Cross-Border Online Signatures

The European Commission has moved to create a reliable system for cross-border electronic identification in the EU – that is, a person in one country being able to provide an officially recognised signature to a service or authority in another country.

Rather than seek to impose an EU-wide technical standard, the approach is to require mutual recognition by Member States of their existing e-signature systems. These would be notified to the Commission and included in an official list; each national system on the list must then be able to recognise and accept signatures coming from another.

The new Regulation would, of course, set technical standards to ensure a functioning interoperability layer between national identity systems while leaving to Member States the competency of determining and controlling the technology of their own identity systems.

The current rules only cover electronic signatures and their legal recognition; the new rules would extend the scope to other electronic instruments such as electronic seals or stamps. A European framework for the recognition of national electronic identification schemes would be created, and Member States would be allowed to participate in it provided that they fulfil certain conditions. The purpose is to boost cross-border electronic transactions in Europe.

Member States would be able to provide a “qualified status” to trust service providers that comply with the requirements set out in the proposed rules. Qualified service providers would be allowed to issue qualified electronic identification certificates, which are supposed to reach high quality and security standards and would enjoy legal advantages.

Scope

The proposed Regulation would lay down rules for electronic identification and electronic trust services. It would also create a framework under which Member States can notify their electronic identification schemes for recognition within the EU.

It would establish a framework for the mutual recognition of trust service providers and the conditions for the cross-border operability of different electronic identification/documentation instruments. It would also set out rules on a qualified status for trust service providers, which would mean the inclusion of the service in a public trusted list.

It would not apply to (1) trust services based on voluntary agreements under private law or (2) the validity of contracts.

Notification scheme

Member States interested in the cross-border recognition of their electronic identification schemes would notify them to the Commission. The schemes would be examined and, if approved, published in an official list.

Under such schemes, the electronic identification means must be issued by, or on behalf of, the notifying Member State and must be used at least to access public services. Member States would be required to cooperate to ensure the interoperability of their electronic identification schemes.

The notifying Member State would be required to make available an online mechanism to check the validity of any electronic identification data; this mechanism must be available at any time and free of charge. It would not be permitted to impose any specific technical requirement on users interested in using the online validation mechanism from a different Member State.

Mutual Recognition of national schemes

If a Member State requires electronic identification for the online access to a public service, it would be obliged to recognise and accept any electronic identification means issued in another Member State included in the official list.

Supervisory body

Member States would have to designate a supervisory body in charge of monitoring the activities of trust service providers operating in their territory; in particular, the supervisory body would have to ensure compliance with security requirements.

The proposed Regulation would set out security requirements applicable to all trust service providers, e.g. in case of a security breach, the service provider must notify the competent supervisory body within 24 hours. In this regard, the supervisory body would have powers to issue binding instructions.

Qualified Status

Supervisory bodies will grant a qualified status to trust service providers that comply with certain requirements (the qualified status would not be necessary to provide electronic identification services). Those qualified services would be included in a public trusted list.

In order to apply for the qualified status, a trust service provider shall provide the supervisory body with a security audit report carried out by a recognised independent body. Once the status is granted, qualified trust service providers must be subject to audits on an annual basis to confirm that they keep on fulfilling the qualifying requirements.

Member States would have to publish a trusted list with information related to the trust service providers holding a qualified status.

Requirements for Qualified Trust Service Providers

Apart from the basic obligation on the verification of the identity of the person to whom qualified services are provided, they would be required to comply with the following criteria:
• employ staff who possess the necessary expertise regarding security and personal data protection rules;
• bear the risk of liability for damage;
• use trustworthy systems to store data;
• take measures against forgery and theft of data;
• record for an appropriate period of time all relevant information concerning data issued and received, particularly for the purpose of providing evidence in legal proceedings;
• have an updated termination plan to ensure continuity of service;
• ensure lawful processing of data.

The supervisory body would be responsible for the supervision of qualified trust service providers established in that territory. It may at any time audit a qualified trust service provider to confirm compliance with the requirements set out in the proposed rules. In the case of non-compliance, the supervisory body would have the power to issue binding instructions aimed at remedying the failure to fulfil the requirements. If the qualified service does not remedy the failure, it would lose its qualified status.

Electronic identification instruments

Electronic identification instruments are electronic reproductions of signatures, seals, documents or stamps. The proposed Regulation would set out a general prohibition on denying electronic identification instruments legal effect and admissibility as evidence in legal proceedings on the sole grounds that they are in electronic form.

For qualified electronic instruments, the proposed rules would lay down further privileges:
1. Principle that qualified electronic signatures have legal effect equivalent to that of handwritten signatures,
2. Legal presumption of ensuring the origin and integrity of the data to which a qualified electronic identification instrument is linked,
3. Legal presumption of the integrity of the data and the accuracy of the date and time indicated by a qualified electronic delivery system,
4. Mutual recognition of qualified electronic instruments among Member States.

Qualified Requirements for electronic identification instruments

The proposed regulation would set out technical requirements that qualified trust service providers must observe in order to provide qualified electronic certificates on the following electronic instruments or services:
• Electronic signatures, which must be created by a certified device fulfilling certain technical and security requirements. It must contain a link capable of identifying the issuing qualified trust service provider. 
• Electronic documents: an electronic document is a document bearing an electronic signature or an electronic seal.
• Electronic stamps, which must be accurately linked to Coordinated Universal Time (UTC).
• Electronic seals, which must be created by a certified device fulfilling certain technical and security requirements. It must contain a link capable of identifying the issuing qualified trust service provider.
• Electronic delivery services, which must be provided by a system complying with certain security conditions.

Website authentication

The proposed Regulation would set out requirements for qualified certificates for website authentication. Such qualified certificates would be recognised and accepted in all Member States.

The qualified certificates for websites would contain: information about the address of the legal person to whom the certificate was issued, the domain name(s) operated by the legal person and an electronic seal that is uniquely linked to the issuing qualified trust service provider.