PURPOSE: to enhance trust in electronic transactions in the internal market and ensure the mutual recognition of electronic identification, authentication, signatures and other trust services across borders.
LEGISLATIVE ACT: Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
CONTENT: this new Regulation provides a common foundation for secure electronic interaction between citizens, businesses and public authorities, thereby increasing the effectiveness of public and private online services, electronic business and electronic commerce in the Union and enhancing trust in electronic transactions in the internal market.
In doing so, the Regulation:
- lays down the conditions under which Member States recognise electronic identification means of natural and legal persons falling under a notified electronic identification scheme of another Member State;
- lays down rules for trust services, in particular for electronic transactions; and
- establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services and certificate services for website authentication.
System for mutual recognition of electronic identification: the new rules require member states to recognise, under certain conditions, means of electronic identification of natural and legal persons falling under another Member State's electronic identification scheme which has been notified to the Commission. It is up to the Member States to choose whether they want to notify all, some or none of the electronic identification schemes used at national level to access at least public online services or specific services. These rules only cover cross-border aspects of electronic identification, and issuing means of electronic identification remains a national prerogative.
Conditions for mutual recognition: the principle of mutual recognition should apply if the notifying Member State’s electronic identification scheme meets the conditions of notification and the notification was published in the Official Journal of the European Union.
The obligation to recognise electronic identification should only apply when the public sector body in question uses the assurance level ‘substantial’ or ‘high’ in relation to accessing that service online.
This Regulation should provide for the liability of the notifying Member State, the party issuing the electronic identification means and the party operating the authentication procedure for failure to comply with the relevant obligations under this Regulation.
In the case of a breach of security, the notifying Member State shall, without delay, suspend or revoke that cross-border authentication or the compromised parts concerned, and shall inform other Member States and the Commission.
Member States should cooperate with regard to the security and interoperability of the electronic identification schemes at Union level through the exchange of information and the sharing of best practices between Member States.
Timeline for mutual recognition: those Member States which so wish may join the scheme for recognising each others' notified e-identification means as soon as the necessary implementing acts are in place. This is expected to take place on 18 September 2015 at the latest. The mandatory mutual recognition is expected to kick off in the second half of 2018.
Trustworthy services: Directive 1999/93/EC of the European Parliament and of the Council dealt with electronic signatures without delivering a comprehensive cross-border and cross-sector framework for secure, trustworthy and easy-to-use electronic transactions. This Regulation enhances and expands the acquis of that Directive.
More specifically, the new Regulation also introduces, for the first time, EU-wide rules concerning trust services, such as the creation and verification of electronic time stamps and electronic registered delivery services, or the creation and validation of certificates for website authentication.
Trust services which comply with the regulation can circulate freely within the single market. In addition, an EU trust mark will be created to identify trust services which meet certain strict requirements. Trust services provided by trust service providers established in a third country shall be recognised as legally equivalent to qualified trust services provided by qualified trust service providers established in the Union where the trust services originating from the third country are recognised under an agreement concluded between the Union and the third country in question or an international organisation.
Where feasible, trust services provided and end-user products used in the provision of those services shall be made accessible for persons with disabilities.
An EU trust mark should be created to identify the qualified trust services provided by qualified trust service providers. The use of the trust mark will be voluntary.
Supervisory body: Member States should designate a supervisory body or supervisory bodies to carry out the supervisory activities under this Regulation.
Supervisory bodies should cooperate with data protection authorities, for example by informing them about the results of audits of qualified trust service providers, where personal data protection rules appear to have been breached.
Supervision of qualified trust service providers: qualified trust service providers should be audited, at least every 24 months, at their own expense by a conformity assessment body
The Commission shall review the application of this Regulation and shall report to the European Parliament and to the Council no later than 1 July 2020.
ENTRY INTO FORCE: 17.09.2014. The Regulation shall apply from 1 January 2016.
DELEGATED ACTS: the Commission may adopt delegated acts to adopt the regulatory technical standards. Power to adopt such acts is conferred on the Commission for an indeterminate period of time from 17 September 2014. The European Parliament or the Council may formulate objections to a delegated act within a period of two months of notification of that act (that period may be extended by two months). If Parliament or Council raise objections, the delegated act will not enter into force.