New taxonomy of digital trust electronic services after #eIdAS


Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS) is fully applicable from July 1, 2016.

The information displayed on the website of the Ministry of Industry, Energy and Tourism (MINETUR) on electronic certification service providers has been adapted to the new classification and categories of services provided in the aforementioned eIDAS Regulation.

Therefore, as of July 1, 2016, MINETUR publishes a new version of the service providers database with the following structure:

Qualified trust electronic services:

  • Qualified electronic certificate issuing service for electronic signature;
  • Qualified electronic certificate issuing service for electronic seal;
  • Qualified electronic certificate issuing service for website authentication;
  • Qualified electronic time stamps issuing service;
  • Qualified certified electronic delivery service;
  • Qualified electronic signatures validation service;
  • Qualified electronic seal validation service;
  • Qualified electronic signature preservation service;
  • Qualified electronic seal preservation service.

Unqualified trust electronic services:

  • Unqualified electronic certificate issuing service for electronic signature;
  • Unqualified electronic certificate issuing service for unqualified electronic seal;
  • Unqualified electronic certificate issuing service for website authentication;
  • Unqualified electronic time stamps issuing service;
  • Unqualified certified electronic delivery service;
  • Unqualified electronic signatures validation service;
  • Unqualified electronic seal validation service;
  • Unqualified electronic signature preservation service;
  • Unqualified electronic seal preservation service.

Other services:

This section lists services related to electronic signatures that do not qualify as trust services under the eIDAS Regulation but could still remain within the framework of Law 59/2003, of December 19, on electronic signature. It includes issuing services for electronic certificates of legal persons or entities without legal personality, issuing services for component certificates, publication certification services and electronic contracting services.

In addition, it provides the possibility of obtaining categorized information on electronic certificate issuing services used as identification and signature systems of Public Administrations (Law 11/2007, dated June 22, on electronic access of citizens to Public Services, Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations and Law 40/2015, of October 1, of the Legal Regime of the Public Sector):

  • Issuing service of electronic certificates of Public Administrations website;
  • Issuing service of electronic certificates of Public Administrations seal;
  • Issuing service of electronic certificate for public employees.

External expert report for the assessment of control measures for the prevention of money laundering


TCAB (Trust Conformity Assessment Body) will evaluate the control measures used in the “video onboarding” environments of financial institutions in the context of the recent regulation published for this purpose by SEPBLAC (Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses).

The Commission for the Prevention of Money Laundering and Monetary Offenses, which reports to the Ministry of Economy and Business Support of the Ministry of Economy and Competitiveness, created by Law 19/1993 of December 28th, is a collegiate body composed of representatives of different ministerial departments and agencies, the Public Prosecutor’s Office, as well as the Autonomous Communities. It bears the highest responsibility for the development of anti-money laundering policy in Spain. It is currently regulated by Law 10/2010, of April 28th, on the prevention of money laundering and the financing of terrorism.

The Commission has the support of the Secretariat, currently held by the General Subdirectorate for the Inspection and Control of Capital Movements of the General Secretariat of the Treasury and Financial Policy and the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses (SEPBLAC).

SEPBLAC is the Spanish financial intelligence unit. It acts to prevent the use of the financial system, or of companies or professionals of another nature, for money laundering, and it investigates and prevents administrative infractions of the legal regime on capital movements and economic transactions with other countries.

Article 28 of Law 10/2010 stipulates that the internal control measures referred to in Article 26 of that Law are subject to annual review by an external expert. Those who wish to act as such should report this to the Executive Service of the Commission before starting their activity and send it, every six months, the list of obligated subjects whose internal control measures they have examined. TCAB has already completed this formality.

It is the responsibility of the obligated subjects to select suitable professionals, as well as to verify that the external examination is carried out in the terms established in Order EHA/2444/2007, of July 31.

TCAB is an evaluation entity for products and services related to computer security and, in particular, to Electronic Service Providers of Trust, within the framework of the #eIdAS standard. It is governed by ISO 17065 and by EN 319 403 in relation to the Trust Service Providers Assessment.

The assessment takes the form of an external expert report on the internal measures to prevent money laundering and terrorist financing, in particular in application of the AUTHORIZATION OF PROCEDURES OF NON-PRESENCE IDENTIFICATION BY VIDEOCONFERENCE published by SEPBLAC.

The aforementioned authorization allows the use by the legally bound party of non-presence videoconference identification procedures.

Registered Electronic Trust Service Providers under #eIdAS


The name “Electronic Trust Service Provider”, created under the recently existing EU Regulation No. 910/2014, renders the previous designations obsolete:

The new Electronic Trust Service Providers are classified in three levels:

  1. Qualified Electronic Trust Services, registered in the SETSI registry for TSPs (there cannot be qualified electronic services that are not registered).
  2. Not qualified Electronic Trust Services, registered in the SETSI TSPs registry.
  3. Not qualified Electronic Trust Services, not registered in the SETSI TSPs registry.

Qualified Electronic Trust Service Providers are supervised by the Supervisory Bodies. In Spain, the Supervisory Body is the Ministry of Telecommunications and Information Society (SETSI), which belongs to the Ministry of Industry, Energy and Tourism (Minetur).

Qualified Electronic Trust Service Providers must be audited, at least every 24 months, by a Conformity Assessment Body. The purpose of the audit is to confirm that both the Electronic Trust Service Providers and the Electronic Trust Services fulfill the requirements of Regulation (EU) 910/2014.

Qualified Trust Service Providers must submit the corresponding Conformity Assessment Report to the supervisory body within three working days upon receipt.

The Registered Electronic Trust Service Providers are a special category in terms of supervision of the services by the SETSI, since they provide either services that do not have the status of qualified service, or services that do not fit in the Trust Service definition according to Regulation (EU) 910/2014.

Because these services are notified to SETSI (and therefore included in the Trust Service Providers Registry), their information is published on the Ministry of Industry, Energy and Tourism website, although the Ministry does not check the alignment of the services with the applicable legislation on trust services prior to publication.

Registered Providers can receive warnings and information requests from SETSI, if the latter receives any kind of complaint from the involved trust services users.

Some services, such as Certified Digitization, are not usually notified to SETSI, so they could be considered as Non-Registered, and therefore, outside the scope of action of the Supervisory Body.

A major step in signature interoperability: Commission Implementing Decision (EU) 2015/1506 of 8 September 2015


Simplification in the management of electronic signatures is now a legal mandate in all countries of the European Union thanks to the Commission Implementing Decision (EU) 2015/1506 of 8 September 2015, which lays down the specifications concerning the formats of advanced electronic signatures and advanced seals that must be recognized by public sector bodies in accordance with Articles 27(5) and 37(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.

This standard will have a great impact on the development of the Public Administration and will force the revision of Law 11/2007, the RD 1671/2009 and the RD 4/2010, as well as the General Administration’s electronic signature policy and its certificates profile annex and one of the Technical Norms of Interoperability.

I include it below:

 

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (1), and in particular Article 27(5) and 37(5) thereof,

Whereas:

(1) Member States need to put in place the necessary technical means allowing them to process electronically signed documents that are required when using an online service offered by, or on behalf of, a public sector body.

(2) Regulation (EU) No 910/2014 obliges Member States requiring an advanced electronic signature or seal for the use of an online service offered by, or on behalf of, a public sector body, to recognise advanced electronic signatures and seals, advanced electronic signatures and seals based on a qualified certificate and qualified electronic signatures and seals in specific formats, or alternative formats validated pursuant to specific reference methods.

(3) To define the specific formats and reference methods, existing practices, standards and Union legal acts should be taken into account.

(4) Commission Implementing Decision 2014/148/EU (2) has defined a number of the most common advanced electronic signature formats to be supported technically by the Member States, where advanced electronic signatures are required for an online administrative procedure. Establishing the reference formats aims at facilitating the cross-border validation of electronic signatures and at improving the cross-border interoperability of electronic procedures.

(5) The standards listed in the Annex to this Decision are the existing standards for formats of advanced electronic signatures. Due to the ongoing revision by the standardisation bodies of the long term archival forms of the referenced formats, standards detailing long-term archiving are excluded from the scope of this Decision. When the new version of the referenced standards is available, references to the standards and the clauses on long term archiving will be revised.

(6) Advanced electronic signatures and advanced electronic seals are similar from the technical point of view. Therefore, the standards for formats of advanced electronic signatures should apply mutatis mutandis to formats for advanced electronic seals.

(7) Where other electronic signature or seal formats than those commonly technically supported are used to sign or seal, validation means that allow the electronic signatures or seals to be verified across borders should be provided.

In order  to allow the receiving Member States to be able to rely on those validation tools of another Member State, it is necessary to provide easily accessible information on those validation tools by including the information in the electronic documents, in

(8) Where electronic signature or seal validation possibilities suitable for automated processing are available in a Member State’s public services, such validation possibilities should be made available and provided to the receiving Member State. Nonetheless, this Decision should not impede the application of Articles 27(1) and (2) and 37(1) and (2) of Regulation (EU) No 910/2014 when the automated processing of validation possibilities for alternative methods is not possible.

(9) In order to provide for comparable requirements for validation and to increase trust in the validation possibilities provided by Member States for other electronic signature or seal formats than those commonly supported, the requirements set out in this Decision for the validation tools, draw from the requirements for the validation of qualified electronic signatures and seals referred to in Articles 32 and 40 of Regulation (EU) No 910/2014.

(10) The measures provided for in this Decision are in accordance with the opinion of the Committee established by Article 48 of Regulation (EU) No 910/2014,

HAS ADOPTED THIS DECISION:

Article 1

Member States requiring an advanced electronic signature or an advanced electronic signature based on a qualified certificate as provided for in Article 27(1) and (2) of Regulation (EU) No 910/2014, shall recognise XML, CMS or PDF advanced electronic signature at conformance level B, T or LT level or using an associated signature container, where those signatures comply with the technical specifications listed in the Annex.

Article 2

  1. Member States requiring an advanced electronic signature or an advanced electronic signature based on a qualified certificate as provided for in Article 27(1) and (2) of Regulation (EU) No 910/2014, shall recognise other formats of electronic signatures than those referred to in Article 1 of this Decision, provided that the Member State where the trust service provider used by the signatory is established offers other Member States signature validation possibilities, suitable, where possible, for automated processing.
  2. The signature validation possibilities shall:

(a) allow other Member States to validate the received electronic signatures online, free of charge and in a way that is understandable for non-native speakers;

(b) be indicated in the signed document, in the electronic signature or in the electronic document container; and

(c) confirm the validity of an advanced electronic signature provided that:

(1) the certificate that supports the advanced electronic signature was valid at the time of signing, and when the advanced electronic signature is supported by a qualified certificate, the qualified certificate that supports the advanced electronic signature was, at the time of signing, a qualified certificate for electronic signature complying with Annex I of Regulation (EU) No 910/2014 and that it was issued by a qualified trust service provider;

(2) the signature validation data corresponds to the data provided to the relying party;

(3) the unique set of data representing the signatory is correctly provided to the relying party;

(4) the use of any pseudonym is clearly indicated to the relying party if a pseudonym was used at the time of signing;

(5) when the advanced electronic signature is created by a qualified electronic signature creation device, the use of any such device is clearly indicated to the relying party;

(6) the integrity of the signed data has not been compromised;

(7) the requirements provided for in Article 26 of Regulation (EU) No 910/2014 were met at the time of signing;

(8) the system used for validating the advanced electronic signature provides to the relying party the correct result of the validation process and allows the relying party to detect any security relevant issues.

Article 3

Member States requiring an advanced electronic seal or an advanced electronic seal based on a qualified certificate as provided for in Article 37(1) and (2) of Regulation (EU) No 910/2014, shall recognise XML, CMS or PDF advanced electronic seal at conformance level B, T or LT or using an associated seal container where those comply with the technical specifications listed in the Annex.

Article 4

  1. Member States requiring an advanced electronic seal or an advanced electronic seal based on a qualified certificate as provided for in Article 37(1) and (2) of Regulation (EU) No 910/2014, shall recognise other formats of electronic seals than those referred to in Article 3 of this Decision, provided that the Member State where the trust service provider used by the creator of the seal is established offers other Member States seal validation possibilities, suitable, where possible, for automated processing.
  2. The seal validation possibilities shall:

(a) allow other Member States to validate the received electronic seals online, free of charge and in a way that is understandable for non-native speakers;

(b) be indicated in the sealed document, in the electronic seal or in the electronic document container; and

(c) confirm the validity of an advanced electronic seal provided that:

(1) the certificate that supports the advanced electronic seal was valid at the time of sealing, and when the advanced electronic seal is supported by a qualified certificate, the qualified certificate that supports the advanced electronic seal was, at the time of sealing, a qualified certificate for electronic seal complying with Annex III of Regulation (EU) No 910/2014 and that it was issued by a qualified trust service provider;

(2) the seal validation data corresponds to the data provided to the relying party;

(3) the unique set of data representing the creator of the seal is correctly provided to the relying party;

(4) the use of any pseudonym is clearly indicated to the relying party if a pseudonym was used at the time of sealing;

(5) when the advanced electronic seal is created by a qualified electronic seal creation device, the use of any such device is clearly indicated to the relying party;

(6) the integrity of the sealed data has not been compromised;

(7) the requirements provided for in Article 36 of Regulation (EU) No 910/2014 were met at the time of sealing;

(8) the system used for validating the advanced electronic seal provides to the relying party the correct result of the validation process and allows the relying party to detect any security relevant issues.

Article 5

This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Decision shall be binding in all its elements and directly applicable in all Member States.

 

Done in Brussels, 8 September 2015.

For the Commission

The President

Jean-Claude JUNCKER

 

ANNEX

List of technical specifications for XML, CMS or PDF advanced electronic signatures and the associated signature container

Advanced electronic signatures mentioned in Article 1 of the Decision must comply with one of the following ETSI technical specifications with the exception of clause 9 thereof:

XAdES Baseline Profile – ETSI TS 103171 v.2.1.1.(1)

CAdES Baseline Profile – ETSI TS 103173 v.2.2.1.(2)

PAdES Baseline Profile – ETSI TS 103172 v.2.2.2.(3)

(1) http://www.etsi.org/deliver/etsi_ts/103100_103199/103171/02.01.01_60/ts_103171v020101p.pdf

(2) http://www.etsi.org/deliver/etsi_ts/103100_103199/103173/02.02.01_60/ts_103173v020201p.pdf

(3) http://www.etsi.org/deliver/etsi_ts/103100_103199/103172/02.02.02_60/ts_103172v020202p.pdf

Associated signature container mentioned in Article 1 of the Decision must comply with the following ETSI technical specifications:

Associated Signature Container Baseline Profile – ETSI TS 103174 v.2.2.1 (1)

(1) http://www.etsi.org/deliver/etsi_ts/103100_103199/103174/02.02.01_60/ts_103174v020201p.pdf

 

List of technical specifications for XML, CMS or PDF advanced electronic seals and the associated seal container

Advanced electronic seals mentioned in Article 3 of the Decision must comply with one of the following ETSI technical specifications, with the exception of clause 9 thereof:

XAdES Baseline Profile – ETSI TS 103171 v.2.1.1

CAdES Baseline Profile – ETSI TS 103173 v.2.2.1

PAdES Baseline Profile – ETSI TS 103172 v.2.2.2

Associated seal container mentioned in Article 3 of the Decision must comply with the following ETSI technical specifications:

Associated Seal Container Baseline Profile – ETSI TS 103174 v.2.2.1