European Commission's proposal for a Regulation on electronic identification and trust services for electronic transactions in the internal market

Alessandra SBORDONI
European Commission - DG CONNECT
alessandra.sbordoni@ec.europa.eu
What is the legislative proposal's ambition?
• To strengthen the EU Single Market by boosting TRUST and CONVENIENCE in secure and seamless cross-border and cross-sector electronic TRANSACTIONS
• To stimulate new business opportunities
What is the scope of the proposed Regulation?
1. Mutual recognition of electronic identification
2. Electronic trust services:
   • Electronic signatures: interoperability and usability
   • Electronic seals: interoperability and usability
   • Cross-border dimension of:
     1. Time stamping
     2. Electronic delivery service
     3. Electronic documents admissibility
     4. Website authentication
Provisions of the proposed Regulation
• Ch 1: General Provisions
• Ch 2: Electronic identification
• Ch 3: Trust services
  • Sec 1: General Provisions
  • Sec 2: Supervision
  • Sec 3: Electronic signature
  • Sec 4: Electronic seals
  • Sec 5: Electronic time stamp
  • Sec 6: Electronic documents
  • Sec 7: Qualified electronic delivery service
  • Sec 8: Website authentication
• Ch 4: Delegated acts
• Ch 5: Implementing acts
• Ch 6: Final provisions
• Annexes I, III, IV: Qualified certificates
• Annex II: Qualified eSig creation devices
General Provisions
• Legal basis: Art 114 TFEU (internal market)
• Subject matter and scope:
  • Covers mutual recognition and acceptance of eID
  • «Toolbox» of trust services: usage is NOT mandatory
• Definitions:
  • Trust services do not encompass eID (subsidiarity)
  • Qualified = matching the requirements of the Regulation
  • Qualified trust service providers (QTSP) and qualified trust services (QTS)
  • eSig creation device: SW or HW used to create an eSig
• Internal market:
  • Free "movement" of trust services and related products
  • Mutual recognition and acceptance of trust services
Electronic identification
• Legal effect:
  • Mutual recognition and acceptance of "notified" e-identification schemes
  • Natural and legal persons
• Notification mechanism. A Member State:
  1. May 'notify' to the Commission the 'national' electronic identification scheme(s) used at home, at least, for access to public services;
  2. Must recognise and accept 'notified' eIDs of other Member States for cross-border access to its online services requiring e-identification under its national laws;
  3. Must provide an online, free ID data authentication facility;
  4. Is liable for unambiguous identification of persons and for authentication;
  5. May allow the private sector to use 'notified' eIDs
• Coordination mechanism between Member States to ensure interoperability of eID means and enhance security
What is not covered?
The proposal does not require / address / contain:
• Member States to have an eID scheme
• Member States to notify their eID scheme(s)
• «Soft ID» (e.g. Facebook)
• «Notified» eIDs are not necessarily ID cards
• "EU database" of any kind
• "EU eID"
• Prior authorisation to start a qualified service, or accreditation
• Details on trust services other than eSig / eSeals
• Persons' roles and/or attributes
• Format of e-documents
• Establishment of proof
• Encryption
Electronic trust services
Common principles:
• Technological neutrality
• Mutual recognition of qualified electronic trust services
• Strengthens and harmonises national supervision of qualified trust service providers and trust services
• Reinforces data protection + obligation for data minimisation
• Uses delegated and implementing acts as a mechanism to ensure flexibility vis-à-vis technological developments and best practice
Supervision (1/3)
• National or «regional» supervision authority
• Common essential supervision requirements for Q-TSPs
• Cooperation between Supervisors:
  • Mutual supervision assistance
  • Yearly supervision report
  • Collection of market statistics from Q-TSPs and Supervisors
  • Exchange of good practices between Supervisors (FESA)
• MS to ensure long-term availability of trust data of QTSPs
Supervision (2/3)
• Requirements on Q and non-Q-TSPs (Art. 15):
  • Obligation of security due diligence for Q and non-Q-TSPs
  • Security breach notification obligation for Q and non-Q-TSPs
  • Binding instructions by Supervisors to Q and non-Q-TSPs
• Supervision of Q-TSPs (Art. 16):
  • Q-TSP subject to at least yearly audit
  • Supervisor can issue binding instructions to a Q-TSP; Supervisor can remove "Qualified" status
Supervision (3/3)
• Initiation of Q-Trust services (Art. 17):
  • Mandatory notification to the Supervisory body
  • No prior authorisation
• Trusted Lists (Art. 18):
  • EU trusted lists of Q-TSs and Q-TSPs (SD Decision 2009/767/EU)
• Requirements for Q-TSPs (Art. 19):
  • Issuance of certificates: face-to-face OR remotely using «notified» eID
  • Mandatory on-line standardised certificate status info
  • Other reliability and professionalism requirements similar to Annex II of the eSignature Directive
Electronic signature (1/3)
• Builds on the existing eSignature infrastructure and clarifies concepts related to eSig (natural persons)
• Introduces eSeals (legal persons)
• Allows for full reference to standards
• Clarifies validation of qualified eSignatures
• Ensures long-term preservation
• Allows «server / remote» and «mobile» signing
Electronic Signatures (2/3)
• Definition of eSignature (Art. 3.6):
  • Data in e-form attached to or logically associated with other e-data and which are used by the signatory to sign
  • Natural persons only
  • Advanced eSig (AeS): adapted to allow server signing and make «sole control» manageable
• Legal effect and acceptance of eSignatures (Art. 20):
  • Qualified eSig (QeS) has "equivalent legal effect" to a handwritten signature
  • Mutual recognition and acceptance of QeS
  • Allows for classification of eSignatures with security assurance levels below QeS
  • Security of AeS may be defined via standards
  • Security assurance requirements higher than QeS are forbidden for public services
Trust services (1/2)
• Electronic Seals:
  • Legal persons only (but not identification means)
  • Definition: "data in e-form attached to or logically associated with other e-data to ensure origin and integrity of the associated data"
  • «Mutatis mutandis» like eSignature
• Electronic Time stamping:
  • Legal existence of time stamps
  • Defines qualified time stamps («date certaine»)
• Electronic Documents:
  • Non-discrimination «paper vs e-documents»
  • Admissibility as evidence in legal proceedings, having regard to their assurance level of authenticity and integrity
  • Presumption of authenticity and integrity of Q-signed/sealed eDocuments
Trust services (2/2)
• Qualified electronic delivery service:
  • Legal effect: certainty of cross-border electronic delivery
  • Establishes qualified eDelivery services
  • NB: national legislation to establish legal equivalence of e-delivery and paper registered letter
• Website authentication:
  • Only establishes legal existence of qualified website authentication certificates
Secondary legislation
• Delegated acts (Art. 38):
  • To make the Regulation a technologically neutral and flexible legal instrument vis-à-vis technical evolution and the adoption of new best practices by stakeholders and MS
• Example: Article 15.5
  • The basic act (Article 15.1) aims at ensuring that TSPs set up and document, via a security audit, an appropriate system to manage security risks based on a risk assessment.
  • Should the level of harmonisation ensured by Art. 15.1 be insufficient to guarantee a high level of security, delegated acts may specify, taking into account state-of-the-art practices and standards, what security measures are appropriate in relation to a specific level of risk.
Secondary legislation
• Implementing acts (Art 39):
  • Will replace the Art. 9 Committee (eSig Directive) composed of representatives of Member States
  • "Examination procedure":
    • The Commission may only adopt an implementing act if the committee delivers a positive opinion (qualified majority).
    • In case of a negative opinion, the Commission may either propose an amended version of the draft act within two months, or refer the matter to the appeal committee.
    • If the appeal committee is seized, its opinion must be positive for the draft act to be adopted.
Final provisions
• Art 40: reporting every four years
• Art 41: Repeal of Directive 1999/93/EC
  • SSCDs already certified as SSCDs become QSCDs
  • Existing Q-Certificates will remain valid for max. five years
• Art 42: Entry into force
  • 20 days after official publication following adoption by the European Parliament and Council under the «ordinary procedure» (ex-codecision)
  • Transitional clause probably to be discussed by the co-legislators
Why will it make a difference? (1/2)
• Creates confidence in electronic trust services:
  • Effective state supervision
  • Systematic usage of "trusted lists"
  • De facto world-class «trustmark» for EU qualified services
• Easy eSignature:
  • Harmonisation power of a Regulation
  • Full eSig specification via secondary legislation + standards
• Related trust services:
  • Address clear market needs: eSeals, eDelivery, eDocuments, …
  • Harmonise national legislation: time stamping, eDelivery
  • e-Document admissibility: «big bang» for de-materialisation
  • Website authentication is an implicit expectation of citizens
Why will it make a difference? (2/2)
• Comprehensive "toolbox" of trust-building instruments
• One single legislation across the EU
  • Harmonisation power of a Regulation
• Foster eID usage ("world premiere"):
  • Leverage eID cards and mobile ID infrastructure
  • Reliable eID to allow cross-border eBusiness and enable eGov services
  • Private sector is invited to build on «notified» eIDs
  • Leverage the Large Scale Pilot project STORK
Indicative timeline
[Timeline figure, 2011 to 2016: legislative process (Commission proposal 4.6.2012, Cyprus Presidency report, Parliament + Council adoption); standardisation mandate M460 and standards; delegated/implementing acts and Commission Decisions.]
NB: dates are indicative.
For further information
• Website: http://ec.europa.eu/information_society/policy/esignature
• Draft Regulation: European Commission's "Proposal for a Regulation of the European Parliament and Council on electronic identification and trust services for electronic transactions in the internal market", COM(2012) 238, 4.6.2012, http://ec.europa.eu/information_society/policy/esignature/eu_legislation/regulation
• Impact assessment: SWD(2012)135 and SWD(2012)136