Annexes to COM(2006)120 - Report on the operation of Directive 1999/93/EC on a Community framework for electronic signatures

Annex I, II and III.

The “signatory” is identified in the Directive as “a person who holds the signature creation device and acts either on his own behalf or on behalf of the natural or legal person or entity he represents”. Though the Directive does not state that the electronic signature has to refer to a natural person, the signatory of a qualified electronic signature (Article 5.1 of the Directive) can only be a natural person, as this form of signature is considered as the equivalent of the handwritten signature.[7]

2.3.3. Internal market issues

To promote the emergence of the internal market for certification products and services and to ensure that a Certification Service Provider (CSP) established in one Member State can provide services in another Member State, Article 3 states that market access shall not be subject to prior authorisation. In order to ensure that Certification Service Providers that issue qualified certificates to the public comply with the requirements laid down in the Annexes, Member States do, however, have to establish appropriate systems for supervision. No mandatory requirements are imposed on supervision systems. Different models have been implemented by Member States, which up to now operate mainly in their country of origin and have not proved to be a source of barriers. A rise in cross-border certification services could, however, be affected by the divergences between the Member States' systems.

As regards the cross-border provision of certification services in the internal market, no restriction can be imposed on certification services provided from another Member State.

2.3.4 Legal recognition

Article 5.2 establishes the general principle of the legal recognition of all kinds of electronic signatures established by the Directive.

It requires Member States to ensure that the qualified electronic signature (Article 5.1) is recognised as meeting the legal requirements of hand-written signatures and that it is admissible as evidence in legal proceedings in the same way as hand-written signatures are in relation to traditional documents.

Concerning the legal effect of e-signatures, there is yet no representative case law that allows for any assessment of the recognition of electronic signatures in practice.

3. EFFECT OF THE DIRECTIVE ON THE INTERNAL MARKET

3.1. General remarks on the relationship between the Directive and market development

With the adoption of the Directive, there were some expectations that this legislation would help the market for electronic signatures to take off. Generally legislation is not introduced to create market demand, nor was it in the case of the Directive. The Directive should, however, grant greater legal security with respect to the use of electronic signatures and related services. In that respect the Directive could provide a platform of trust that would have allowed for the market to take off.

Although the Study focussed its investigations on the use of advanced or qualified electronic signatures and found a very slow take up, it showed that many other electronic signature applications had become available that use the simpler form of electronic signatures.

3.2. The market for electronic certificates: applications in use

The two dominating electronic signature applications are related to e-government and personal e-banking services. Many Member States and several other European countries have launched e-government applications or are planning to do so. A number of these e-government applications are based on the use of electronic ID cards. The electronic ID card can be used both as an identification document and to provide on-line access to public services for the citizens. In most cases these ID cards will contain the three functionalities: identification, authentication and signing.

The other major application for electronic signatures - personal e-banking - is now taking off in most EU countries. Most of the authentication systems for personal e-banking services are relying on one-time passwords (OTP) and tokens, which means the simplest form of electronic signature according to the Directive. Many e-banking applications are only using these technologies for authentication of the user but electronic signing of transactions is increasing. For corporate e-banking (business-to-business) and inter-bank clearing, it is more common to use smart cards which are considered to provide a higher level of security.

At the same time, the spectrum of services requiring a level of authentication corresponding to the simple form of electronic signature is being widened in several Member States.

3.3. Technological developments

3.3.1. Standardisation

Article 3.5 of the Directive allows the Commission to establish and publish reference numbers of “generally recognised standards”[8] for e-signature products. As a consequence, an e-signature product that meets those standards is presumed to comply with the requirements laid down in Annex II f) and in Annex III.

The Commission issued a mandate to the European Standards Organisations to carry out the standardisation work. EESSI (European Electronic Signature Standardisation Initiative, composed by members from CEN/ISSS and ETSI) was set up and produced standards for e-signature products and services.[9]

In July 2003, the Commission published a Decision based on Article 3.5 of the Directive[10] including references to CEN standards (CWAs) for the requirements related to the creation of qualified electronic signatures. The validity of CWAs expires after three years of their publication; however, CEN can extend their validity for another term if needed.

According to Article 3.5, other standards can also be developed and accepted by the Commission to fulfil the requirements of the Directive as long as they can be considered to be “generally recognised standards”. In general, the requirements of the Annexes can also be fulfilled by other standards than those referenced in the OJ.

It is important for the market that future standardisation work takes into account new technological developments as in the future, users will move their e-signature key from device to device in a connected world.

3.3.2. Technological challenges

There is no simple answer to why the market for electronic signatures has not developed faster, but the market is facing a number of technical challenges. One frequently highlighted problem that could contribute to the slow take up of advanced or qualified electronic signatures in Europe is the complexity of the PKI technology. The often stressed advantage of PKI is that this technology uses the system of the “trusted third party” which allows parties that have never met to trust each other on the internet. In many of the current applications there seems, however, to be little interest from the service providers, essentially for liability reasons, to allow their customers to use their authentication device for other services. This is probably why the use of different one-time passwords (OTPs) is still dominating the market and there is little indication of this changing in the near future.

Other factors could explain this slow take up: the lack of provisions in the Directive on criteria for electronic signature verification services to be provided by the CSP to the end user, and the lack of provisions regarding the mutual recognition between CSPs. Depending on the country, there are various solutions to validate a certificate such as the Root CA, the Bridge CA and the Trust Status List. In the framework of cross-border eGovernment transactions, in the IDA II Programme, action on Bridge/Gateway Certification Authority[11] has resulted in a Bridge/Gateway CA Pilot project which has identified not only technological problems but also legal and organisational ones.

The lack of technical interoperability at national and at cross-border level causes another obstacle for the market acceptance of e-signatures. It has resulted in many “isolated” islands of e-signature applications, where certificates can only be used for one single application. EESSI has worked on common interoperability standards but most of the Member states have specified national standards in order to promote interoperability.[12]

Today, in the PKI environment, the smart card is the most widely used signature-creation device because the smart card provides a means to store the private key securely. This technology is expensive and requires physical infrastructure investments (distribution of cards and card readers etc). There are already a number of alternatives to the smart card that can be used to store the cryptographic key securely.

Another practical reason for the reluctance to implement e-signature applications is that the archiving of electronically signed documents is considered too complex and uncertain. Legal obligations to keep documents for as long as over 30 years require costly and cumbersome technology and procedures to ensure readability and verification over such a period of time.

4. THE IMPACT OF THE DIRECTIVE ON OTHER REGULATION

Even if the demand for the deployment of PKI is something that cannot be created by legislation, the Commission still sees the introduction of electronic signatures as an important tool for the development of the information society services and to encourage secure electronic commerce.

The introduction of e-signatures and reference to the Directive 1999/93/EC has been made in some recently adopted Directives and Decisions.

4.1. The Directive 2001/115/EC

The Directive 2001/115/EC[13] recognises the possibility to send invoices electronically. In this case, the authenticity of the origin of the invoice and the integrity of its content must be guaranteed, for example by the use of advanced electronic signatures.

The function of the advanced e-signature as referred to in this Directive is to ensure that technical security during the transmission and storage process is fulfilled. In fact, in the paper environment, not all national legislations require such a document to be signed with a handwritten signature and the Directive states that Member States shall not require invoices to be signed. It can, therefore, be said that the notion of e-signature in this case refers to a technical rather than a legal concept.

4.2. The new Public Procurement Directives

The new Public Procurement Directives, which entered into force on 30 April 2004, complete the legislative framework for the use of electronic signatures in public procurement.[14]

Use of e-signatures is central to establishing operational e-procurement systems across the EU. E-procurement can be expected to be one of the major fields of application, especially for more advanced forms of e-signatures. E-procurement illustrates the challenges to be overcome when promoting the use of e-signatures.

The new Public Procurement Directives do not define which type of e-signatures should be used in electronic tendering but leave the choice to the Member States provided it is consistent with national law implementing Directive 1999/93/EC.[15] This reflects the current practice for the submission of paper offers for which EU procurement Directives do not regulate the modalities for signing and securing offers.

The fact that Member States may choose different levels of electronic signatures implies the risk that e-procurement solutions will be designed taking into account nationally developed products. This risks fragmenting the procurement market and causing barriers to the internal market for electronic signatures.

The challenge is now to implement electronic signatures across Europe for e-procurement without creating barriers to cross border trade.

The new directives are complemented by an action plan[16] which sets targets and identifies possible actions for the Commission and Member States in 2005 to 2007 to ensure that e-procurement is generalised in Europe by 2010. It calls for an operational solution for e-signatures based on mutual recognition, which mustn’t be different from those used in other fields of activity.

4.3 The Commission Decision on electronic and digitised documents

The Commission Decision 2004/563 on electronic and digitised documents was adopted on 7 July 2004.[17] This Decision amends the internal Rules of Procedure of the Commission.

This Decision determines the conditions of validity of electronic and digitised documents for the Commission’s purposes. It applies to electronic documents established or received and held by the Commission, and the e-signature will be used to attest the validity of electronic documents when necessary.[18]

The Commission has drafted the implementing rules of this Decision. They contain the principles necessary for the implementation of the e-signatures technical infrastructure.

5. CONCLUSIONS

5.1. The legal aspect

The Directive has introduced legal certainty with respect to the general admissibility of electronic signatures: the need for the legal recognition of electronic signatures has been met by the transposition of the Directive into the legislation of the Member States.

Against this background the Commission considers that the objectives of the Directive have been largely fulfilled and that no clear need for its revision has emerged at this stage.

Nonetheless, given the problems of mutual recognition of e-signatures and interoperability at a general level, the Commission will organise a series of meetings with the Member States and the relevant stakeholders to address the following issues in view of considering complementary measures, where appropriate: the differences in the transposition of the Directive; the clarifications of specific articles of the Directive; the technical and standardisation aspects; interoperability problems. In this context, account will be taken of the results from the relevant activities of the Commission services.

5.2. The effect on the market

The use of qualified electronic signatures has been much less than expected and the market is not very well developed today. Today, users do not have a single electronic certificate to sign documents or transactions in the digital environment in the same way as on paper. Therefore, the internal market objective of the Directive, the free circulation of qualified electronic signatures, cannot be assessed comprehensively at this stage.

The main reason for the slow take-off of the market is economic: service providers have little incentive to develop multi-application electronic signatures and prefer to offer solutions for their own services, for instance, solutions developed by the banking sector. This slows down the process of developing interoperable solutions. The lack of applications, such as comprehensive solutions for electronic archives, might also prevent the development of a multi-purpose e-signature, which requires reaching a critical mass of users and usage.

A number of applications in the future might however trigger market growth. The use of e-signatures in e-government services has already reached a certain volume and will probably be an important driver in the future. The strategic role of eGovernment applications is recognised in the i2010 initiative[19], which fosters the deployment and efficient use of ICT by the private and public sectors. The need for secure electronic means of identification to access and use public services is essential for citizens and businesses and will promote the use of electronic signatures[20]. Different forms of eID will be emerging and will require some degree of interoperability. The Commission has set a high priority on eID initiatives, through for instance, the eProcurement action plan or the harmonisation of security features of travel documents, the IDABC programme action on the interoperability aspects of eID for pan-European eGovernment services, the IST or the eTen Programmes. Internally, the Commission intends to continue the modernization of its own administration.[21] The future deployment of e-signatures to reduce paper circulation is one of these measures.

The Commission will continue to encourage the development of e-signatures services and applications and will monitor the market. Beyond the support through eGovernment activities, particular emphasis will be on interoperability and cross-border use of electronic signatures. The Commission will encourage further standardisation work in order to promote the interoperability and use of all kinds of technologies for qualified electronic signature in the internal market. It will prepare a report on standards for electronic signatures in 2006.

[1] Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, OJ L 13, 19.1.2000, p.12.

[2] Study on the legal and market aspects of electronic signatures, K.U.L., 2003, http://europa.eu.int/information_society/eeurope/2005/all_about/trust/electronic_sig_report.pdf

[3] In 2003 the Commission launched an informal consultation for all the interested parties to collect comments on the operation of the Directive. The comments received are integrated in this report.

[4] COM(97) 503 of 8 October 1997.

[5] OJ C 325, 23.10.1998, p.5.

[6] The elimination of legal obstacles for the conclusion of contracts by electronic means is regulated by Article 9 of the Electronic Commerce Directive (Directive 2000/31/EC, OJ L 178, p.1)

[7] Restricting the use of advanced electronic signatures to natural persons shows that a lot of regulators consider e-signatures to be merely electronic equivalents of traditional handwritten signatures. However, the most common use of digital signatures is exclusively to enhance message authenticity and integrity, without the aim of showing intent to sign in the traditional sense which has also been pointed out by e.g. ICC during the informal consultation.

[8] This concept refers to the requirements of technological updatedness and of acceptance by practitioners or sufficient participation of them in its development.

[9] The list of standards produced is available on the EESSI web site http://www.ict.etsi.org/EESSI_home.htm

[10] Decision 2003/511/EC of 14 July 2003 on the publication of reference numbers of generally recognised standards for electronic signature products in accordance with Directive 1999/93/EC of the European Parliament and of the Council, OJ L 175, 15.7.2003, p.45.

[11] The BGCA action of the IDA II Programme: http://europa.eu.int/idabc/en/document/2318/556

[12] For example, the ISIS-MTT specifications in Germany aim at creating technical interoperability between the e-signatures products

[13] Council Directive 2001/115/EC of 20 December 2001 amending Directive 77/388/EEC with a view to simplifying, modernizing and harmonizing the conditions laid down for invoicing in respect of value added tax, OJ L 15, 17.1.2002, p.24

[14] Directive 2004/17/EC of the European Parliament and of the Council of 31 March 2004 coordinating the procurement procedures of entities operating in the water, energy, transports and postal services sectors, OJ L 134, 30.4.2004, p.1 and Directive 2004/18/EC of the European Parliament and of the Council of 31 March 2004 on the coordination of procedures for the award of public works contracts, public supply contracts and public service contracts, OJ L 134, 30.4.2004, p.114

[15] Cf. Annex X of procurement Directive 2004/18

[16] Communication from the Commission to the Council, the European Parliament, The European Economic and Social Committee and the Committee of the Regions, Action plan for the implementation of the legal framework for electronic public procurement, 14.10.2004

[17] Commission Decision of 7 July 2004 amending its rule of procedure, OJ L 251, 27.7.2004, p.9

[18] It can also apply, with an agreement, for bodies or entities responsible for the implementation of certain Community policies, and with the national administrations, where a procedure involves the Commission and these other entities.

[19] COM(2005) 229 final

[20] See also the Ministerial Declaration approved unanimously in Manchester during the Ministerial e-government Conference “Transforming Public Services”, 24/11/05

[21] “e-Commission 2006-2010: enabling efficiency and transparency” - strategic framework - C/2005/44 73