Electronic signatures and related services that allow data authentication can play an important role in ensuring security and trust in electronic transactions. In open networks such as the Internet, however, security issues have emerged that hinder the development of electronic services. In particular, concerns about the confidentiality and security of electronic communications hold back the exploitation of the Internet as a platform for e-commerce.
To deal with the issues of security and trust in electronic transactions, the EU adopted the eSignature Directive in 1999. This Directive (Directive 1999/93/EC) establishes the legal framework at EU level for electronic signatures and certification services. The aim is to make electronic signatures easier to use and to help them become legally recognised within the Member States. The Directive does not favour any specific technology.
The Directive lays down the rule of legal recognition of electronic signatures;[1] it establishes a legal framework for electronic signatures and certification services and defines two levels of security that organisations may apply to e-signatures depending on the sensitivity of the transaction: (a) simple e-signatures, which provide a minimum level of security, and (b) advanced electronic signatures, which provide a higher level of security and can be used as a substitute for a handwritten signature.
In order for a signature to qualify as an advanced signature, certain requirements have to be fulfilled (Article 5(1) of the Directive). These requirements concern the technical function of the signature software and the existence of a qualified certificate, which is provided by a certification service provider that meets certain criteria. Clearly, apart from the regulation of the legal effect of electronic signatures, the legal rules concerning the certification of e-signatures and the accreditation of service providers are also of great importance.
As already mentioned, the Directive adopts a technology-neutral approach regarding the recognition of electronic signatures. It defines electronic signatures in an abstract manner, so that different technologies can be used to fulfil the legal requirements for qualifying as electronic signatures. However, advanced electronic signatures correspond essentially to digital signatures, since the requirements laid down are only met by public key cryptosystems.
Regarding the legal effect of e-signatures, a two-tier system is created in accordance with Article 5 of the Directive. Firstly, advanced electronic signatures which are based on a qualified certificate and are created by a secure signature-creation device are equal in their effect, that is in legal validity and probative effect, to handwritten signatures on paper documents. Secondly, the rule of non-discrimination of e-signatures is laid down. Accordingly, EU Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is:
— in electronic form, or
— not based upon a qualified certificate, or
— not based upon a qualified certificate issued by an accredited certification-service-provider, or
— not created by a secure signature-creation device.
Furthermore, the Directive includes rules on market access (Article 3) and on the establishment of providers of e-signature services (Article 4), which are in line with EU principles. The liability of certification service providers is regulated in Article 6, which provides for a strict liability regime: as a minimum, by issuing a certificate as a qualified certificate to the public, or by guaranteeing such a certificate to the public, a certification service provider is liable for damage caused to any entity or legal or natural person who reasonably relies on that certificate.
The recognition of certificates issued by providers established in third countries is regulated in Article 7. Certification service providers are further under the obligation to comply with the data protection requirements laid down in Directive 95/46 and, more specifically, to collect personal data only directly from the data subject, or after the explicit consent of the data subject, and only insofar as it is necessary for the purposes of issuing and maintaining the certificate. The data may not be collected or processed for any other purposes without the explicit consent of the data subject.
On the basis of this Directive, Commission Decision 2003/511/EC of 14 July 2003 on the publication of reference numbers of generally recognised standards for electronic signature products was issued. The Annex of this legal act includes a list of standards in compliance with the requirements in Annex II(f) of the Directive, i.e. CWA 14167-1 (March 2003): security requirements for trustworthy systems managing certificates for electronic signatures - Part 1: System Security Requirements, and CWA 14167-2 (March 2002): security requirements for trustworthy systems managing certificates for electronic signatures - Part 2: cryptographic module for CSP signing operations - Protection Profile (MCSO-PP); and a list of standards in compliance with the requirements in Annex III, i.e. CWA 14169 (March 2002): secure signature-creation devices.
Furthermore, Commission Decision 2000/709 was issued, which lays down the minimum criteria to be taken into account by Member States when designating bodies in accordance with Article 3(4) of Directive 1999/93/EC, that is, when a national body is designated as responsible for the conformity assessment of signature-creation devices.
A report on the operation of Directive 1999/93 was issued in 2006.[2] The conclusions of this report concentrated on the legal aspect and the market effect of the Directive. Regarding the former, it is acknowledged that the Directive introduced legal certainty with respect to the general admissibility of electronic signatures: the need for the legal recognition of electronic signatures has been met by the transposition of the EU Directive into the legislation of the EU Member States. As far as the market effect of e-signatures is concerned, this has been relatively low. In particular, it was found that the use of qualified electronic signatures had been much lower than expected and the market was not very well developed. The main reason for the slow take-off of the market is that service providers had little incentive to develop multi-application electronic signatures and preferred to offer solutions for their own services. The banking sector and e-government were the sectors where e-signatures were mostly used.
Consequently, extensive consultations on a review of the e-Signatures Directive took place and, on the initiative of the EU Commission, a number of studies were conducted in relation to electronic identification, authentication, signature and related trust services (eIAS). It was made clear that a large majority of stakeholders agreed on the need to review the current framework to fill the gaps left by the Directive. It was concluded that this would better respond to the challenges posed by the rapid development of new technologies (particularly online and mobile access) and by increased globalisation, while maintaining the technological neutrality of the legal framework.
Critics also highlight the fact that the e-Signatures Directive mistakenly combines identification and authentication with signing, while those should be treated separately.[3] The coupling of PKI technology with the legal status of signatures has also proved a source of frustration.
As a result, the e-Signatures Directive was replaced by Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation), adopted on 23 July 2014. The eIDAS Regulation shall apply from 1 July 2016, with the exception of certain provisions which will apply in different stages.
The eIDAS Regulation creates a European internal market for electronic identification and electronic trust services, including:
· Electronic signatures; the rules related to the legal effect of e-signatures are provided for, as well as the requirements for qualified signature certificates, for qualified e-signature creation devices, etc.;
· Time stamping, i.e. the date and time on an electronic document which proves that the document existed at a point in time and that it has not changed since then;
· Electronic seals, i.e. the electronic equivalent of a seal or stamp which is applied to a document to guarantee its origin and integrity;
· Electronic delivery, i.e. a service that, to a certain extent, is the equivalent in the digital world of registered mail in the physical world;
· Legal admissibility of electronic documents, to ensure their authenticity and integrity;
· Website authentication, i.e. trusted information on a website (e.g. a certificate) which allows users to verify the authenticity of the website and its link to the entity/person owning the website.
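The two properties the list above attributes to e-signatures and time stamps (origin and integrity of a document; proof that it existed, unchanged, at a given time) are what public-key cryptography delivers, which is also why the earlier remark that advanced electronic signatures are in practice digital signatures holds. The following Go program is an added example written for this page, not code from the Regulation or from any trust service provider. It uses Ed25519 from Go's standard library as one illustrative public-key algorithm; the parties "Alice" and "Example TSA", the document text and the token layout (digest followed by a 64-bit time) are constructed for the demonstration. It does not model what makes a signature "qualified" under eIDAS (a qualified certificate and a qualified signature-creation device), nor the real time-stamp token format defined in RFC 3161; it shows only the cryptographic mechanism behind the legal concepts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Signer holds a key pair together with a name that stands in for the
// subject of the signer's certificate. Constructed for this example: a real
// qualified signature would bind the key to a qualified certificate and a
// secure signature-creation device, which are not modelled here.
type Signer struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair for the named party.
func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, pub: pub, priv: priv}, nil
}

// Public returns the key a relying party would obtain from the certificate.
func (s *Signer) Public() ed25519.PublicKey { return s.pub }

// Sign produces a signature over the SHA-256 digest of doc. Only the holder
// of the private key can produce it, which is what makes the signature
// attributable to the signer.
func (s *Signer) Sign(doc []byte) []byte {
	h := sha256.Sum256(doc)
	return ed25519.Sign(s.priv, h[:])
}

// Verify checks doc against sig using only the signer's public key. Any
// change to doc after signing, or a signature made with a different key,
// fails verification: this is the origin and integrity guarantee.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	h := sha256.Sum256(doc)
	return ed25519.Verify(pub, h[:], sig)
}

// TimestampToken binds a document digest to a point in time under the
// signature of a time-stamping authority (TSA). Layout is constructed for
// this example, not the RFC 3161 format.
type TimestampToken struct {
	Digest [sha256.Size]byte
	Unix   int64
	Sig    []byte
}

// tokenBytes is the exact byte string the TSA signs: digest || uint64 time.
func tokenBytes(digest [sha256.Size]byte, unix int64) []byte {
	buf := make([]byte, sha256.Size+8)
	copy(buf, digest[:])
	binary.BigEndian.PutUint64(buf[sha256.Size:], uint64(unix))
	return buf
}

// Timestamp issues a token stating that doc existed at time at. The TSA
// signs only the digest, so it never needs to see the document itself.
func (tsa *Signer) Timestamp(doc []byte, at time.Time) TimestampToken {
	digest := sha256.Sum256(doc)
	unix := at.Unix()
	return TimestampToken{
		Digest: digest,
		Unix:   unix,
		Sig:    ed25519.Sign(tsa.priv, tokenBytes(digest, unix)),
	}
}

// VerifyTimestamp checks that tok was issued by the TSA for exactly this
// document: recomputing the digest detects any later modification, and the
// signature covers the time field, so neither can be altered afterwards.
func VerifyTimestamp(tsaPub ed25519.PublicKey, doc []byte, tok TimestampToken) bool {
	if sha256.Sum256(doc) != tok.Digest {
		return false
	}
	return ed25519.Verify(tsaPub, tokenBytes(tok.Digest, tok.Unix), tok.Sig)
}

func main() {
	alice, _ := NewSigner("Alice")      // constructed signatory
	tsa, _ := NewSigner("Example TSA")  // constructed time-stamping authority
	doc := []byte("Purchase order 42: 100 units at 9.50 EUR") // constructed document

	sig := alice.Sign(doc)
	tok := tsa.Timestamp(doc, time.Date(2016, 7, 1, 9, 0, 0, 0, time.UTC))

	fmt.Println("signature verifies:       ", Verify(alice.Public(), doc, sig))
	fmt.Println("timestamp verifies:       ", VerifyTimestamp(tsa.Public(), doc, tok))

	tampered := []byte("Purchase order 42: 100 units at 0.50 EUR")
	fmt.Println("signature on altered doc: ", Verify(alice.Public(), tampered, sig))
	fmt.Println("timestamp on altered doc: ", VerifyTimestamp(tsa.Public(), tampered, tok))
}
```

A relying party needs only the public keys (in practice, the certificates of Alice and of the TSA) to perform every check; the private keys never leave their holders, which is the technical basis for the Directive's requirement that the signatory keep sole control of the signature-creation data.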
The Regulation obliges public bodies to accept cross-border identification/authentication services that are provided under a scheme that has been properly notified to the European Commission. Thus, it ensures that people and businesses can use their own national electronic identification schemes (eIDs) to access public services in the EU countries where eIDs are available.
It also creates a European internal market for electronic trust services in that it guarantees that they will operate across borders and have the same legal status as traditional paper-based processes.
EU Member States should establish supervisory bodies that will supervise certification service providers, but also trust service providers and qualified trust service providers. The conditions for the supervision of those providers are laid down in the provisions of the Regulation.
The EU adopted the following measures for the implementation of the Regulation:
Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 laying down technical specifications and formats relating to trusted lists pursuant to Article 22(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance)
Commission Implementing Decision (EU) 2015/1506 of 8 September 2015 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies pursuant to Articles 27(5) and 37(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance)
Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework pursuant to Article 12(8) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance)
Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance)
Commission Implementing Regulation (EU) 2015/806 of 22 May 2015 laying down specifications relating to the form of the EU trust mark for qualified trust services (Text with EEA relevance)
Commission Implementing Decision (EU) 2015/296 of 24 February 2015 establishing procedural arrangements for cooperation between Member States on electronic identification pursuant to Article 12(7) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance)
[1] OJ EC L 13 of 19 Jan. 2000, available online at: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31999L0093&from=EN
[2] COM(2006) 120 final, available online at: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52006DC0120&from=EN
[3] See M. Voulon, “European Union introduces new legal framework for identity management”, available online at: http://www.idnext.eu/en/home/european-union-introduces-new-legal-framework-for-identity-management/