Some keys to Regulation No 910/2014 (EIDAS)

Tuesday, October 17th, 2017 | Conformity assessment, Uncategorized

I.- Use of cross-border identification and signature systems

The transposition of Directive 1999/93 was uneven, and it never seemed clear enough that electronic signature and identification certificates issued by Certification Service Providers in one Member State had to be accepted by the rest of the Member States, in particular in their eGovernment services.

Since July 1st 2016, the direct application of EU Regulation 910/2014 definitively clarifies this point. We will see how it is taken up in implementations.

II.- CSPs (Certification Services Providers) will be called ETSPs (Electronic Trust Services Providers)

They are now called Trust Services Providers (TSPs), and they can issue qualified certificates (equivalent to the recognized certificates of Law 59/2003) or non-qualified certificates.

The issuance of natural person certificates is a specific type of trust service (which is compatible with the service provided for in Law 59/2003) and, among them, there are qualified certificates (in the aforementioned law they were called “recognized”). In order to issue this kind of certificate, the provider must submit to the Supervisory Body (in Spain, the State Secretariat for Telecommunications and Information Society) a notification of its intention together with a Conformity Assessment Report issued by a Conformity Assessment Body (in Spain, Entidad Nacional de Acreditación (ENAC)). If it is authorized to issue qualified certificates, it will be placed on a trusted list (which each Member State publishes with information on all qualified providers of Trust Services) and may use the “EU” trust mark to indicate the services it provides.

It should be noted that the control mechanisms on all service providers are increased (whether they issue qualified certificates or not); providers will be audited every 24 months to confirm that they comply with the provisions of the Regulation.

III.- Liability of Service Providers

They remain liable for damages caused deliberately or negligently to any person due to any breach of the obligations established in the Regulation. However, the limitations on liability of Article 23 of Law 59/2003 are removed. The burden of proof lies (i) with the person claiming the damage, when the provider issues non-qualified certificates, or (ii) with the service provider issuing qualified certificates, who must prove that the damages occurred without intention or negligence on its part.

IV.- Legal Person Certificates

The Regulation does not foresee the issuance of electronic signature certificates in favor of legal persons or entities without legal personality. Entities of this type only have electronic seals, which make it possible to prove the authenticity of the origin and the integrity of the sealed document.

V.- New regulated services

Apart from the electronic signature (defined in Law 59/2003 in 3 types: electronic signature, advanced and qualified), the Regulation also regulates the electronic seal (of which there are also 3 kinds), the electronic timestamp, the certified electronic delivery service, the electronic document and website authentication. Recital 55 of the Regulation also opens the possibility of generating qualified electronic signatures such as the mobile signature or the cloud signature, which can greatly boost the market for electronic signatures.
