Commission's proposal for a Regulation on Electronic identification and trust services for electronic transactions in the internal market




Slide 1: Commission's proposal for a Regulation on Electronic identification and trust services for electronic transactions in the internal market
COM(2012)238 of 4.6.2012
ClubPSCo, Paris, 20.6.2012
Gérard GALLER, European Commission - DG CONNECT, gerard.galler@ec.europa.eu

Slide 2: Current esignature / eid status in EU
- Directive 1999/93/EC legal framework
- CEN and ETSI e-signature standards
- EU Member States + industry investments
- In Services Directive context:
  - Trusted list of qualified certificates providers
  - Points of Single Contact must handle ETSI signature formats
- No EU legislation on eid

Slide 3: Strong political commitment
Reiterated political commitment of EU Institutions:
- European Commission Communications:
  - Digital Agenda for Europe, 19.5.10, COM(2010)245
  - European egov Action Plan 2011-15, 15.12.10, COM(2010)743
  - Single Market Act, 13.4.11, COM(2011)206
  - A roadmap to stability and growth, 12.10.11, COM(2011)669
  - Commission Work Programme 2012, 15.11.11, COM(2011)777
- Consistently echoed by European Council
- Two European Parliament Resolutions, 2010
EU Member States and Institutions consider a renewed legal framework as a top priority

Slide 4: New legislation's ambition
- To strengthen EU Single Market by boosting convenience and trust online
- Requires secure and seamless cross-border e-transactions:
  - Between administrations, businesses and citizens
  - Offering legal certainty
  - Easy to use by non-specialists
  - Low cost
- E-identification, authentication, signature and related trust services are instrumental

Slide 5: Consultation process
Trigger: Action Plan on esig. and eid, COM(2008)798, 28.11.2008
Sources of feedback:
- Several studies (Crobies, IAS study, IDABC studies, …)
- Public online consultation Feb-Apr 2011, 434 respondents
- SME survey Oct-Dec 2011, 1251 respondents
- Services Directive technical group on e-procedures (CD 2009/767/EC, 2011/130/EU)
- FESA (Forum of European Supervisory Authorities) six-monthly meetings
- Dedicated meetings with EU Member States (Warsaw 9.11.2011, Poznan 16.11.2011, Brussels 25.1.2012)
- Participation in some 40 public conferences
- Numerous bilateral meetings with stakeholders
- Interservice consultation within European Commission

Slide 6: Scope of the proposed Regulation
1. Mutual recognition of electronic identification
2. Electronic trust services:
   - Electronic signatures: interoperability and usability
   - Electronic seals: interoperability and usability
   - Cross-border dimension of: 1. time stamping, 2. electronic documents delivery, 3. electronic documents admissibility, 4. website authentication

Slide 7: Structure (diagram)
Building of Trust: e-identification, authentication, signatures & related trust services
Underlying principles: Internal market; Subsidiarity; Technological neutrality
Trust Services: esignatures, eseals, time stamping, edelivery services, edocuments admissibility, website authentication
- Common principles: Supervision; Trust (trusted lists, devices certification); Convenience/transparency (legal certainty); Security (qualified levels); Data protection; Liability; International aspects; Accessibility
- Specific requirements: Legal effect; Mutual recognition and acceptance; Reference to standards
eidentification:
- Principles: Natural & legal persons; Notification; Authentication
- Requirements: Mutual recognition and acceptance; Liability

Slide 8: Mutual recognition and acceptance of eid
An EU Member State:
1. May notify to European Commission the national electronic identification scheme(s) used at home for, at least, access to public services;
2. Must recognise and accept notified eids of other Member States for cross-border access to its public services requiring e-identification;
3. Must provide online free eid authentication facility;
4. Is liable for unambiguous identification of persons and for authentication;
5. May allow the private sector to use notified eid

Slide 9: What is OUT of scope?
What is not covered on eid:
- No obligation on Member States to have an e-identification scheme
- No obligation on Member States to notify their e-identification scheme(s)
- «Notified» eid is NOT the same as ID cards
- No «EU database» of any kind
- No «EU eid»
- Multiple e-identification schemes are allowed
- No coverage of «soft ID» (e.g. Facebook); only «hard eid»
- «Notified» eid does not mean meeting the eligibility conditions for a service
What is not covered on trusted services:
- Supervision at EU level (vs. national / regional level)
- No prior authorisation to start qualified service, no accreditation
- Detailed provisions on trust services other than esignatures/eseals
- Persons' roles and/or attributes
- Certification of other products than esig/eseal creation devices
- Encryption

Slide 10: Why will it make a difference?
- Comprehensive toolbox of trust building instruments
- One single legislation across EU
- Foster eid usage («world premiere»):
  - Leverage eid cards and mobile ID infrastructure
  - Reliable eid to allow cross-border ebusiness and enable egov services
  - Private sector is invited to build on «notified» eid schemes
- Creates confidence in electronic trust services:
  - Effective state supervision
  - Systematic usage of trusted lists
- Easy esignature:
  - Harmonisation power of Regulation: de facto «EU signature»
  - Enables full esig specification via secondary legislation + standards
  - Allows «mobile» and «server» qualified signatures
- Related trust services:
  - Address blatant market needs: eseals, edelivery, edocuments, long term validity of esig
  - Harmonise national legislation: time stamping, edelivery
  - E-Document admissibility: «big bang» for de-materialisation
  - Website authentication is a non-formulated expectation of the citizens

Slide 11: Indicative process (timeline 2011-2016)
Legislative process:
- Public consultation
- Commission proposal
- Cyprus Presidency report
- Parliament + Council adoption
Standardisation mandate M460:
- Standards
Delegated/Implementing acts:
- Commission Decisions
NB. Dates are indicative

Slide 12: For further information and feedback
Website: http://ec.europa.eu/information_society/policy/esignature
Draft Regulation: http://ec.europa.eu/information_society/policy/esignature/eu_legislation/regulation
Mailbox: infso-e-signature@ec.europa.eu

Slide 13: Additional slides
- Main changes w.r.t. esignatures Directive
- Not carried over from esignatures Directive
- Main provisions of draft Regulation

Slide 14: Main changes w.r.t. esignatures Directive
- Single legislation across EU (Regulation)
- Extended scope: mutual recognition & acceptance of notified electronic ID and trust services
- Reinforced security & usability of trust services:
  - Common essential supervision requirements
  - «Regional» supervision besides national supervision
  - Explicit obligation for security due diligence (qualified and non-qualified providers) + breach notification
  - «Trusted list» of qualified EU providers
  - List of certified «qualified signature creation devices»
  - Presumption of compliance + interoperability via delegated/implementing acts and voluntary standards
- esignature fully defined with provisions with legal effects for legal certainty and interoperability
- Allow «server» and «mobile» signing

Slide 15: Not carried over from esignatures Directive
- No accreditation (ex-art 2.13)
- No mandatory signatory attributes in qualified certificates (ex-annex I.d)
- No limitation on «scope of use» of qualified certificates or transactions value (ex-art. 6.4; Annex I.i, j)
- No public sector derogation (ex-art 3.7)
- Recognition of third country providers:
  - No recognition via accreditation (ex-art 7.1.a)
  - No recognition via «patronage» by EU provider (ex-art 7.1.b)
- No reference to certificates issued to the public (several ex-articles)

Slide 16: Key principle: technological neutrality
Three-pronged approach, applied systematically to each trusted service:
1. Technology neutral definition: non-discrimination «electronic vs. paper»
2. Qualified level: defined by target security requirements; «rewarded» by higher legal effect; does not specify means to achieve them
3. «Presumption» of compliance to qualified level (via secondary legislation): qualified level specified by voluntary standards

Slide 17: Scope (diagram)
- Natural persons eidentification: ID national registers
- Legal persons eidentification: business registers; regulated professions; roles / attributes; social security eid
- Mutual recognition & acceptance (cross-sector, cross-border)
- Trust services in scope: website authentication; esignature; eseal; certified edelivery; time stamping; edocument admissibility; long term preservation

Slide 18: Electronic trust services
Common Principles:
- Mutual recognition of «qualified» electronic trust services
- Strengthens and harmonises national supervision of qualified trust service providers and trust services
- Uses delegated and implementing acts as a mechanism to ensure flexibility vis-à-vis technological developments
esignature:
- Clarifies the concepts related to esignature (natural persons)
- Introduces eseals (legal persons)
- Clarifies validation of qualified esignatures
- Ensures long term preservation
- Allows for full reference to standards
- Allows «server» and «mobile» signing

Slide 19: Provisions of the proposed Regulation
- Ch 1: General Provisions
- Ch 2: Notified electronic identification
- Ch 3: Trust services
- Ch 4: Delegated acts
- Ch 5: Implementing acts
- Ch 6: Final provisions
- Annexes I, III, IV: Qualified certificates
- Annex II: Qualified esig creation devices

Slide 20: Ch 1. General Provisions
Legal basis: Art 114 TFEU (internal market)
- Art 1, Art 2: Subject matter and scope
  - Extended to cover mutual recognition & acceptance of «notified» eid
  - «Electronic trust services» (esig, eseals, edoc, time stamping, esig/eseal long term preservation service, website authentication)
  - «Toolbox» of trust services: usage is NOT mandatory
- Art 3: Definitions
  - Trust services do not encompass eid (subsidiarity)
  - Qualified = matching the requirements of the Regulation
  - Qualified trust service providers (Q-TSP) and trust services (Q-TS)
  - esig creation device: SW or HW used to create an esig
- Art 4: Internal market
  - Free movement of trust services and related products
  - Mutual recognition and acceptance of trust services

Slide 21: Ch 2. Electronic identification
- Art 5: Legal effect: Mutual recognition and acceptance of notified e-identification schemes; natural and legal persons
- Art 6, Art 7: Notification mechanism. A Member State:
  - May notify to Commission the national eid scheme(s) used domestically for, at least, access to public services;
  - Must recognise and accept notified eids of other Member States for cross-border access to its public services requiring e-identification;
  - Must provide online free eid authentication facility;
  - Is liable for unambiguous identification of persons and for authentication;
  - May allow the private sector to use notified eid
- Art 8: Coordination mechanism between Member States to ensure eid means interoperability and enhance security

Slide 22: Ch. 3. Trust services (TS) - Section 1. General provisions
- Art 9: Liability: TSP is liable for what it does (similar to esig Directive)
- Art 10: International aspects:
  - Mutual recognition of QTS (new) and Q-certificates (like in esig Directive)
  - 3rd country TS must match at least EU data protection, security and supervision levels
  - Only via international agreement
- Art 11: Data processing and protection:
  - Stronger and unlimited reference to data protection directive
  - Data minimisation (new)
- Art 12: Accessibility for disabled persons: services and products «accessible» whenever possible (new)
Generic three-pronged approach:
- Technologically neutral definition (non-discrimination)
- «Qualified» secure level (with legal effect)
- Presumption of compliance (if voluntary standards are matched)

Slide 23: Ch. 3. Trust services - Section 2. TSP and TS Supervision (1/2)
Art 13, 14: Supervision
- National (like esig Directive) or «regional» (new) supervision authority
- Common essential supervision requirements of Q-TSPs
- Cooperation between Supervisors:
  - Mutual supervision assistance
  - Yearly supervision report
  - Collection of market statistics from Q-TSPs and Supervisors
  - Exchange of good practices between Supervisors (cf. FESA)
- MS to ensure long term availability of trust data of Q-TSPs

Slide 24: Ch. 3. Trust services - Section 2. TSP and TS Supervision (2/2)
- Art 15: Requirements on Q and non-Q-TSPs:
  - Obligation of security due diligence for non-Q-TSPs if risky service
  - Security breach notification obligation for Q and non-Q-TSPs
  - Binding instructions by Supervisors to Q and non-Q-TSPs
- Art. 16: Supervision of Q-TSPs:
  - Q-TSP subject to at least yearly audit
  - Supervisor can issue binding instructions to Q-TSP
  - Supervisor can remove Qualified status
- Art. 17: Initiation of Q-Trust services:
  - Mandatory notification to Supervisor (new)
  - No prior authorisation (unchanged)
- Art. 18: Trusted Lists: EU trusted lists of Q-TSs and Q-TSPs (cf. Services Directive Decision 2009/767/EC)
- Art. 19: Requirements for Q-TSPs:
  - Certificates issuance (new): face-to-face OR remotely using «notified» eid
  - Mandatory on-line standardised certificate status info (e.g. OCSP)
  - Other reliability and professionalism requirements (similar to ex-annex II)

Slide 25: Ch. 3. Trust services - Section 3: esignatures (1/2)
- Art. 3 (definitions):
  - esignature: esig. = data in e-form attached to or logically associated with other e-data and which are used by the signatory to sign
  - Natural persons only
  - Advanced esig. (AeS): adapted to allow server signing and make «sole control» manageable
- Art. 20: Legal effects and acceptance of esignatures:
  - Qualified esig. (QeS) has equivalent legal effect of handwritten signature
  - Mutual recognition and acceptance of QeS
  - Allows for classification of esignatures with security assurance level < QeS
  - Security of AeS may be defined via standards
  - Security assurance requirements > QeS are forbidden for public services

Slide 26: Ch. 3. Trust services - Section 3: esignatures (2/2)
- Art. 21 and Annex I: Qualified certificates for esignature: fully defined in Annex I (exact mandatory content)
- Art 3.17, 22-24: Qualified signature creation devices (Q-SCD):
  - Extended scope of creation devices: HW or SW to create an esig.
  - Certification of Q-SCD (e.g. ISO 15408 «Common Criteria»)
  - European positive list of certified Q-SCD
- Art 25-26: Validation:
  - Defines when a QeS is valid
  - Defines Q-validation service provider (new)
  - Standardised interface for Q-validation service provider (e.g. XKMS)
- Art 27: Preservation of esignatures: defines Q-long term preservation service (new)
- Art 34.4: esig formats for public services: administrations to accept a minimum common set of standardised esig formats (= Services Directive Decision 2011/130/EU: CAdES, XAdES, PAdES)

Slide 27: Ch. 3. Trust services - Sections 4 to 6
Section 4. eseals
- Legal persons only
- Instrument for document authentication: data in e-form attached to or logically associated with other e-data to ensure origin and integrity of the associated data
- «Mutatis mutandis» like esignature
Section 5. Time stamping
- Legal existence of time stamps
- Defines qualified time stamps («date certaine»)
Section 6. edocuments
- Non-discrimination «paper vs e-documents»
- Presumption of authenticity and integrity of Q-signed/sealed edocuments

Slide 28: Ch. 3. Trust services - Sections 7 and 8
Section 7. edelivery
- Legal effect: certainty of cross-border electronic delivery
- Establishes qualified edelivery services
- NB. Assumes national legislation will establish equivalence of e-delivery and paper «recommandé» (registered mail)
Section 8. Website authentication
- Only establishes legal existence of qualified website authentication certificates

Slide 29: Ch 4 and 5. Secondary legislation
- Ch 4: Delegated acts. Art. 38: standard provision for delegated acts
- Ch 5: Implementing acts. Art 39: standard provision for implementing acts: examination procedure, qualified majority

Slide 30: Ch 6. Final provisions
- Art 40: Reporting every four years
- Art 41: Repeal of Directive 1999/93/EC
  - Already certified SSCDs become QSCDs
  - Existing Q-Certificates remain valid max. five years
- Art 42: Immediate entry into force: 20 days after official publication, following adoption by European Parliament and Council by «ordinary procedure» (ex-codecision)

Slide 31: Other
- Decision 2000/709/EC on «Designated Bodies»: to be «transferred» later to Regulation
- Decision 2003/511/EC on SSCD Protection Profiles: still to be updated under 1999/93/EC before repeal (TBC); to be «transferred» to Regulation
- «Trusted List» of Decision 2009/767/EC: to be «transferred» to Regulation
- «Expert Group(s)» to be set up: eid (art 8), Supervisors (art 14) and Stakeholders