Commission Implementing Decision (EU) 2016/650

Commission Implementing Decision (EU) 2016/650 of 25 April 2016 laying down standards for the security assessment of qualified electronic signature and seal creation devices pursuant to Articles 30(3) and 39(2) of Regulation (EU) No 910/2014

REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC

 

The European Commission,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (1), and in particular Article 30(3) and Article 39(2) thereof,

Whereas:

 

(1)

Annex II to Regulation (EU) No 910/2014 lays down the requirements for qualified electronic signature creation devices and qualified electronic seal creation devices.

(2)

The task of drawing up the technical specifications needed for the production and placing on the market of products that reflect the current state of the art is carried out by the organisations competent in the field of standardisation.

(3)

ISO/IEC (International Organization for Standardization / International Electrotechnical Commission) establishes the general concepts and principles of IT security and specifies the general evaluation model to be used as a basis for evaluating the security properties of IT products.

(4)

Under standardisation mandate M/460 given by the Commission, the European Committee for Standardization (CEN) has developed standards for qualified electronic signature and seal creation devices where the electronic signature creation data or electronic seal creation data is held in an entirely, but not necessarily exclusively, user-managed environment. Those standards are considered appropriate for assessing the compliance of such devices with the relevant requirements set out in Annex II to Regulation (EU) No 910/2014.

(5)

Annex II to Regulation (EU) No 910/2014 lays down that only a qualified trust service provider may manage electronic signature creation data on behalf of a signatory. The security requirements and their respective certification specifications differ between the case where the signatory physically possesses the product and the case where a qualified trust service provider acts on behalf of the signatory. In order to address both situations, and to favour the development over time of products and evaluation standards tailored to specific needs, the Annex to this Decision should list standards covering both situations.

(6)

At the time of adoption of this Decision, several trust service providers already offer solutions that manage electronic signature creation data on behalf of their customers. Product certifications are currently limited to hardware security modules certified against various standards, but not yet specifically certified against the requirements for qualified signature and seal creation devices. Nonetheless, published standards such as EN 419 211 (applicable to electronic signatures created in an entirely, but not necessarily exclusively, user-managed environment) do not yet exist for the equally important market of certified remote products. As standards that could be suitable for this purpose are currently under development, the Commission will complement this Decision when such standards are available and have been assessed as compliant with the requirements set out in Annex II to Regulation (EU) No 910/2014. Until a list of such standards is established, an alternative process may be used to assess the compliance of such products under the conditions laid down in point (b) of Article 30(3) of Regulation (EU) No 910/2014.

(7)

The Annex lists the standard EN 419 211, which consists of different parts (1 to 6) covering different situations. Parts 5 and 6 of that standard give extensions related to the environment of the qualified signature creation device, such as communication with trusted signature creation applications. Product manufacturers are free to apply such extensions. In accordance with recital 56 of Regulation (EU) No 910/2014, the scope of certification under Articles 30 and 39 of that Regulation is limited to protecting the signature creation data; signature creation applications are excluded from the scope of certification.

(8)

In order to ensure that electronic signatures or seals generated by a qualified signature or seal creation device are reliably protected against forgery, as required by Annex II to Regulation (EU) No 910/2014, suitable cryptographic algorithms, key lengths and hash functions are a prerequisite for the security of the certified product. As this matter has not been harmonised at European level, Member States should cooperate to agree on the cryptographic algorithms, key lengths and hash functions to be used in the field of electronic signatures and seals.

(9)

The adoption of this Decision renders Commission Decision 2003/511/EC (2) obsolete. It should therefore be repealed.

(10)

The measures provided for in this Decision are in accordance with the opinion of the Committee referred to in Article 48 of Regulation (EU) No 910/2014,

HAS ADOPTED THE FOLLOWING DECISION:

Article 1

  1. The standards for the security assessment of information technology products that apply to the certification of qualified electronic signature creation devices or qualified electronic seal creation devices under point (a) of Article 30(3) or Article 39(2) of Regulation (EU) No 910/2014, where the electronic signature creation data or electronic seal creation data is held in an entirely, but not necessarily exclusively, user-managed environment, are listed in the Annex to this Decision.

  2. Until the Commission establishes a list of standards for the security assessment of information technology products that apply to the certification of qualified electronic signature creation devices or qualified electronic seal creation devices where a qualified trust service provider manages the electronic signature creation data or electronic seal creation data on behalf of a signatory or of a creator of a seal, the certification of such products shall be based on a process that, pursuant to point (b) of Article 30(3), uses security levels comparable to those required by point (a) of Article 30(3) and that is notified to the Commission by the public or private body referred to in Article 30(1) of Regulation (EU) No 910/2014.

 

Article 2

Decision 2003/511/EC is hereby repealed.

 

Article 3

This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Done at Brussels, 25 April 2016.

By the Commission

President

Jean-Claude JUNCKER

 


(1) OJ L 257, 28.8.2014, p. 73.

(2) Commission Decision 2003/511/EC of 14 July 2003 on the publication of reference numbers of generally recognised standards for electronic signature products in accordance with Directive 1999/93/EC of the European Parliament and of the Council (OJ L 175, 15.7.2003, p. 45).


ANNEX

LIST OF STANDARDS REFERRED TO IN ARTICLE 1(1)

ISO/IEC 15408 — Information technology — Security techniques — Evaluation criteria for IT security, Parts 1 to 3 as listed below:

ISO/IEC 15408-1:2009 — Information technology — Security techniques — Evaluation criteria for IT security — Part 1. ISO, 2009.

ISO/IEC 15408-2:2008 — Information technology — Security techniques — Evaluation criteria for IT security — Part 2. ISO, 2008.

ISO/IEC 15408-3:2008 — Information technology — Security techniques — Evaluation criteria for IT security — Part 3. ISO, 2008.

and

ISO/IEC 18045:2008 — Information technology — Security techniques — Methodology for IT security evaluation.

and

EN 419 211 — Protection profiles for secure signature creation device, Parts 1 to 6, where appropriate, as listed below:

EN 419211-1:2014 — Protection profiles for secure signature creation device — Part 1: Overview.

EN 419211-2:2013 — Protection profiles for secure signature creation device — Part 2: Device with key generation.

EN 419211-3:2013 — Protection profiles for secure signature creation device — Part 3: Device with key import.

EN 419211-4:2013 — Protection profiles for secure signature creation device — Part 4: Extension for device with key generation and trusted channel to certificate generation application.

EN 419211-5:2013 — Protection profiles for secure signature creation device — Part 5: Extension for device with key generation and trusted channel to signature creation application.

EN 419211-6:2014 — Protection profiles for secure signature creation device — Part 6: Extension for device with key import and trusted channel to signature creation application.