Πέμπτη, 24 Σεπτεμβρίου 2015

The EU legal framework on electronic signatures

 

Electronic signatures and related services that allow data authentication can play an important role in ensuring security and trust in electronic transactions. Certainly, in open networks such as the Internet, security issues are emerging, which hinder the development of electronic services. In particular, concerns are raised on the confidentiality and security of electronic communications, which hold back the exploitation of the Internet as a platform for e-commerce.

To deal with the issues of security and trust in electronic transactions, the EU adopted in 1999 the eSignature Directive. This Directive (Directive 1999/93/EC) establishes the legal framework at EU level for electronic signatures and certification services. The aim is to make electronic signatures easier to use and help them become legally recognised within the Member States. The Directive does not favour any specific technology.
The Directive lays down the rule of legal recognition of electronic signatures;[1] it establishes a legal framework for electronic signatures and certification services and defines two levels of security that organizations may apply to e-signatures depending on the sensitivity of the transaction, that is: (a) simple e-signatures, which provide a minimum level of security and (b) advanced electronic signatures, which provide a higher level of security and can be used as a substitute for a handwritten signature.

In order for a signature to be qualified as an advanced signature, certain requirements have to be fulfilled (Article 5(1) of the Directive). These requirements concern the technical function of the signature software and the existence of a qualified certificate, which is provided by a certification service provider which meets certain criteria. As is obvious, apart from the regulation of the legal effect of electronic signatures, the legal regulations concerning the certification of e-signatures and the accreditation of service providers are also of great importance.

As already mentioned, the Directive adopts a technology neutral approach regarding the recognition of electronic signatures. It defines electronic signatures in an abstract manner, so that different technologies can be used to fulfil the legal requirements in order to be qualified as electronic signatures. However, advanced electronic signatures correspond essentially to digital signatures, since the requirements laid down are only met by public key crypto systems.

Regarding the legal effect of e-signatures, a two-tier system is created, in accordance with Article 5 of the directive. Firstly, advanced electronic signatures, which are based on a qualified certificate and are created by a secure signature creation device, are equal in their effect, that is legal validity and probative effect, to handwritten signatures in paper documents. Secondly, the rule of non-discrimination of e-signatures is laid down. Accordingly, EU Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is:
— in electronic form, or
— not based upon a qualified certificate, or
— not based upon a qualified certificate issued by an accredited certification-service-provider, or
— not created by a secure signature-creation device.

Furthermore, the |Directive includes rules on market access (Article 3) and establishment of providers of e-signatures services (Article 4), which are in line with EU principles. The liability of certification service providers is regulated in Article 6, which provides for a strict liability regime; accordingly, as a minimum, by issuing a certificate as a qualified certificate to the public or by guaranteeing such a certificate to the public a certification service provider is liable for damage caused to any entity or legal or natural person who reasonably relies on that certificate.

The recognition of certificates issued by providers established in third countries is regulated in Article 7. Certification service providers are further under the obligation to comply with data protection requirements, laid down in directive 95/46 and more specifically, to collect personal data only directly from the data subject, or after the explicit consent of the data subject, and only insofar as it is necessary for the purposes of issuing and maintaining the certificate. The data may not be collected or processed for any other purposes without the explicit consent of the data subject.

On the basis of this Directive, Commission Decision 2003/511/EC of 14 July 2003 on the publication of reference numbers of generally recognised standards for electronic signature products was issued. The Annex of this legal act includes a list of standards in compliance with the requirements in Annex I f of the Directive, i.e., CWA 14167-1 (March 2003): security requirements for trustworthy systems managing certificates for electronic signatures - Part 1: System Security Requirements and CWA 14167-2 (March 2002): security requirements for trustworthy systems managing certificates for electronic signatures - Part 2: cryptographic module for CSP signing operations - Protection Profile (MCSO-PP) and a list of standards in compliance with the requirements in Annex III, i.e., CWA 14169 (March 2002): secure signature-creation devices.

Furthermore, the Commission Decision 2000/709 was issued, which lays down the minimum criteria to be taken into account by Member States when designating bodies in accordance with Article 3(4) of Directive 1999/93/EC, that is, when a national body is designated as responsible for the conformity assessment of signature-creation-devices.

A report on the operation of the Directive 1999/93 was issued in 2006.[2] The conclusions of this report concentrated on the legal aspect and the market effect of the Directive. Regarding the former, it is acknowledged that the directive introduced legal certainty with respect to the general admissibility of electronic signatures: the need for the legal recognition of electronic signatures has been met by the transposition of the EU-Directive into the legislation of the EU-Member States. As far as the market effect of e-signatures is concerned, this has been relatively low. In particular, it was found that the use of qualified electronic signatures had been much less than expected and the market was not very well developed. The main reason for the slow take-off of the market is that service providers had little incentive to develop multi-application electronic signature and preferred to offer solutions for their own services. The banking sector and e-government were the sectors where e-signatures were mostly used.

Consequently, extensive consultations on a review of the e-signatures directive took place, and also, on the initiative of the EU Commission, a number of studies were conducted in relation to electronic identification, authentication, signature and related trust services (eIAS). It was made clear that a large majority of stakeholders agreed on the need to review the current framework to fill the gaps left by the directive. It was concluded that this would better respond to challenges posed by the rapid development of new technologies (particularly online and mobile access) and by increased globalisation, while maintaining the technological neutrality of the legal framework.

Critics also highlight the fact that the e-Signatures Directive mistakenly combines identification and authentication with signing, while those should be treated separately.[3]  And also, the combining of PKI technology and the legal status of signatures seems frustrating. 

As a result, the e-Signatures Directive was replaced with the Regulation 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation), adopted on 23 July 2014. The eIDAS Regulation shall apply from 1 July 2016, with the exception of certain provisions which will apply in different stages.

The eIDAS Regulation creates a European internal market for electronic identification and electronic trust services, including:
· electronic signatures; the rules related to the legal effect of e-signatures are provided for, as well as the requirements for qualified signature certificates, for qualified e-signature creation devices etc.
· Time stamping, i.e. the date and time on an electronic document which proves that the document existed at a point-in-time and that it has not changed since then;
· Electronic seal, i.e. the electronic equivalent of a seal or stamp which is applied on a document to guarantee its origin and integrity;
· Electronic delivery, i.e. a service that, to a certain extent, is the equivalent in the digital world of registered mail in the physical world;
· Legal admissibility of electronic documents to ensure their authenticity and integrity;
· Website authentication, i.e. trusted information on a website (e.g. a certificate) which allows users to verify the authenticity of the website and its link to the entity/person owning the website.

The Regulation obliges public bodies to accept cross-border identification/authentication services that are provided under a scheme that has been properly notified to the European Commission. Thus, it ensures that people and businesses can use their own national electronic identification schemes (eIDs) to access public services in the EU countries where eIDs are available.

It also creates a European internal market for electronic trust services in that it guarantees that they will operate across borders and have the same legal status as traditional paper based processes.

EU Member States should establish supervisory bodies that will supervise certification service providers, but also trust service and qualified trust service providers. The conditions for the supervision of those providers are laid down in the provisions of the Regulation.

The EU adopt measures for the implementation of the Regulation:

Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 laying down technical specifications and formats relating to trusted lists pursuant to Article 22(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance) 


Commission Implementing Decision (EU) 2015/1506 of 8 September 2015 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies pursuant to Articles 27(5) and 37(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance) 


Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework pursuant to Article 12(8) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance) 

Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance) 

Commission Implementing Regulation (EU) 2015/806 of 22 May 2015 laying down specifications relating to the form of the EU trust mark for qualified trust services (Text with EEA relevance) 

Commission Implementing Decision (EU) 2015/296 of 24 February 2015 establishing procedural arrangements for cooperation between Member States on electronic identification pursuant to Article 12(7) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market Text with EEA relevance




[3]  See M. Voulon, “European Union introduces new legal framework for identity management”, online available at: http://www.idnext.eu/en/home/european-union-introduces-new-legal-framework-for-identity-management/

Δεν υπάρχουν σχόλια:

Δημοσίευση σχολίου