital signature certificate holder;
7.2.3 to be able to determine whether the digital signature was made fraudulently;
7.2.4 to ensure the condition that prevents illegal usage of the private key;
7.2.5 to ensure the confidentiality or singularity of the private or public key (hereinafter referred to as "public key") of the digital signature when establishing or transferring it.

Article 8. Seal replacement
8.1 When a document that is sealed or is required to be sealed is transferred or transmitted (received) electronically, an additional digital signature of the person authorized to seal must be used in addition to the signature referred to in provisions 6.2 and 6.5 of this law.

Article 9. Disclosed information
9.1 The license holder shall upload the following information to its website and information board and should renew it constantly:
9.1.1 Information referred to in provisions 11.1 and 11.2 of this law;
9.1.2 Procedure to issue digital signature certificates;
9.1.3 Statement on revoking, suspending and recovering digital signature certificates;
9.1.4 Information relevant to the revoked, suspended digital
signature certificate;
9.1.5 Other information referred to in the legislation.

CHAPTER THREE
DIGITAL SIGNATURE CERTIFICATE

Article 10. Issuing digital signature certificate
10.1 The license holder may issue a digital signature certificate to a person or legal entity who applied in accordance with the procedure referred to in provision 34.1.5 of this law.
10.2 A person or legal entity shall submit an application to obtain a digital signature certificate to the license holder or the registration unit of the license holder.
10.3 The license holder shall verify, through the ID number or a document treated as equal to it, whether the information relevant to the person or legal entity set forth in provision 10.1 of this law is accurate.
10.4 The body indicated in provision 10.2 of this law shall verify the accuracy of the application information as referred to in provision 10.3 of this law and shall take one of the following decisions:
10.4.1 If the application information is accurate, the license holder shall issue the certificate;
10.4.2 If the application information is accurate, the registration unit of the license holder (hereinafter referred to as "registration unit") shall send the application and the form filled in by the applicant to the license holder to issue the digital signature certificate;
10.4.3 If the applicant's information is incorrect or inaccurate, the application shall be returned to the applicant.
10.5 The body indicated in provision 10.2 of this law is obliged to explain the following matters to the applicant:
10.5.1 unless otherwise stipulated by law, using a digital signature has the same legal consequences as using a regular signature;
10.5.2 technical and other conditions of using and possessing the certificate;
10.5.3 private key safety and security measures.
10.6 The certificate shall be issued to the digital signature holder together with directions for the usage of the digital signature, and it should be registered in the digital signature database.

Article 11. The certificate content
11.1 The certificate must include the following:
11.1.1 name and address of the issuing body;
11.1.2 name and electronic address of the digital signature holder;
11.1.3 certificate number and date of issuance;
11.1.4 valid date of the certificate;
11.1.5 public key;
11.1.6 public key certified cryptograph convert names.
11.2 In addition to the information referred to in provision 11.1 of this law, the following information can be added to the certificate at the request of the certificate holder:
11.2.1 Limitation of the right to use the digital signature;
11.2.2 Limitation on the amount of the agreement using the digital signature;
11.2.3 Others.

Article 12. Term of the certificate
12.1 The certificate shall be granted for a term of up to 2 years.

Article 13. Suspending the certificate
13.1 If the license holder detects a violation, or is reviewing a dispute at the request of the certificate holder, the license holder shall verify the violation and must suspend the certificate until the violation is eliminated, and shall restore the certificate's validity as soon as the violation is eliminated.

Article 14. Revoking the certificate
14.1 The license holder shall revoke a certificate under the following conditions:
14.1.1 the term of the certificate has expired;
14.1.2 the digital signature certificate holder shall notify the license holder when the private key is disclosed or a possibility of disclosure has occurred;
14.1.3 the certificate holder submits a request to revoke the certificate;
14.1.4 upon the death of an individual certificate holder or the liquidation of a legal entity;
14.1.5 if it is proven that false application documents have been submitted;
14.1.6 the certificate holder failed to fulfill its obligation referred to in provision 16.2 of this law.

Article 15. Notification of revoking and suspending of certificate
15.1 In case of revoking or suspending the certificate, the license holder shall notify the digital signature certificate holder and shall enter the relevant information in the digital signature database within six hours.

Article 16. Rights and obligations of the certificate holder
16.1 A certificate holder shall have the following rights:
16.1.1 to use the digital signature;
16.1.2 to submit a request to revoke, suspend or recover the certificate;
16.1.3 other rights referred to in legislation.
16.2 A certificate holder shall have the following obligations:
16.2.1 not to transfer the private key to others;
16.2.2 to secure the confidentiality of the private key;
16.2.3 to immediately notify the counterpart and the license holder if the private key is known by another person or there is reasonable reason to believe that it might be known;
16.2.4 other obligations referred to in legislation.
16.3 The certificate holder shall bear responsibility for losing the private key or disclosing the confidentiality of the private key through own fault.

Article 17. Digital signature certificate of foreign country
17.1 A certificate issued according to relevant foreign legislation can be used in Mongolia.

CHAPTER FOUR
LICENSE FOR CERTIFICATION SERVICE PROVIDER

Article 18. License for certification service provider
18.1 The activity of issuing certificates shall be exercised with a license granted by the State Administrative body in charge of communication (hereinafter referred to as "State Administrative body").
18.2 A license to issue certificates can be granted to a company which is established and operating under Mongolian legislation.
18.3 A legal entity using public key infrastructure for its internal
operations is not required to have a license.

Article 19. General requirements for the license applicant
19.1 The license applicant shall meet the following requirements:
19.1.1 shall develop and adopt its own certificating policy and certificating procedure according to the international standard;
19.1.2 shall fulfill the financial, human resource, technical, technological and safety requirements stipulated by the State Administrative body.

Article 20. Required documents for license application
20.1 The license applicant shall submit the following documents in addition to those referred to in provisions 11.1.1-11.1.4 of the Law on Licensing and provision 13.2.1 of the Law on Communication:
20.1.1 certificating policy;
20.1.2 certificating procedure.

Article 21. Issuing a license
21.1 The State Administrative body can issue a license to a license applicant who has met the conditions referred to in article 19 of this law, in accordance with the term referred to in article 12 of the Law of Mongolia on Licensing.
21.2 The State Administrative body shall conduct the following activities upon receiving an application:
21.2.1 to register the application and give a statement to the applicant;
21.2.2 to review the application and other relevant documents to determine whether they meet the requirements referred to in law;
21.2.3 to give notification on issuing the license as a result of
reviewing in person whether the applicant meets the requirements referred to in provision 19.1 of this law;
21.2.4 to issue the license after the person who received the notification has submitted the relevant documents with covered liability insurance.
21.3 If the State Administrative body refuses to issue a license, the reason shall be explained to the applicant in written form or sent by e-mail.
21.4 The State Administrative body shall inform the public of the decision to issue a license within three business days.
21.5 The State Administrative body shall determine the minimum amount of the liability insurance referred to in provision 21.2.4 of this law.

Article 22. Charges
22.1 The license holder shall pay the state stamp fee in accordance with the term referred to in the Law on State Stamp Fee.

Article 23. Term of the license
23.1 The license shall be issued for four years.

Article 24. Extension of a license
24.1 The license holder can submit a request for extension to the State Administrative body one month before the expiry date of the license.
24.2 The following documents shall be attached to the request to extend the license:
24.2.1 license copy;
24.2.2 payment receipt of the state stamp fee.
24.3 The State Administrative body shall decide whether to extend a license within five business days after receiving the request referred to in provision 24.1 of this law.
24.4 The license shall be extended for four years.
24.5 The State Administrative body shall report to the public and shall make a note in the license registration within three business days after the decision to extend the license has been made.
24.6 The license holder shall notify the certificate holder within one month if the license holder is not extending the license.

Article 25. Suspending a license
25.1 A license shall be suspended in accordance with article 13 of the Law of Mongolia on Licensing.

Article 26. Prohibition of license transfer
26.1 In accordance with provision 5.3 of the Law of Mongolia on Licensing, it is prohibited to sell, present, pledge or transfer the license by other forms to the ownership, possession and exploitation of others.

Article 27. Revoking a license
27.1 The State Administrative body revokes a license on the following grounds:
27.1.1 the legal entity has been liquidated;
27.1.2 it is proven that false application documents have been submitted;
27.1.3 terms and requirements of the license have been breached consequently, seriously breached;
27.1.4 requirements to eliminate breaches have not been met within the suspension period;
27.1.5 the private key is lost or its confidentiality is disclosed.
27.2 The State Administrative body shall notify about revoking the license
to the license holder in accordance with the procedure referred to in provision 14.2 of the Law of Mongolia on Licensing, and the reasons for such revocation shall be explained to the applicant in written form and sent by e-mail within three business days after the decision has been made.
27.3 If the holder does not agree with the reason for revocation referred to in provision 27.2 of this law, evidence documents shall be sent to the State Administrative body.
27.4 The State Administrative body shall, after reviewing the evidence documents referred to in provision 27.3 of this law, revoke the statement to revoke the license, and shall revoke the license if it is unreasonable, and shall notify the license holder of the decision.
27.5 The license holder has the right to submit a claim to the court if the holder does not agree with the decision to revoke the license in accordance with the term referred to in provision 27.4 of this law.

Article 28. Grounds of termination of a license
28.1 A license shall be terminated on the following grounds:
28.1.1 the license has expired;
28.1.2 the State Administrative body has terminated the license.
28.2 The license holder shall hand over the license and the data stored in the digital signature database to the State Administrative body when the license is terminated.
28.3 In the case referred to in provision 28.2 of this law, the State Administrative body shall transfer the digital signature database created and kept by the former license holder to a different license holder on the basis of a contract.
28.4 In the case referred to in provision 28.3 of this law, the same terms and conditions of the license of the digital signature holder shall be preserved.

Article 29. Rights and obligations of the license holder
29.1 The license holder has the following rights:
29.1.1 to issue, suspend, recover and revoke certificates;
29.1.2 to determine the service fee for issuing certificates in accordance with the method adopted by the State Administrative body;
29.1.3 to create a public key at the request of the user;
29.1.4 to establish a registration agency and order others to fulfill the duty to register;
29.1.5 to verify, through the citizenship card number or a document treated as equivalent to it, whether the information relevant to the person or legal entity set forth in provision 10.1 of this law is accurate;
29.1.6 other rights referred to in legislation.
29.2 The license holder has the following obligations:
29.2.1 to provide for the safety and security of the private key possessed by the entity;
29.2.2 to engage in activity which meets the technical and safety requirements defined by the State Administrative body;
29.2.3 to record registration relevant to certificates and to collect the certificate database;
29.2.4 to fulfill legal demands from the State Administrative body and the state inspector in a timely manner, to report, and to take measures to remove detected violations;
29.2.5 to give accurate information about the reviewing and registration of certificates in accordance with the demand of the State Administrative body;
29.2.6 to notify the State Administrative body in writing within 3 business days in the case of occurrence of a change in the license and/or in the documents submitted when obtaining it;
29.2.7 to notify a certificate holder of factors which may seriously affect the accuracy and integrity of information provided in the signature certificate;
29.2.8 to prevent fraudulent certificates and to take measures to provide for their safety and confidentiality;
29.2.9 to use harmless, confidential and efficient technology and digital signature tools which meet the international standard;
29.2.10 to follow laws and regulations and international and domestic standards in its activity;
29.2.11 not to disclose private confidential information of the digital signature holder and not to make changes to the certificate without permission;
29.2.12 to post the information referred to in provision 9.1 of this law on its website and to update it regularly;
29.2.13 to take measures to provide conditions to verify certificates in accordance with the procedure referred to in this law, to suspend, revoke and protect them, and to prevent the issuing of counterfeit certificates;
29.2.14 other obligations referred to in law.
29.3 "Update regularly" as referred to in provision 29.2.12 of this law means updating the information referred to in provision 9.1 of this law not less than once every week, or updating it when necessary.

Article 30. Registration unit
30.1 The registration unit stipulated in provision 29.1.4 of this law has the following obligations:
30.1.1 to give the registration information of the user to the license holder;
30.1.2 to use the digital signature tool provided by the license holder;
30.1.3 not to copy the public key when transferring the information of the user to the license holder.

Article 31. Recording registration relevant to the certificate
31.1 The license holder shall record registration relevant to certificates (hereinafter referred to as "registration") to make it possible to verify and collect information relevant to certificate issuance.
31.2 The following information shall be stated in the registration:
31.2.1 Issued, suspended and revoked certificates;
31.2.2 Measures taken to execute the electronic signature law and to provide for its safety;
31.2.3 Verification, in accordance with provision 10.2 of this law, of whether the information relevant to the person or legal entity set forth in provision 10.1 of this law is accurate;
31.2.4 Explanation of the terms referred to in provision 10.3 of this law to the person or legal entity set forth in provision 10.1 of this law;
31.2.5 Others.

Article 32. Prohibitions for license holder
32.1 The license holder is prohibited from disclosing information counted as confidential for the certificate holder or a third party, except in the following cases:
32.1.1 The person agreed in writing to the disclosure of its confidential information;
32.1.2 The State Administrative body or communication inspector demanded it in connection with the execution of its obligations referred to in law;
32.1.3 With a court decision, judge's decision or prosecutor's permission.

CHAPTER FIVE
STATE REGULATION OF PUBLIC KEY INFRASTRUCTURE

Article 33. Authority of State Administrative body
33.1 The State Administrative body shall have the following authority for public key infrastructure:
33.1.1 to develop and execute the policy to use public key infrastructure adhered to by the state;
33.1.2 to adhere to a hierarchic system when providing public key infrastructure activity by consolidated regulation;
33.1.3 to co-operate with foreign countries and international organizations to accommodate the public key infrastructure activity of foreign countries with the national public key infrastructure activity;
33.1.4 to determine the requirements for the certificating policy and certificating procedure;
33.1.5 to issue, suspend and revoke the license referred to in provision 18.1 of this law;
33.1.6 other authority referred to in law.

Article 34. Authority of the Communications Regulatory Commission
34.1 The Communications Regulatory Commission shall have the following authority:
34.1.1 to draft and adopt regulations, rules and instructions relevant to the usage of public key infrastructure and to monitor compliance with them;
34.1.2 to develop the public key infrastructure standard and seek the approval of the competent authority;
34.1.3 to adopt a method to determine the service fee for certificate issuance;
34.1.4 to draft and adopt common rules relating to certificate issuance and to monitor their implementation;
34.1.5 to adopt rules on collecting, using and storing the digital signature database and to monitor their implementation;
34.1.6 to establish the registration unit and to adopt rules for its operation;
34.1.7 other authority provided by law.

CHAPTER SIX
MISCELLANEOUS

Article 35. Monitoring the implementation of legislation on electronic signature
35.1 The State Administrative body and the state inspector for communication shall monitor the implementation of legislation on electronic signature within the scope of their authority referred to in law.
35.2 The State Administrative body shall monitor license holder activity not less than once a year and shall make a report.
35.3 Monitoring and reporting can be carried out by an internationally reputable independent expert if the State Administrative body considers it necessary.

Article 36. Liabilities for breach of the Law
36.1 If a breach of the law on electronic signature does not constitute a criminal offence, the judge or state inspector for communication shall impose the following administrative liability on the offender of this law:
36.1.1 If the activity referred to in article 18 of this law is conducted without proper licensing, illegal income derived from such activities
shall be confiscated and the official who is responsible shall be imposed a fine in the amount of from ten to fifteen times the minimum wage, and legal entities shall be imposed a fine in the amount of from twenty to twenty five times the minimum wage.
36.1.2 An official who disclosed the confidentiality of the private key shall be imposed a fine in the amount of from three to five times the minimum wage, and legal entities shall be imposed a fine in the amount of from five to ten times the minimum wage.
36.1.3 An official who breached the regulation on using digital signatures referred to in provisions 6.3 and 6.4 of this law shall be imposed a fine in the amount of from three to five times the minimum wage, and legal entities shall be imposed a fine in the amount of from five to ten times the minimum wage.
36.1.4 If the license of a license holder is granted in breach of the terms and conditions referred to in provisions 10.3 and 10.5 of this law, it shall be revoked, all income or products derived from such activities shall be confiscated, the guilty official shall be imposed a fine in the amount of from ten to fifteen times the minimum wage, and legal entities shall be imposed a fine in the amount of from fifteen to twenty five times the minimum wage.
36.1.5 A license holder who failed to revoke a certificate in accordance with the term referred to in provision 13.1 of this law shall be imposed a fine in the amount of from five to ten times the minimum wage.
36.1.6 A license holder who breached provision 14.1 of this law shall be imposed a fine in the amount of from three to five times the minimum wage.
36.1.7 The license of a license holder who breached provision 15.2 of this law shall be revoked and the holder shall be imposed a fine in the amount
of from five to ten times the minimum wage.
36.1.8 A former license holder who breached provision 27.2 of this law shall be imposed a fine in the amount of from twenty to twenty five times the minimum wage.
36.1.9 A license holder who failed to fulfill its obligation referred to in provision 30.1 of this law shall be imposed a fine in the amount of from ten to fifteen times the minimum wage.
36.1.10 A license holder who breached provision 13.1 of this law shall be imposed a fine in the amount of from ten to fifteen times the minimum wage.
36.1.11 A person who made changes to an electronic document in breach of law shall be imposed a fine in the amount of from five to ten times the minimum wage, an official shall be imposed a fine in the amount of from ten to fifteen times the minimum wage, and legal entities shall be imposed a fine in the amount of from fifteen to twenty five times the minimum wage.
36.1.12 A person who deleted the digital signature database or made changes to it illegally shall be imposed a fine in the amount of from five to ten times the minimum wage, an official shall be imposed a fine in the amount of from ten to fifteen times the minimum wage, and legal entities shall be imposed a fine in the amount of from twenty to twenty five times the minimum wage.
36.1.13 An official who failed to fulfill the demand of the state inspector shall be imposed a fine in the amount of from three to five times the minimum wage, and legal entities shall be imposed a fine in the amount of from five to ten times the minimum wage.

CHAIRMAN OF STATE IKH KHURAL OF MONGOLIA
DEMBEREL.D