European Commission’s proposal for a Regulation on Electronic identification and trust services for electronic transactions in the internal market
Alessandra SBORDONI, European Commission - DG CONNECT
alessandra.sbordoni@ec.europa.eu
What is the legislative proposal's ambition?
• To strengthen the EU Single Market by boosting TRUST and CONVENIENCE in secure and seamless cross-border and cross-sector electronic TRANSACTIONS
• To stimulate new business opportunities
What is the scope of the proposed Regulation?
• Mutual recognition of electronic identification
• Electronic trust services:
 • Electronic signatures: interoperability and usability
 • Electronic seals: interoperability and usability
 • Cross-border dimension of: time stamping, electronic delivery services, admissibility of electronic documents, website authentication
Provisions of the proposed Regulation
• Ch 1: General provisions
• Ch 2: Electronic identification
• Ch 3: Trust services
 • Sec 1: General provisions
 • Sec 2: Supervision
 • Sec 3: Electronic signatures
 • Sec 4: Electronic seals
 • Sec 5: Electronic time stamps
 • Sec 6: Electronic documents
 • Sec 7: Qualified electronic delivery services
 • Sec 8: Website authentication
• Ch 4: Delegated acts
• Ch 5: Implementing acts
• Ch 6: Final provisions
• Annexes I, III, IV: Qualified certificates (for electronic signatures, electronic seals and website authentication respectively)
• Annex II: Qualified eSig creation devices
General provisions
• Legal basis: Art 114 TFEU (internal market)
• Subject matter and scope:
 • Covers mutual recognition and acceptance of eID
 • « Toolbox » of trust services: usage is NOT mandatory
• Definitions:
 • Trust services do not encompass eID (subsidiarity)
 • Qualified = matching the requirements of the Regulation
 • Qualified trust service providers (QTSP) and qualified trust services (QTS)
 • eSig creation device: software or hardware used to create an eSig
• Internal market:
 • Free “movement” of trust services and related products
 • Mutual recognition and acceptance of trust services
Electronic identification
• Legal effect: mutual recognition and acceptance of “notified” electronic identification schemes, for natural and legal persons
• Notification mechanism. A Member State:
 • May ‘notify’ to the Commission the ‘national’ electronic identification scheme(s) used at home, at least for access to public services;
 • Must recognise and accept ‘notified’ eIDs of other Member States for cross-border access to its online services requiring e-identification under its national law;
 • Must provide an online ID data authentication facility, free of charge;
 • Is liable for the unambiguous identification of persons and for the authentication;
 • May allow the private sector to use ‘notified’ eIDs
• Coordination mechanism between Member States to ensure interoperability of eID means and enhance security
What is not covered? The proposal does not require / address / contain:
• Member States to have an eID scheme
• Member States to notify their eID scheme(s)
• «soft ID» (e.g. Facebook)
• «Notified» eIDs are not necessarily ID cards
• "EU database" of any kind
• "EU eID"
• Prior authorisation to start a qualified service, or accreditation
• Details on trust services other than eSig / eSeals
• Persons’ roles and/or attributes
• Format of e-documents
• Establishment of proof
• Encryption
Electronic trust services: common principles
• Technological neutrality
• Mutual recognition of qualified electronic trust services
• Strengthens and harmonises national supervision of qualified trust service providers and trust services
• Reinforces data protection, with an obligation of data minimisation
• Uses delegated and implementing acts as a mechanism to ensure flexibility vis-à-vis technological developments and best practice
Supervision (1/3)
• National or «regional» supervisory authority
• Common essential supervision requirements for Q-TSPs
• Cooperation between supervisors:
 • Mutual supervision assistance
 • Yearly supervision report
 • Collection of market statistics from Q-TSPs and supervisors
 • Exchange of good practices between supervisors (FESA, the Forum of European Supervisory Authorities)
• MS to ensure long-term availability of trust data of Q-TSPs
Supervision (2/3)
• Requirements on Q and non-Q TSPs (Art. 15):
 • Obligation of security due diligence for Q and non-Q TSPs
 • Security breach notification obligation for Q and non-Q TSPs
 • Binding instructions by supervisors to Q and non-Q TSPs
• Supervision of Q-TSPs (Art. 16):
 • Q-TSPs subject to at least yearly audit
 • Supervisor can issue binding instructions to Q-TSPs
 • Supervisor can remove “qualified” status
Supervision (3/3)
• Initiation of qualified trust services (Art. 17):
 • Mandatory notification to the supervisory body
 • No prior authorisation
• Trusted lists (Art. 18):
 • EU trusted lists of Q-TSs and Q-TSPs (cf. Services Directive Decision 2009/767/EC)
• Requirements for Q-TSPs (Art. 19):
 • Issuance of certificates: identity verified face-to-face OR remotely using a «notified» eID
 • Mandatory online standardised certificate status information
 • Other reliability and professionalism requirements similar to Annex II of the eSignature Directive
Electronic signature (1/3)
• Builds on the existing eSignature infrastructure and clarifies concepts related to eSig (natural persons)
• Introduces eSeals (legal persons)
• Allows for full reference to standards
• Clarifies validation of qualified eSignatures
• Ensures long-term preservation
• Allows «server / remote» and «mobile» signing
Electronic signatures (2/3)
• Definition of eSignature (Art. 3.6): data in electronic form attached to or logically associated with other electronic data and used by the signatory to sign
 • Natural persons only
 • Advanced eSig (AeS): adapted to allow server signing and to make « sole control » manageable
• Legal effect and acceptance of eSignatures (Art. 20):
 • Qualified eSig (QeS) has “equivalent legal effect” to a handwritten signature
 • Mutual recognition and acceptance of QeS
 • Allows for classification of eSignatures with security assurance levels below QeS
 • Security of AeS may be defined via standards
 • Security assurance requirements higher than QeS are forbidden for public services
Trust services (1/2)
• Electronic seals:
 • Legal persons only (but not an identification means)
 • Definition: “data in electronic form attached to or logically associated with other electronic data to ensure the origin and integrity of the associated data”
 • «mutatis mutandis» like eSignatures
• Electronic time stamping:
 • Legal existence of time stamps
 • Defines qualified time stamps («date certaine»)
• Electronic documents:
 • Non-discrimination «paper vs e-documents»
 • Admissibility as evidence in legal proceedings, having regard to the assurance level of authenticity and integrity
 • Presumption of authenticity and integrity of qualified-signed/sealed eDocuments
Trust services (2/2)
• Qualified electronic delivery service:
 • Legal effect: certainty of cross-border electronic delivery
 • Establishes qualified eDelivery services
 • NB: national legislation to establish the legal equivalence of e-delivery and paper registered letters
• Website authentication:
 • Only establishes the legal existence of qualified website authentication certificates
Secondary legislation: delegated acts (Art. 38)
• Purpose: to make the Regulation a technologically neutral and flexible legal instrument vis-à-vis technical evolution and the adoption of new best practices by stakeholders and MS
• Example: Article 15.5. Delegated acts may specify, taking into account state-of-the-art practices and standards, what security measures are appropriate in relation to a specific level of risk, should the level of harmonisation ensured by Art. 15.1 be insufficient to guarantee a high level of security
• Basic act (Art. 15.1): aims at ensuring that TSPs set up, and document via a security audit, an appropriate system to manage security risks based on a risk assessment
Secondary legislation: implementing acts (Art. 39)
• Will replace the Art. 9 Committee of the eSignature Directive, composed of representatives of Member States
• “Examination procedure”:
 • The Commission may only adopt an implementing act if the committee delivers a positive opinion (qualified majority)
 • In case of a negative opinion, the Commission may either propose an amended version of the draft act within two months, or refer the matter to the appeal committee
 • If the appeal committee is seized, its opinion must be positive for the draft act to be adopted
Final provisions
• Art. 40: reporting every four years
• Art. 41: repeal of Directive 1999/93/EC
 • SSCDs already certified as such become QSCDs
 • Existing qualified certificates remain valid for max. five years
• Art. 42: entry into force 20 days after official publication, following adoption by the European Parliament and Council under the «ordinary legislative procedure» (ex-codecision)
• Transitional clause likely to be discussed by the co-legislators
Why will it make a difference? (1/2)
• Creates confidence in electronic trust services:
 • Effective state supervision
 • Systematic usage of "trusted lists"
 • De facto world-class «trustmark» for EU qualified services
• Easy eSignature:
 • Harmonisation power of a Regulation
 • Full eSig specification via secondary legislation + standards
• Related trust services:
 • Address clear market needs: eSeals, eDelivery, eDocuments, …
 • Harmonise national legislation: time stamping, eDelivery
 • e-Document admissibility: « big bang » for de-materialisation
 • Website authentication is an implicit expectation of citizens
Why will it make a difference? (2/2)
• Comprehensive “toolbox” of trust-building instruments:
 • One single piece of legislation across the EU
 • Harmonisation power of a Regulation
• Foster eID usage (“world premiere”):
 • Leverage eID cards and mobile ID infrastructure
 • Reliable eID to allow cross-border eBusiness and enable eGov services
 • Private sector is invited to build on «notified» eIDs
 • Leverage the Large Scale Pilot project STORK
Indicative timeline (2011-2016)
• Legislative process: Commission proposal 4.6.2012; Cyprus Presidency report; Parliament + Council adoption
• Standardisation mandate M/460; standards
• Delegated/implementing acts; Commission decisions
NB: dates are indicative
For further information
• Website: http://ec.europa.eu/information_society/policy/esignature
• Draft Regulation: European Commission’s “Proposal for a Regulation of the European Parliament and Council on electronic identification and trust services for electronic transactions in the internal market”, COM(2012) 238, 4.6.2012, http://ec.europa.eu/information_society/policy/esignature/eu_legislation/regulation
• Impact assessment: SWD(2012) 135 and SWD(2012) 136