PURPOSE: to enhance trust in electronic transactions in the internal market and ensure the mutual recognition of electronic identification, authentication, signatures and other trust services across borders.
PROPOSED ACT: Regulation of the European Parliament and of the Council.
BACKGROUND: building trust in the online environment is key to economic development.
The existing EU legislation, namely Directive 1999/93/EC on a Community framework for electronic signatures, essentially covers electronic signatures only.
There is no comprehensive EU cross-border and cross-sector framework for secure, trustworthy and easy-to-use electronic transactions that encompasses electronic identification, authentication and signatures.
The Digital Agenda for Europe identifies existing barriers to Europe’s digital development and proposes legislation on e-signatures and the mutual recognition of eIdentification and authentication, establishing a clear legal framework so as to eliminate fragmentation and the lack of interoperability, enhance digital citizenship and prevent cybercrime. Legislation ensuring the mutual recognition of electronic identification and authentication across the EU is also a key action in the Single Market Act, as well as the Roadmap for Stability and Growth. The European Parliament stressed the importance of the security of electronic services, especially of electronic signatures, and of the need to create a public key infrastructure at pan-European level, and called on the Commission to set up a European validation authorities gateway to ensure the cross-border interoperability of electronic signatures and to increase the security of transactions carried out using the internet.
The aim of this proposal is to enhance existing legislation and to expand it to cover the mutual recognition and acceptance at EU level of notified electronic identification schemes and other essential related electronic trust services.
IMPACT ASSESSMENT: three sets of policy options were assessed, dealing respectively with (1) the scope of the new framework, (2) the legal instrument and (3) the level of supervision required. The preferred policy option proved to be enhancing legal certainty, boosting coordination of national supervision, ensuring mutual recognition and acceptance of electronic identification schemes and incorporating essential related trust services. The impact assessment concluded that doing this would lead to considerable improvements to legal certainty, security and trust in terms of cross-border electronic transactions, resulting in less fragmentation of the market.
LEGAL BASIS: Article 114 of the Treaty on the Functioning of the European Union (TFEU).
CONTENT: the proposed regulation seeks to enable secure and seamless electronic interactions between businesses, citizens and public authorities, thereby increasing the effectiveness of public and private online services, e-business and electronic commerce in the EU.
The main points of the proposal are as follows:
1) Electronic identification: the proposal provides for the mutual recognition and acceptance of electronic identification means falling under a scheme, which will be notified, to the Commission on the conditions laid down in the Regulation. It does not oblige Member States to introduce or notify electronic identification schemes, but to recognise and accept notified electronic identifications for those online services where electronic identification is required to get access at national level.
Electronic identification schemes shall be eligible for notification if all five of the following conditions are met:
· the electronic identification means are issued by, on behalf of or under the responsibility of the notifying Member State;
· the electronic identification means can be used to access at least public services requiring electronic identification in the notifying Member State;
· Member States must ensure an unambiguous link between the electronic identification data and the person concerned;
· the notifying Member State ensures the availability of an authentication possibility online, at any time and free of charge. No specific technical requirements, such as hardware or software can be imposed on the parties relying on such authentication;
· Member States must accept liability for the unambiguity of the link (i.e. that the identification data attributed to the person are not linked to any other person) and the authentication possibility (i.e. the possibility to check the validity of the electronic identification data).
The proposal also aims to ensure the technical interoperability of the notified identification schemes through a coordination approach, including delegated acts.
2) Trust services: the proposal sets out the principles relating to the liability of both non-qualified and qualified trust service providers. It builds on Directive 1999/93/EC and extends entitlement to compensation of damage caused by any negligent trust service provider for failure to comply with security good practices which result in a security breach which has a significant impact on the service. It also describes the mechanism for the recognition and acceptance of qualified trust services provided by a provider established in a third country.
3) Supervision: the proposal (i) requires Member States to establish supervisory bodies, clarifying and enlarging the remit of the latter with regard to both trust service providers and qualified trust service providers; (ii) introduces an explicit mechanism of mutual assistance between supervisory bodies in Member States to facilitate the cross-border supervision of trust service providers; (iii) introduces an obligation for both qualified and non-qualified trust service providers to implement appropriate technical and organisational measures for the security of their activities ; (iv) sets out the conditions for the supervision of qualified trust service providers and qualified trust services provided by them ; (v) provides for the establishment of trusted lists containing information on qualified trust service providers who are subject to supervision and to the qualified services they offer.
4) Electronic signature: the proposal enshrines the rules related to the legal effect of natural persons’ electronic signatures, introducing an explicit obligation to give to qualified electronic signatures the same legal effect as handwritten signatures. Furthermore, Member States must ensure the cross-border acceptance of qualified electronic signatures, in the context of the provision of public services.
The proposal also sets out: the requirements for qualified signature certificates and the requirements for qualified electronic signature creation devices; the conditions for qualified validation services, and the condition for the long-term preservation of qualified electronic signatures.
5) Electronic seals: the provisions concern the legal effect of electronic seals of legal persons. A specific legal presumption is bestowed on a qualified electronic seal which guarantees the origin and integrity of electronic documents to which it is linked.
6) Electronic time stamp: a specific legal presumption is bestowed on qualified electronic time stamps with regard to the certainty of the time.
7) Electronic documents: there is a specific legal presumption of the authenticity and integrity of any electronic document signed with a qualified electronic signature or bearing a qualified electronic seal. With regard to the acceptance of electronic documents, when an original document or a certified copy is required for the provision of a public service, at the least electronic documents issued by the persons who are competent to issue the relevant documents and that are considered to be originals or certified copies in accordance with national law of the Member State of origin, shall be accepted in other Member States without additional requirements.
8) Website authentication: the proposal ensures that the authenticity of a website with respect to the owner of the site will be guaranteed.
BUDGETARY IMPLICATION: EUR 9 408 million for the period 2014-2020 (human resources). The specific budgetary implications of the proposal relate to the tasks allocated to the European Commission. The proposal has no implications on operational expenditure.
DELEGATED ACTS: the proposal contains provisions empowering the Commission to adopt delegated acts in accordance with Article 290 of the Treaty on the Functioning of the EU.