Electronic transactions in the internal market: electronic identification and trust services  
2012/0146(COD) - 03/04/2014  

The European Parliament adopted by 534 votes to 76, with 17 abstentions, a legislative resolution on electronic identification and trust services for electronic transactions in the internal market.

Parliament adopted its position at first reading following the ordinary legislative procedure. The amendments adopted in plenary are the result of an agreement negotiated between the European Parliament and the Council. They amend the proposal as follows:

Purpose: the Regulation seeks to enhance trust in electronic transactions in the internal market by providing a common foundation for secure electronic interaction between businesses, citizens and public authorities, thereby increasing the effectiveness of public and private online services, electronic business and electronic commerce in the Union.

A “trust service” means an electronic service normally provided for remuneration which consists in:

· the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to these services or

· the creation, verification and validation of certificates for website authentication or

· the preservation of electronic signatures, seals or certificates related to these services.

Scope: this Regulation should apply to electronic identification schemes notified by Member States, and to trust service providers established in the Union. This Regulation does not apply to the provision of trust services used exclusively within closed systems resulting from national legislation or from agreements between a defined set of participants.

This Regulation should be applied in full compliance with the principles relating to the protection of personal data provided for in Directive 95/46/EC.

Mutual recognition: electronic identification systems notified according to the Regulation should specify the assurance levels “low”, “substantial” and/or “high” for electronic identification means issued.

The obligation to recognise electronic identification means should only apply when the public sector body in question uses the assurance level “substantial” or “high” in relation to accessing that service online.

Notification of electronic identification systems: systems notified by the Member States should be accompanied by, among other things, the following information: (i) a description of the notified electronic identification scheme, including its assurance levels and the issuer(s) of electronic identification means under that scheme; (ii) the applicable supervisory regime and information on the liability regime with respect to the party issuing the electronic identification means, and the party operating the authentication procedure; (iii) information on the entity or entities which manage the registration of the unique person identification data.

Security breach: when either the electronic identification scheme notified or the authentication is breached or partly compromised in a manner that affects the reliability of the cross border authentication of that scheme, the notifying Member State should suspend or revoke without delay that cross border authentication or the compromised parts concerned and inform other Member States and the Commission.

Liability: Parliament and the Council introduced a new provision whereby the notifying Member State, the party issuing the electronic identification means, as well as the party operating the authentication procedure, would be liable for damage caused intentionally or negligently to any natural or legal person for failing in a cross border transaction to comply with its obligations under the Regulation.

The intention or negligence of a qualified trust service provider should be presumed unless he proves that the damage occurred without the intention or negligence on his part.

Cooperation and interoperability: the national electronic identification schemes notified should be interoperable. The interoperability framework should aim to be technology neutral and should not discriminate between any specific national technical solutions for electronic identification within the Member State. Member States should cooperate as regards the interoperability of electronic identification systems and the security of electronic identification systems.

Third country trust service providers: according to the amended text, trust services provided by trust service providers established in a third country should be recognised as legally equivalent to qualified trust services provided by qualified trust service providers established in the Union if the trust services originating from the third country are recognised under an agreement concluded between the Union and third countries or international organisations.

Accessibility for persons with disabilities: where feasible, trust services provided and end-user products used in the provision of those services should be made accessible for persons with disabilities.

Supervisory body: Member States should designate a supervisory body or supervisory bodies to carry out the supervisory activities under this Regulation. Member States should also be able to decide, upon a mutual agreement with another Member State, to designate a supervisory body in the territory of that other Member State.

Supervisory bodies should cooperate with data protection authorities, for example by informing them about the results of audits of qualified trust service providers, where personal data protection rules appear to have been breached.

Supervision of qualified trust service providers: qualified trust service providers should be audited, at least every 24 months, at their own expense by a conformity assessment body.

EU trust mark: an EU trust mark should be created to identify the qualified trust services provided by qualified trust service providers. The use of an EU trust mark by qualified trust service providers should be voluntary and should not lead to any other requirement than those already provided for in this Regulation.

By 1 July 2015, the Commission should, by means of implementing acts, lay down specifications relating to the form and in particular the presentation, composition, size and design of the EU trust mark for qualified trust services.