Degree of EIDAS implementation within the European Union


Regulation (EU) No. 910/2014 of the European Parliament and of the Council of July 23, 2014, on electronic identification and trust services in electronic transactions in the internal market (eIDAS), which entered into force on the 1st of July 2016, has experienced an uneven implementation in the different countries of the European Union.

We analyze below the degree of implementation of the eIDAS Regulation in the main countries of the EU:

 

  • France:

There is no national law yet, but there are different procedures and requirements based on ETSI regulations.

Supervisory Body: ANSSI (Agence nationale de la sécurité des systèmes d’information).

Link: www.ssi.gouv.fr

 

  • Germany:

There is no national law yet either, but there are different procedures and requirements based on ETSI regulations.

Supervisory Body: BSI (Federal Office for Information Security).

Link: www.bsi.bund.de

 

  • Belgium:

The current national law is applied, without connection with the ETSI or CEN regulations.

The Conformity Assessment Bodies are accredited according to ISO / IEC 17065 + ETSI EN 319 403.

Supervisory Body: Service Publique fédéral Economie, PME, Moyennes Classes and Energie.

Link: economie.fgov.be/fr

 

  • Spain:

Current National Law 39/2015 applies. There are no specific procedures for Trust Service Providers.

Supervisory Body: Ministry of Energy, Tourism and Digital Agenda (MINETUR).

Link: https://sede.minetur.gob.es/

 

  • Italy:

There is no national law yet, but this country has a national accreditation system, based on EN 319 403, administered by ACCREDIA (2 CAB accredited – VERITAS and CSQA).

Supervisory Body: Agenzia per l’Italia Digitale.

Link: www.agid.gov.it/

 

  • Netherlands:

There is no national law yet, but they have national procedures for notifications of non-compliance and accreditation of the CAB.

Supervisory Body: Authority for Consumers and Markets and Agentschap Telecom.

Links: https://www.acm.nl/en and https://www.agentschaptelecom.nl/

 

  • United Kingdom:

The national law for the eIDAS application defines the applicable procedures for each type of trust service in the UK.

Supervisory body: The Information Commissioner.

Link: https://ico.org.uk/

 

Please, click here to view the full chart.

EIDAS celebrates its first anniversary

The first anniversary of eIDAS deserves a brief review of how this Regulation has changed, in many respects, the outlook for trust services in the European Union.

We analyze the key points of the first anniversary of eIDAS:

 

  • The main novelty of this new Regulation is the harmonization of the requirements for the mutual recognition of electronic identification at EU level. Therefore, it repeals the previous Directive 1999/93/EC and the respective national laws.

 

  • The Regulation has created the “EU trust mark”, which clearly distinguishes qualified trust services from other trusted services.

 

  • The Regulation has also introduced the concept of Qualified Trust Services Providers and Electronic Trust Services.

In particular, it has created the following qualified services (those that meet the requirements applicable in Regulation (EU) No 910/2014): electronic signatures and electronic stamps. Electronic signatures are intended for individuals and electronic stamps for legal entities. In addition, it regulates other trusted services such as electronic time stamps, electronic documents, electronic delivery services and website authentication.

Qualified Trusted Service Providers obtain this status through a Conformity Assessment Report and a Supervisory Body must audit them at least every 24 months.

 

  • It specifies new levels of electronic identification, low and substantial. They improve identification mechanisms, such as handwritten signatures on mobile devices or cloud signature solutions.

 

  • The Regulation has introduced the concept of Electronic Signature in three different levels:

Electronic Signature: The definition remains the same under eIDAS. The electronic signature has legal effects and is admissible as evidence in legal proceedings.

Advanced Electronic Signature: It allows the unique identification and authentication of the signer of a document and allows checking the integrity of the signed document. The issuance of a digital certificate by a Certification Authority (CA) allows the authentication.

Qualified Electronic Signature: They are the electronic equivalent of handwritten signatures. Qualified certificates are their foundation. These are the only signatures that ensure the mutual recognition of their validity by all EU Member States.

 

  • Recognition of electronic signatures as evidence at trial within the EU.

Article 25 of eIDAS reflects this concept. It provides that legal effects and admissibility as evidence in court proceedings are not denied to an electronic signature by the fact of being an electronic signature or because it does not meet the requirements. In fact, a qualified electronic signature has a legal effect equivalent to that of a handwritten signature.

 

  • The regulation recognizes admissibility as evidence in a trial and its legal effect for electronic signatures.

 

  • The Regulation creates the EU Trusted Lists. They reflect the Qualified Electronic Trust Services Providers and the services they offer. The TSPs and their services will be qualified if they appear on these lists.

 

  • Regulation of Qualified signature creation devices. They must meet the requirements listed in Annex II of Regulation (EU) 910/2014. The European Commission shall establish, publish and maintain a list of qualified electronic signature/stamp devices with the information provided by the Member States.

 

  • Acceptance of remote identification for electronic signatures. Therefore, on-site identification is no longer needed. To ensure the safety of the process, you can use other identification means. These can be prior on-site identification, qualified electronic seals or qualified electronic signature certificates.

 

  • The Regulation establishes that Conformity Assessment Bodies must audit TSPs every 24 months.
    The purpose of the audit is to confirm that both Qualified TSPs and the electronic trust services they provide meet the requirements of eIDAS.

 

Main benefits of the introduction of eIDAS

The introduction of the eIDAS Regulation was a necessity at EU level. Prior to its entry into force, the identity documents of citizens from one Member State were not valid in other EU Member States.

Therefore, eIDAS facilitates the provision of cross-border services and allows companies to operate outside their borders. Ultimately, it benefits citizens, businesses and Public Administration.

The main services where citizens can benefit from eIDAS are the following: paying taxes, public tenders, signing online contracts, economic transactions through electronic banking and online health services, among others.

 

Source: European Commission

 

Some keys to Regulation No 910/2014 (EIDAS)

We analyze the main keys to Regulation 910/2014 (eIDAS):

I.- Use of cross-border identification and signature systems in eIDAS

The transposition of Directive 1999/93 was uneven, and it never seemed clear enough that electronic signature and identification certificates issued by Certification Service Providers in one Member State had to be accepted by the rest of the Member States.

Since July 1st 2016, the direct application of EU Regulation 910/2014 definitively clarifies this concept.

II.- CSPs (Certification Services Providers) will be called ETSPs (Electronic Trust Services Providers) in eIDAS

From now on, they are Trust Services Providers (TSPs), and they can issue qualified certificates (equivalent to recognized certificates of Law 59/2003) or non-qualified certificates.

The issuance of natural person certificates is a specific type of trust service and, among them, there are qualified certificates (in the aforementioned law they were called “recognized”). In order to issue this kind of certificate, the Conformity Assessment Body (in Spain, Entidad Nacional de Acreditación (ENAC)) shall submit a notification of its intention together with a Conformity Assessment Report to the Supervisory Body (in Spain, the State Secretariat for Telecommunications and Information Society).

If it has the possibility of issuing qualified certificates, it will be placed in a trusted list (which each Member State publishes with information of all qualified providers of Trust Services) and may use the trust tag “EU” to indicate the services it provides.

It should be noted that the control mechanisms on all service providers are increased (whether they issue qualified certificates or not), which will be audited every 24 months to confirm that they comply with the provisions of the Regulation.

III.- Liability of Service Providers

They remain liable for damages caused deliberately or negligently to any person due to any breach of the obligations established in the Regulation. However, the limitations on liability of Article 23 of Law 59/2003 no longer exist. The burden of proof lies (i) with the person claiming the damage, when the Provider issues non-qualified certificates, or (ii) with a service provider issuing qualified certificates, who must prove that the damages occurred without intention or negligence on his part.

IV.- Legal Person Certificates

The Regulation does not foresee the issuance of electronic signature certificates in favor of legal persons or entities without legal personality. Entities of this type only have electronic stamps, which make it possible to prove the authenticity of the origin and the integrity of the sealed document.

V.- New regulated services

Apart from the electronic signature (defined in Law 59/2003, in 3 types, electronic signature, advanced and qualified), the Regulation also regulates the electronic seal (there are also 3 kinds), electronic timestamp, certified electronic delivery service, electronic document and website authentication. Recital 55 of the Regulation also opens the possibility of generating qualified electronic signatures such as the mobile signature or the cloud signature, which can greatly boost the market for electronic signatures.

 

Click here to read Regulation 910/2014 (eIDAS).