Explanatory Memorandum to COM(2012)238 - Electronic identification and trust services for electronic transactions in the internal market

1. CONTEXT OF THE PROPOSAL

This memorandum explains a proposed legal framework designed to enhance trust in electronic transactions in the internal market.

Building trust in the online environment is key to economic development. Lack of trust makes consumers, businesses and administrations hesitate to carry out transactions electronically and to adopt new services.

The Digital Agenda for Europe identifies existing barriers to Europe’s digital development and proposes legislation on e-signatures (Key Action 3) and the mutual recognition of e-identification and authentication (Key Action 16), establishing a clear legal framework so as to eliminate fragmentation and the lack of interoperability, enhance digital citizenship and prevent cybercrime. Legislation ensuring the mutual recognition of electronic identification and authentication across the EU, together with the review of the Directive on Electronic Signatures, is also a key action in the Single Market Act for the realisation of the digital single market. The Roadmap for Stability and Growth underlines the key role that a future common legal framework for the mutual recognition and acceptance of electronic identification and authentication across borders will play in the development of the digital economy.

The proposed legal framework, consisting of a ‘Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market’, seeks to enable secure and seamless electronic interactions between businesses, citizens and public authorities, thereby increasing the effectiveness of public and private online services, e-business and electronic commerce in the EU.

The existing EU legislation, namely Directive 1999/93/EC on a ‘Community framework for electronic signatures’[4], essentially covers electronic signatures only. There is no comprehensive EU cross-border and cross-sector framework for secure, trustworthy and easy-to-use electronic transactions that encompasses electronic identification, authentication and signatures.

The aim is to enhance existing legislation and to expand it to cover the mutual recognition and acceptance at EU level of notified electronic identification schemes and other essential related electronic trust services.

2. RESULTS OF CONSULTATIONS WITH INTERESTED PARTIES AND IMPACT ASSESSMENTS


This initiative is the result of extensive consultations on a review of the current legal framework on electronic signatures in the course of which the Commission gathered feedback from Member States, the European Parliament and other stakeholders[5]. An online public consultation was complemented by an ‘SME Test Panel’ to identify the specific views and needs of SMEs; and other targeted consultations with stakeholders[6],[7]. The Commission also launched a number of studies in relation to electronic identification, authentication, signature and related trust services (eIAS).

The consultations made clear that a large majority of stakeholders agreed on the need to review the current framework to fill the gaps left by the electronic signature Directive. It was felt that this would better respond to challenges posed by the rapid development of new technologies (particularly online and mobile access) and by increased globalisation, while maintaining the technological neutrality of the legal framework.

In line with its ‘Better Regulation’ policy, the Commission conducted an impact assessment of policy alternatives. Three sets of policy options were assessed, dealing respectively with the scope of the new framework, the legal instrument and the level of supervision required[8]. The preferred policy option proved to be enhancing legal certainty, boosting coordination of national supervision, ensuring mutual recognition and acceptance of electronic identification schemes and incorporating essential related trust services. The impact assessment concluded that doing this would lead to considerable improvements to legal certainty, security and trust in terms of cross-border electronic transactions, resulting in less fragmentation of the market.

3. LEGAL ELEMENTS OF THE PROPOSAL

3.1 Legal Basis


This proposal is based on Article 114 TFEU, which concerns the adoption of rules to remove existing barriers to the functioning of the internal market. Citizens, businesses and administrations will be able to benefit from the mutual recognition and acceptance of electronic identification, authentication, signatures and other trust services across borders when needed for the access and completion of electronic procedures or transactions.

A Regulation is considered to be the most appropriate legal instrument. The direct applicability of a Regulation pursuant to Article 288 TFEU will reduce legal fragmentation and provide greater legal certainty by introducing a harmonised set of core rules contributing to the functioning of the internal market.


3.2 Subsidiarity and proportionality


In order for EU action to be justified, the subsidiarity principle must be respected:


a) Transnational nature of the problem (necessity test)


The transnational nature of eIAS requires EU action. Domestic (i.e. national) action alone would not suffice to meet the objectives, nor to achieve the targets set out in the Europe 2020 Strategy[9]. Conversely, experience has shown that national measures have de facto created barriers to the EU-wide interoperability of electronic signatures, and that they are currently having the same effect on electronic identification, electronic authentication and related trust services. It is therefore necessary for the EU to create an enabling framework to address cross-border interoperability and to improve the coordination of national supervision schemes. However, electronic identification cannot be addressed in the proposed Regulation in the same generic manner as the other electronic trust services, because issuing means of identification is a national prerogative. The proposal therefore focuses strictly on the cross-border aspects of electronic identification.

The proposed Regulation creates a level playing field for businesses providing trust services, where the currently existing differences in national legislation often lead to legal uncertainty and additional burden. Legal certainty is significantly increased through clear obligations on Member States to accept qualified trust services, which will create an additional incentive for businesses to go abroad. For example, a company will be able to participate electronically in a public call for tenders launched by the administration of a different Member State without its electronic signature being blocked by specific national requirements and interoperability problems. Similarly, a company will have the opportunity to sign contracts electronically with a counterpart based in a different Member State without fearing different legal requirements for trust services such as electronic seals, electronic documents or time stamping. Moreover, a notice of default will be delivered from one Member State to another with the certainty of its legal validity in both Member States. Finally, online commerce will be more trustworthy when shoppers have the means to verify that they are indeed accessing the website of the merchant of their choice rather than a possibly fake website.

Mutually recognised electronic identification means and widely accepted electronic signatures will facilitate the cross-border provision of numerous services in the internal market and enable businesses to operate across borders without facing obstacles in their interactions with public authorities. In practice this will mean significant efficiency improvements for both businesses and citizens when complying with administrative formalities: for example, a student will be able to enrol electronically in a university abroad, a citizen to submit a tax declaration online to another Member State, and a patient to access his or her health data online. Without such mutually recognised electronic identification means, a doctor will not be able to access the patient's medical data needed to treat him or her, and the medical and laboratory tests that the patient has already undergone will have to be repeated.


b) Added value (effectiveness test)


The objectives outlined above are currently not being achieved by voluntary coordination among Member States, nor is this reasonably likely to happen in the future. The result is duplication of effort, the setting of divergent standards, transnational spill-over effects generated by ICT, and the administrative complexity of establishing such coordination by way of bilateral and multilateral agreements.

In addition, the need to overcome problems such as (a) an absence of legal certainty due to heterogeneous national provisions stemming from divergent interpretations of the electronic signature Directive and (b) a lack of interoperability between the electronic signature systems set up at national level due to the non-uniform application of technical standards requires a kind of coordination across EU Member States which can be achieved more effectively at EU level.


3.3 Detailed explanation of the proposal


3.3.1 CHAPTER I – GENERAL PROVISIONS

Article 1 defines the subject matter of the Regulation.

Article 2 defines the material scope of the Regulation.

Article 3 contains definitions of the terms used in the Regulation. While some definitions are taken over from Directive 1999/93/EC, others are clarified, complemented with additional elements, or newly introduced.

Article 4 determines the internal market principles with regard to the territorial application of the Regulation. Explicit mention is made of the imposition of no restrictions on the freedom to provide services and the free circulation of products.

3.3.2 CHAPTER II – ELECTRONIC IDENTIFICATION

Article 5 provides for the mutual recognition and acceptance of electronic identification means falling under a scheme which will be notified to the Commission on the conditions laid down in the Regulation. Most EU Member States have introduced some form of electronic identification system. However, they differ in many aspects. The lack of a common legal basis requiring each Member State to recognise and accept electronic identification means issued in other Member States to access online services, along with the inadequate cross-border interoperability of national electronic identifications, creates barriers which prevent citizens and businesses from benefiting fully from the digital single market. The mutual recognition and acceptance of any electronic identification means falling under a notified scheme under this Regulation removes these legal barriers.

The Regulation does not oblige Member States to introduce or notify electronic identification schemes, but to recognise and accept notified electronic identifications for those online services where electronic identification is required to get access at national level. The potential increase of economies of scale created through the cross-border use of notified electronic identification means and authentication systems may stimulate Member States to notify their electronic identification schemes.

Article 6 sets out the five conditions for the notification of electronic identification schemes:

Member States can notify the electronic identification schemes that they accept under their jurisdiction where electronic identification is required for public services. A further requirement is that the respective electronic identification means must be issued by, on behalf of or at least under the responsibility of the Member State notifying a scheme.

Member States must ensure an unambiguous link between the electronic identification data and the person concerned. This obligation does not mean that a person cannot have multiple electronic identification means, but they must all link to the same person.

The reliability of an electronic identification depends on the availability of means of authentication (i.e. the possibility to check the validity of the electronic identification data). The Regulation obliges the notifying Member States to provide online authentication free of charge vis-à-vis third parties. The authentication possibility must be available without interruption. No specific technical requirements, such as hardware or software can be imposed on the parties relying on such authentication. This provision does not apply to any requirements vis-à-vis the users (holders) of the electronic identification means that are technically necessary for the use of the electronic identification means, such as card readers.

Member States must accept liability for the unambiguity of the link (i.e. that the identification data attributed to the person are not linked to any other person) and the authentication possibility (i.e. the possibility to check the validity of the electronic identification data). The liability of Member States does not cover other aspects of the identification process or any transaction that requires identification.

Article 7 contains rules on notifying the Commission of electronic identification schemes.

Article 8 aims to ensure the technical interoperability of the notified identification schemes through a coordination approach, including delegated acts.

3.3.3 CHAPTER III – TRUST SERVICES

3.3.3.1 Section 1 – General provisions

Article 9 sets out the principles relating to the liability of both non-qualified and qualified trust service providers. It builds on Article 6 of Directive 1999/93/EC and extends entitlement to compensation of damage caused by any negligent trust service provider for failure to comply with security good practices which result in a security breach which has a significant impact on the service.

Article 10 describes the mechanism for the recognition and acceptance of qualified trust services provided by a provider established in a third country. It builds on Article 7 of Directive 1999/93/EC but retains only the one practically feasible option, which is to allow such recognition under an international agreement between the European Union and third countries or international organisations.

Article 11 sets out the principles of data protection and minimisation. It builds on Article 8 of Directive 1999/93/EC.

Article 12 makes trust services accessible to disabled people.

3.3.3.2 Section 2 – Supervision

Article 13 obliges Member States to establish supervisory bodies, based on Article 3 of Directive 1999/93/EC, clarifying and enlarging their remit with regard to both trust service providers and qualified trust service providers.

Article 14 introduces an explicit mechanism of mutual assistance between supervisory bodies in Member States to facilitate the cross-border supervision of trust service providers. It introduces rules on joint operations and supervisory authorities’ right to participate in such operations.

Article 15 introduces an obligation for both qualified and non-qualified trust service providers to implement appropriate technical and organisational measures for the security of their activities. Furthermore, the competent supervisory bodies and other relevant authorities must be informed of any security breaches. If appropriate, they will in turn inform other Member States’ supervisory bodies and will, directly or via the trust service provider concerned, inform the public.

Article 16 sets out the conditions for the supervision of qualified trust service providers and qualified trust services provided by them. It obliges qualified trust service providers to be audited on a yearly basis by a recognised independent body to confirm to the supervisory body that they fulfil the obligations laid down in the Regulation. Moreover, Article 16 gives the supervisory body the right to carry out on-the-spot audits of the qualified trust service providers at any time. The supervisory body is also empowered to issue binding instructions to qualified trust service providers to remedy, in a proportionate manner, any failure to meet an obligation revealed by a security audit.

Article 17 concerns the activity carried out by the supervisory body at the request of a trust service provider wishing to initiate a qualified trust service.

Article 18 provides for the establishment of trusted lists[10] containing information on qualified trust service providers who are subject to supervision and to the qualified services they offer. This information must be made publicly available through a common template in order to facilitate its automated use and ensure an appropriate level of detail.

Article 19 sets out the requirements the qualified trust service providers must meet in order to be recognised as such. It draws on Annex II of Directive 1999/93/EC.

3.3.3.3 Section 3 – Electronic signature

Article 20 enshrines the rules related to the legal effect of natural persons’ electronic signatures. It clarifies and expands Article 5 of Directive 1999/93/EC introducing an explicit obligation to give to qualified electronic signatures the same legal effect as handwritten signatures. Moreover, Member States must ensure the cross-border acceptance of qualified electronic signatures, in the context of the provision of public services, and they must not introduce any additional requirements which might result in barriers to the use of such signatures.

Article 21 sets out the requirements for qualified signature certificates. It clarifies Annex I of Directive 1999/93/EC and removes provisions which did not work in practice (e.g. limitations on transactions value).

Article 22 sets out the requirements for qualified electronic signature creation devices. It clarifies the requirements for secure signature creation devices laid down in Article 3(5) of Directive 1999/93/EC, which now have to be considered as qualified signature creation devices under this Regulation. It also makes it clear that the scope of a signature creation device can be much wider than just something containing signature creation data. The Commission may also establish a list of reference numbers of standards for security requirements on devices.

Article 23, building on Article 3 i of Directive 1999/93/EC, introduces the concept of certification of qualified electronic signature devices to determine their conformity with the security requirements laid down in Annex II. These devices must be recognised by all Member States as matching the requirements when a certification procedure is conducted by a certification body designated by a Member State. The Commission will publish a positive list of such certified devices according to Article 24. The Commission may also establish a list of reference numbers of standards for the security assessment of information technology products referenced in Article 23.

Article 24 concerns publication of a list of qualified electronic signature creation devices by the Commission after notification of conformity by the Member States.

Article 25 builds on the recommendations of Annex IV of Directive 1999/93/EC to lay down binding requirements for the validation of qualified electronic signatures with a view to increasing the legal certainty of such a validation.

Article 26 sets out the conditions for qualified validation services.

Article 27 sets out the conditions for the long-term preservation of qualified electronic signatures. This is made possible by the use of procedures and technologies capable of extending the trustworthiness of the qualified electronic signature validation data beyond the period of their technological validity, after which forgery may become easy for cyber criminals.

3.3.3.4 Section 4 – Electronic seals

Article 28 concerns the legal effect of electronic seals of legal persons. A specific legal presumption is bestowed on a qualified electronic seal which guarantees the origin and integrity of electronic documents to which it is linked.

Article 29 sets out the requirements for qualified certificates for electronic seals.

Article 30 sets out the requirements for, the certification of, and the publication of a list of qualified electronic seal creation devices.

Article 31 sets out the conditions for the validation and preservation of qualified electronic seals.

3.3.3.5 Section 5 – Electronic time stamp

Article 32 concerns the legal effect of electronic time stamps. A specific legal presumption is bestowed on qualified electronic time stamps with regard to the certainty of the time.

Article 33 sets out the requirements for qualified electronic time stamps.

3.3.3.6 Section 6 – Electronic documents

Article 34 is related to the legal effects and the conditions of acceptance of electronic documents. There is a specific legal presumption of the authenticity and integrity of any electronic document signed with a qualified electronic signature or bearing a qualified electronic seal. With regard to the acceptance of electronic documents, when an original document or a certified copy is required for the provision of a public service, at least electronic documents issued by the persons who are competent to issue the relevant documents and that are considered to be originals or certified copies in accordance with national law of the Member State of origin, shall be accepted in other Member States without additional requirements.

3.3.3.7 Section 7 – Electronic delivery services

Article 35 concerns the legal effect of data sent or received using an electronic delivery service. A specific legal presumption regarding the integrity of data which are sent or received and the accuracy of the time on which the data are sent or received is guaranteed for qualified electronic delivery services. It also ensures the mutual recognition of qualified electronic delivery services at EU level.

Article 36 sets out the requirements for qualified electronic delivery services.

3.3.3.8 Section 8 – Website authentication

This section is intended to ensure that the authenticity of a website with respect to the owner of the site will be guaranteed.

Article 37 sets out the requirements for qualified certificates for website authentication, which can be used to guarantee the authenticity of a website. A qualified certificate for website authentication will provide a minimal set of trustworthy information on the website and on the legal existence of its owner.

3.3.4 CHAPTER IV – DELEGATED ACTS

Article 38 contains the standard provisions for exercising the delegations in line with Article 290 TFEU (delegated acts). This allows the legislator to delegate to the Commission the power to adopt non-legislative acts of general application to supplement or amend certain non-essential elements of a legislative act.

3.3.5 CHAPTER V – IMPLEMENTING ACTS

Article 39 contains the provision covering the Committee procedure needed to confer implementing powers on the Commission wherever, in accordance with Article 291 TFEU, uniform conditions for implementing legally binding acts of the Union are needed. The examination procedure applies.

3.3.6 CHAPTER VI – FINAL PROVISIONS

Article 40 obliges the Commission to evaluate the Regulation and report on its findings.

Article 41 repeals Directive 1999/93/EC and provides for the smooth transition of the existing electronic signature infrastructure to the new requirements of the Regulation.

Article 42 sets out the date of the entry into force of the Regulation.

4. BUDGETARY IMPLICATIONS

The specific budgetary implications of the proposal relate to the tasks allocated to the European Commission as specified in the legislative financial statements accompanying this proposal.

The proposal has no implications on operational expenditure.

The legislative financial statement accompanying this proposal for a Regulation covers the budgetary impacts for the Regulation itself.