Implementation of the Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) and comparison of Directive 99/93/EC and eIDAS Regulation Workshop on registered electronic mail policies and implementations (ETT 57074) Ankara, 16.3. – 17.3. 2015


Page 1: Title slide

Implementation of the Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) and comparison of Directive 99/93/EC and eIDAS Regulation

Workshop on registered electronic mail policies and implementations (ETT 57074)

Ankara, 16.3. – 17.3. 2015

Page 2: Content

1. eIDAS Regulation
2. Implementation of the eIDAS Regulation in member states and Slovenia
3. Directive 1999/93/EC
4. Comparison between the eIDAS Regulation and Directive 1999/93/EC

Page 3: The eIDAS Regulation – Introduction

The Regulation 910/2014/EC (eIDAS Regulation) was adopted on 23 July 2014 and was published on 28 August 2014.

It entered into force on 17 September 2014, but it is not entirely applicable from this date on:
◦ The rules regarding electronic identification will apply from the date of application of the implementing acts (deadline is 18.9.2015), except for mandatory mutual recognition (art. 6), which will apply 3 years after the adoption of the implementing acts (i.e. 3Q 2018).
◦ The rules for Trust Services will apply from 1 July 2016.

Page 4: The eIDAS Regulation – Introduction

Neelie Kroes, 1 March 2014: "The adoption of this Regulation on e-ID is a fundamental step towards the completion of the Digital Single Market. This agreement boosts trust and convenience in cross-border and cross-sector electronic transactions."

President Juncker's Political Guidelines: "By creating a connected Digital Single Market, we can generate up to €250 billion of additional growth."

eIDAS will:
◦ ensure that national electronic identification schemes (eIDs) can be used in other EU countries
◦ establish a European internal market for Trust Services (TS) by providing rules which will ensure that such services work across borders and have the same legal status as traditional paper-based processes.

Page 5: What is covered by the eIDAS Regulation

Electronic Identification (eID):
◦ Rules for mutual recognition of eID across MS
◦ legal framework (notification, assurance levels, security…)

Trust Services (TS):
◦ Interoperability and application of electronic signatures
◦ Interoperability and application of electronic seals
◦ Uniform regulation of:
  - time stamping
  - electronic delivery of electronic documents
  - recognition of electronic documents
  - authentication of websites

Previous rules on e-signature (Directive 1999/93/EC) are repealed and entirely substituted by the eIDAS Regulation (art. 50).

Page 6: Main goals of the eIDAS Regulation

• mutual recognition of eIDs across MS which are notified to the EC (Notified Electronic Identification Schemes)
• mutual recognition of QTS, ensuring effective cross-border interoperability of services
• ensuring accessibility to TS for disabled users
• harmonizing national (and regional!) supervision of QTSPs and their services; light-touch supervision for TSPs (ad hoc measures)
• the establishment of Trusted Lists (for QTSPs) and the EU trust mark
• enhanced data protection and minimization of the set of personal data processed by service providers
• achieving flexibility and technological neutrality through the implementing acts

Page 7: What eIDAS does not require

• to introduce electronic ID cards or other electronic identification solutions
• to introduce European ID cards
• an individual to have an electronic ID card or passport
• to link national databases with national databases of other Member States
• introduction of a sharing of personal or financial information with other parties

Page 8: Adoption of implementing acts

As EU lawmakers seek flexibility and technological neutrality, many implementing acts are envisaged.

28 implementing acts altogether: 4 implementing the eID rules, 24 implementing the TS rules. In addition, 1 delegated act for the technical specification of the TS.

7 + 1 acts are obligatory: their adoption is necessary for applying the rules of the Regulation. The majority of acts is "optional"; nevertheless, their adoption would contribute to the clarification of the subject-matter and to greater harmonization.

Page 9: Adoption of implementing acts

Time plan as proposed by the Commission:

Page 10: Adoption of implementing acts

List of obligatory implementing acts:

Page 11: Adoption of implementing acts

List of additional implementing acts:

Page 12: Adoption of implementing acts

List of additional implementing acts:

Page 13: Implementation in MS

According to Art. 288 of the Treaty on the Functioning of the EU, regulations are directly applicable in the Member States: "To exercise the Union's competences, the institutions shall adopt regulations, directives, decisions, recommendations and opinions. A regulation shall have general application. It shall be binding in its entirety and directly applicable in all Member States."

The supremacy principle demands that national laws which are in conflict with EU law be set aside/repealed so that the European rules can take effect. This was further elaborated in the Costa v ENEL doctrine.

The direct effect principle ensures the application and effectiveness of European law in the Member States (Van Gend en Loos doctrine).

Theoretically, no further (proactive) legal activities regarding the implementation of the Regulation should need to be taken by the MS.

MS should prevent national rules from being in conflict with EU rules (therefore derogation/adaptation of national laws might be necessary).

Page 14: Situation in Slovenia

Slovenia transposed Directive 1999/93/EC into its domestic legislation.

Existing national legal framework regarding e-signature:
◦ Electronic Commerce and Electronic Signature Act (Official Gazette no. 57/2000 and 25/2004)
◦ Decree on conditions for electronic commerce and electronic signatures (Official Gazette no. 77/2000 and 2/2001)
◦ Rules on the application of certifiers and keeping the register of certification authorities in the Republic of Slovenia (Official Gazette no. 99/2001)

Private and public providers of some TS:

Page 15: Implementation in Slovenia

As the eIDAS Regulation has been adopted only recently, no concrete steps towards its implementation have been taken in Slovenia.

Preparations have begun on the political and on the organizational-strategical level.

Political level – strong commitment to implement the eIDAS Regulation into the Slovenian legal system: "Due to the methodological and terminological harmonization on the national level, the Electronic Commerce and Electronic Signature Act will be amended or even a new legal framework will be adopted. The aim is to comprehensively regulate the area of electronic identity management and trust services for electronic transactions" (Press Conference of the Minister for Education, Science and Sport, September 2014)

Page 16: Implementation in Slovenia

Organizational & strategical level:
◦ competence lies within the jurisdiction of the Directorate for Information Society (Ministry for Education, Science and Sport)
◦ Other portfolios are also affected (Ministry for Public Administration, Ministry of Interior…)
◦ Multi-sector Working Group established by the Government to coordinate the implementation of the eIDAS Regulation
◦ Strategical documents which deal with this topic -> Strategy Si2020 (currently in the process of adoption): "Following the provisions of the eIDAS Regulation, adjustments of the national legal framework are necessary to establish an appropriate organization and infrastructure environment for eIDs, which includes the implementation of supervisory functions, recognition and acceptance of notified electronic identification elements from other MS and reporting functions. Already established electronic public sector services will also need to be adapted in order to be accepted in cross-border use"

Page 17: Implementation in Slovenia

Tasks of the Multi-sector Working Group for eIDAS:
• Preparation of the analysis of the existing situation and identification of necessary adjustments
• comparative analysis of the measures and solutions in other MS
• preparation of an action plan which will address normative, institutional and operational measures for the creation of a new legal framework for eID and TS
• Monitoring the harmonization of national sectoral rules with the Regulation

Page 18: Implementation in Slovenia

Some technical preparations:
◦ Activities to modernize e-identification and other services to increase confidence and security in the public sector have already started.
◦ In the field of TSs, the Ministry of Public Administration is in the process of preparing a central authentication system (SI-CAS) and the central server system for e-signature (SI-CES).
◦ For this purpose the Ministry is already participating in various EU projects, such as STORK 2.0 for cross-border e-identification and the e-SENS project for the establishment of common building blocks for TSs in cross-border transactions.

Page 19: Implementation in Slovenia

Tasks to be addressed:
◦ Creation of the list of all relevant national legislation (acts) which needs to be changed/adapted or repealed.
◦ Impact assessment – what are the costs? How to implement the provisions of the Regulation in order to avoid duplication?

Questions to be answered:
◦ Are there any national acts needed for the implementation of the Regulation? (e.g. regarding the definition of who is the competent authority, surveillance, fines for non-compliance, etc.)
◦ Does the list of certification service providers from ECESA comply with the Trusted Lists from art. 22 of the Regulation?
◦ How many eID means should we introduce? Should we include the private sector as well? (Recital 13 of the Regulation)
◦ How to organize the supervision? Designation of the competent authority?
◦ Shall we also adapt other existing national solutions which are not directly affected by the Regulation, e.g. ZVDAGA?

Page 20: SLO national legislation – implementation steps

• register of Certification Authorities = trusted list?
• organization of proper control?
• one or more schemes (public/private sector)?
• do we have an oversight of the legislative and executive acts governing this content?
• Is our national legislation anywhere in conflict with the Regulation?
• how to avoid duplication of tasks?
• maintain the existing national solutions, or adapt as much as possible to the requirements of cross-border e-commerce?
• how to optimally adapt the services of the public sector to meet the requirements for mutual recognition?
• the costs of regulation (public/private sector)?

Page 21: Directive 1999/93/EC

The Directive laid down the criteria for legal recognition of electronic signatures by focusing on certification services:
• common obligations for certification service providers in order to secure cross-border recognition of signatures and certificates throughout the European Community;
• common rules on liability to help build confidence among users who rely on the certificates, and among service providers;
• cooperative mechanisms to facilitate cross-border recognition of signatures and certificates with third countries.

The Directive didn't deliver a comprehensive cross-border and cross-sector framework for secure, trustworthy and easy-to-use electronic transactions.

Page 22: Directive 1999/93/EC

The Directive introduced:
◦ the electronic signature and the advanced electronic signature
◦ the qualified certificate

Access to the market:
◦ No licence/authorisation required for Certification Service Providers (CSPs)
◦ there is a notification requirement for those CSPs issuing qualified certificates to the public that have been subject to voluntary accreditation
◦ Member States may not limit the number of accredited CSPs
◦ Member States may not restrict the provision of certification services originating in another Member State

Legal effects of electronic signatures:
◦ an advanced electronic signature based on a qualified certificate and created by a secure-signature-creation device has the same legal status as a handwritten signature

Page 23: Directive 1999/93/EC

Liability of CSPs:
◦ A CSP which issues a qualified certificate is liable to any person who reasonably relies on the certificate if the CSP was acting intentionally or with negligence
◦ A CSP is not liable for damage arising from use of a qualified certificate that exceeds the limitations placed on it
◦ Limitation of compensation by CSPs is allowed

International aspects:
◦ MS must ensure that mutual legal recognition of qualified certificates and electronic signatures from third countries is applied if certain reliability conditions are met.

Data protection:
◦ CSPs and national bodies responsible for accreditation or supervision must comply with Directive 95/46/EC

Page 24: Comparison – general observations

"From e-signature to Trust Services"

The Directive did not provide a comprehensive legal framework, which led to very different approaches in implementing the rules into national legislation. Outcome: it was de facto impossible to conduct cross-border electronic transactions.

The Regulation is much broader in scope and more concrete in its rules, as it introduced:
◦ the legal effects of electronic seals,
◦ the legal effects of and requirements for electronic time stamps and electronic registered delivery services,
◦ the requirements for website authentication and the legal effects for electronic documents.

Comprehensive rules regarding the TS legal framework (Chapter III), of which e-signature is also a part (supervision, qualified services and building of trust, and special rules for e-signature only).

Page 25: Comparison

Supervisory schemes: in this respect the rules are now much more concrete; they provide for the possibility of regional supervision, different layers of supervision, reporting to the EC (art. 17), mutual assistance (art. 18), the obligation to notify (see below), and an audit of each qTSP every 24 months (art. 20).

Stricter rules on security requirements for TSPs (art. 19):
◦ they will need to implement organizational and security measures that are proportional to the level of risk presented by their activities
◦ they will have to inform stakeholders about the effects of incidents
◦ In case of a breach/loss of integrity which has an impact on personal data, TSPs are obliged to notify it to the supervisory body and the affected parties within 24 h at the latest.

Rules regarding the initiation of a qTS (art. 21): notification to the supervisory body, prior conformity assessment, granting of qTSP status and its inclusion on the trusted list.

Page 26: Comparison

Comprehensive requirements for qTSPs (art. 24): some of them had already been introduced by Annex II to the e-signature Directive (e.g. rules on verification, staff requirements, liability, obligation to inform…) but are now elaborated and modified (e.g. trustworthy systems, verification). Some new requirements have also been introduced (up-to-date termination plan, obligation to establish and update a certificate database).

Building of trust (qTS): introduction of trusted lists for qTSPs together with their qTS in each MS (art. 22), and the EU trust mark to identify services which meet certain strict requirements and are therefore reliable (art. 23). The aim is to build the trustworthiness of e-signatures.

Page 27: Comparison

Special rules regarding e-signature are set out in Section 4 (art. 25-35).

The Regulation makes a distinction among:
◦ e-signature
◦ advanced e-signature
◦ qualified e-signature

In the sense of legal effects, the qualified e-signature of the eIDAS Regulation (art. 25) corresponds to the advanced e-signature of the Directive (art. 5): a qualified e-signature has the equivalent legal effect of a handwritten signature.

In comparison to the e-signature Directive, the eIDAS Regulation has more elaborate rules on the requirements for qualified certificates for e-signatures (Annex I): more elaborate data on the signatory (bullets a and b), the location of services which enable the validity status of the certificate to be checked, …

Page 28: Comparison

In addition, the Regulation lays down rules on the revocation of qualified certificates for e-signatures (art. 28). MS may adopt national rules regarding the temporary suspension of qualified certificates for e-signatures (art. 28(5)).

In comparison to the Directive, the Regulation provides rules on devices for the creation of e-signatures (= Qualified Electronic Signature Creation Devices, QESCDs): requirements for QESCDs are laid down in Annex II (art. 29), certification procedures are provided in art. 30 + implementing acts of the Commission, and the creation and publication of the List of QESCDs is governed by art. 31.

Rules on the validation of qualified e-signatures (art. 32 and 33), which will provide legal certainty and trust: the Regulation sets out under what conditions a qualified e-signature shall be regarded as validated (a-h).

Page 29: Comparison

Art. 33 provides additional rules on qualified validation services (= Qualified Validation Service for Qualified Electronic Signatures). These services may only be provided by QTSPs and will provide users with the result of the validation process in a trustworthy manner (automated message, signed/stamped by the QTSP).

Preservation of qualified e-signatures (art. 34): the Regulation lays down rules on the Qualified Preservation Service for Qualified Electronic Signatures. This concept had not been introduced before. The Regulation now stipulates that this service may be provided only by QTSPs. Standards for the qualified Preservation Service may be prescribed by the Commission.

Page 30: Thank you!