VanEecke ETSI eIDAS Workshop June 2015 (FINAL)

Prof. Dr. Patrick Van Eecke, University of Antwerp, Law firm DLA Piper. IAS2 Study to support the implementation of a pan-European framework on electronic identification and trust services for electronic transactions in the internal market (SMART 2012/0001)


Page 1

Prof. Dr. Patrick Van Eecke

University of Antwerp

Law firm DLA Piper

IAS2 Study to support the implementation of a pan-European framework on electronic identification and trust services for electronic transactions in the internal market

SMART 2012/0001

Page 2

Context of the Study

Regulation 910/2014 of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market

In parallel with the ordinary legislative procedure, there is a need to:

1. Start working on the analysis of the elements that would help develop secondary legislation (delegated and implementing acts) foreseen in the proposal for a Regulation;

2. Ensure coherence of the proposed initiative vis-à-vis activities carried out by the European Institutions' services;

3. Foster take-up of electronic identification, authentication and trust services by raising SME and citizens' awareness of their potential, including leveraging the “Large Scale Pilots” to create a positive understanding and environment for the acceptance and uptake of the new legislative framework.


Page 3

Study Experts Team


Page 4

IAS2 - European Commission Study: SMART 2012/0001

Tasks

1. Technical and Legal Building Blocks

Provide input for devising technical and legal building blocks needed for the preparatory work in the areas envisaged in the planned secondary legislation.

Provide input for standardisation activities related to planned secondary legislation in the proposal for a Regulation.

2. Market take-up of eID and Trust Services

Monitor the take-up of electronic identification (eID), electronic authentication and electronic trust services (eTS) and evaluate the impact of national and EU legislation.

Build upon and further develop the results of the studies commissioned by the Commission on country profiles delivered in 2009.

Complement and enhance the Impact Assessment report accompanying the proposal for a Regulation and the existing market studies, by collecting additional and updated data and by defining and measuring core progress indicators.

3. Communication and Awareness

Propose a communication strategy and outline an awareness raising campaign to promote the uptake of trusted services by EU citizens and SMEs.

4. Technical assistance

Provide technical assistance to the Commission on eID, authentication and eTS, in particular by providing thematic technical reports, briefings and analysis.

Page 5

Status of the deliverables

Project details

1. Project Duration
Start: January 2013
End: January 2015 (April 2015)

2. Project Deliverables
Recommendations for implementing acts
Monitoring eTS and eID
Enhancing eTS market analysis
Follow-up of mandate m460

3. Project Workshops
1. 25 September 2013
2. 18 June 2014
3. 29 January 2015

Status of the deliverables

1. Final Report
• approved by European Commission

2. Management Summary
• currently being translated into French and German

3. Deliverables
• being published in the next few weeks

Page 6

Market take-up of eID and Trust Services


Page 7

Overall analytical framework: What market do we want to analyse?

The analytical framework for the eIDAS market is divided into two parts:

1) The national markets of (regulated) eID and eAuthentication

2) European Market of electronic Trust Services (eTS)

Supply side: eTS are delivered by Trust Service Providers (TSPs), which may integrate products/services from Solution Integrators, which may in turn incorporate products/services from Technology Providers.

Demand side: a distinction is made between intermediary and final users

Regulator: supervision of the regulated suppliers

The market analysis focusses on the interaction between the supply side and demand side of the eTS market.


Page 8

Overall analytical framework: What market do we want to analyse?


Page 9

Data collection approach: Combination of primary and secondary sources

Data from primary sources

- Stakeholder consultation on market figures and a number of topical issues (by means of a survey, including some follow-up interviews)

- Sharing of draft report with stakeholders and WebEx for discussion

Limitations to primary data collection

Low response rate (< 10%) to the survey, and almost no figures were provided: 37 supply-side answers, 45 demand-side answers.

Timing: the study was conducted between the Commission’s proposed Regulation in June 2012 and the publication of the final text in August 2014.

This timing implied uncertainty (development of secondary legislation, impact on national markets by developing the internal market, future of newly introduced services such as the ‘eSeal’ which barely exist today…) and reluctance to express views on the development of the (cross-border) EU market.


Page 10

Data collection approach: Combination of primary and secondary sources

Data from secondary sources: desk research

- Identification of research reports; the most interesting recent ones include:
“Digital Signatures – Paving the Way to a Digital Europe” (Arthur D. Little – 2014);
“The Forrester Wave TM: E-Signatures, Q2 2013” (Forrester Research – 2013);
“The Electronic Signature Market Is Poised to Take Off” (Gartner – 2012).

- Collection of quantitative indicators on market development
No relevant figures on the supply side from Eurostat, since NACE codes do not allow for identifying actors in the eTS market. Some figures of providers on the TSL were collected and aggregated. More general indicators for the demand side were found in benchmarking reports (DG CONNECT) and at Eurostat (services take-up).

Limitations to secondary data collection

Overall, very little economic information is available on the eTS market (mainly technical reports are available, no market intelligence reports).

Page 11

Description of the eTS market: Main characteristics (1/2)

The eTS market has been developing for over 15 years, but there is no mass market of eSignatures and related eServices yet.

The concept of “eTS market” needs to be broadly interpreted, since it is:

Strongly heterogeneous: the market contains a large set of services which are not substitutable given their very different technical and functional characteristics. Possible market segmentations continue to evolve while the market matures and following both technological and legal developments.

Rather fragmented: there is a large number of actors with very different characteristics, e.g.:
- Larger European actors with an international customer base (e.g. Safelayer, Opentrust, GlobalSign, GeoTrust, …)
- Actors with activities in specific regions (e.g. Scandinavia: Advania, Net’s Dan/Nem ID, …)
- Actors focussing on local markets (e.g. DigiDoc, e-Boks.dk, etc.)

Some consolidation has however already taken place, e.g. based on initiatives such as TeleTrust’s European Bridge Certificate Authority (‘EBCA’).

The exception to this is the market of Website Authentication, which is less fragmented and more global.


Page 12

Description of the eTS market: Main characteristics (2/2)

Furthermore, the range of services offered by one provider can vary a lot.

Some eTS providers are niche players, focussing on one sector (e.g. MediSign GmbH, focussing on medical doctors and dentists) or one service (e.g. AuthentiDate, focussing on time stamp services).

Other providers have a very differentiated offer (a “one-stop shop”), e.g. D-Trust (German Bundesdruckerei), offering signature cards, SSL certificates, ID management, timestamping, soft tokens, PKI-related products and services and many more.

In general, the market is dynamic. This is for example illustrated by the increased interest of US companies in the European eTS market:
- End of 2013: Adobe makes EchoSign more robust for the EU and announces a new datacenter in Amsterdam for coping with expected increased demand
- March 2014: Partnership between DocuSign (US) and Opentrust (FR)


Page 13

Description of the eTS market: Supply side - actors

Two categories of eTS provider: established providers and new entrants

Established providers (especially in the market of eSignatures):
- Public organisations (e.g. a free eSignature is made available based on the official eID in Belgium)
- Private organisations (e.g. SK in Estonia, Safelayer, MediSign)

New entrants (diversifying their activities and developing additional business in the eTS market), e.g.:
- European Postal service operators: e.g. Francotyp-Postalia, BPost
- European Internet Service Providers (ISPs), e.g. using the closed network of email accounts for setting up eRegistered Delivery Services (United Internet)
- Security network providers: e.g. Barracuda, which took over the start-up ‘SignNow’
- Software vendors: services vary from a plug-in of cloud-based SaaS services provided by expert eTS providers to integrating eTS in their own software. E.g. I.R.I.S. Solutions & Experts S.A., Advania, SAP

A specific category of new entrants are the start-ups, especially active in the development of new (mobile) eTS. Examples are Signaturit (Spain) for signatures on mobile devices and E-Sign (UK) for QR-Code based signatures.

Page 14

Description of the eTS market: Supply side - evolution and profitability

Analysis based on a sample of 34 qualified eTS providers on the European TSL (providers with eTS as core activity and sufficient data available for 2008-2012):

Assuming that the sample is at least to some extent representative, it can be concluded that the market is growing (average compound annual growth of 6%) and profitability is increasing.

These figures seem conservative compared to other sources, e.g.:
- Xerfi-Precepta (FR): expects 12.5% growth of the digitization market between 2013 and 2017
- Gartner (US): growth rate of 48% between 2010 and 2011 for the overall market of eSignature software and services, and a similar market growth was expected for 2012.

Page 15

Description of the eTS market: Demand side indicators

EU statistics on eTS are not / no longer (*) available; therefore we used some “proxies” for measuring the importance and evolution of eTS in Europe.

The availability of eGovernment Services (Source: Eurostat)

On average, around 40% of cross-border Government services are available on-line, against around 70% of the eGovernment services at the Member State level.

(*) Statistics on eSignatures were collected by Eurostat between 2007-2010.

Page 16

Description of the eTS market: Demand side indicators

The take-up of eGovernment Services (Source: Eurostat)

Take-up of eGovernment service by enterprises is rather high and further increasing, public procurement seems to be lagging behind (but depends on the overall proportion of enterprises offering goods and services to public authorities).

[Chart (Eurostat): share of enterprises using the Internet for offering goods or services in public authorities' electronic procurement systems (eTendering), 2011 vs 2013, and for returning filled-in forms electronically, 2011 vs 2013; axis ticks 0 to 120]

Page 17

Description of the eTS market: Demand side indicators

Take-up of eInvoices in a standard structure suitable for automatic processing (Source: Eurostat)

The picture in the EU is quite diverse: most EU MS experienced a substantial growth; some others however (BE, EE, EL, CY, LT, NL) seem to experience a saturation.

Page 18

Analysis of market dynamics: Supply side - Barriers for development of eTS

Pre-defined possible barrier / Stakeholder viewpoint (max. 37 responses)

Cost of eID/eTS infrastructure
2 out of 3 are in favour of infrastructure sharing for increasing the cost-efficiency of delivering eTS; 1 out of 2 believes this could be based on PPP. Cost savings would make it easier to launch projects, also for SMEs.

Diversity of standards
Respondents tend to agree that the diversity of standards:
- Reduces the interoperability between services (54%)
- Reduces the cost-effectiveness of service delivery (48%)
- Reduces the accessibility to the eTS market (43%)

Lack of regulatory framework for Value Added Services
Overall, the existence of 28 different frameworks is clearly hindering cross-border electronic transactions. National examples are given of use cases required for boosting the market (e.g. Belgium: since April 2014, it is mandatory for notaries to register electronically, as such also ensuring RoI; Iceland: electronic registration of ownership documents by the owner).

Page 19

Analysis of market dynamics: Supply side - Barriers for development of eTS

Pre-defined possible barrier / Stakeholder viewpoint (max. 37 responses)

Sub-optimal alignment of EU intervention to business best practices
Areas for EU public intervention that were pointed out:
- Technical standards
- Homogeneous model for certification in all MS
- Contribution to educating the market (awareness raising)
Suggested approaches:
- Facilitating of collaboration between MS
- Definition of standards with industry involvement and demand side representatives
- A ‘Permanent Committee’ for regular contact with market actors.

Crippling of innovation, caused by regulatory intervention
Only 11% pointed out that the EU regulatory framework does not or not sufficiently allow for innovative eTS

Page 20

Analysis of market dynamics: Demand side - drivers for adoption of eTS

Pre-defined driver for adoption / Stakeholder viewpoint (max. 20 responses)

User convenience
Strongly confirmed as a driver for adoption. Most important dissuasive aspects: (1) need to install software; (2) need to convince the contracting party; (3) need to use specific devices instead of existing (mobile) devices. The level of convenience is - especially for digital signatures - confirmed as the decisive factor in the choice of solution (cf. the Arthur D. Little study).

Importance of preservation
No pronounced agreement that the lack of availability of reliable preservation services should be dealt with for increasing the take-up of eTS.

Efficiency gains and cost savings
Strongly confirmed as a driver for adoption. Some respondents see a particular role for the public sector in giving visibility to the advantages of eTS by setting up large scale and high-visibility projects.

Page 21

Analysis of market dynamics: Demand side - drivers for adoption of eTS

Pre-defined driver for adoption / Stakeholder viewpoint (max. 20 responses)

End-user value of applications
More than half of the respondents confirmed that the end-user value of eTS could be increased by:
- The availability of eTS via on-line application stores
- The creation of new applications
- The adding of applications to existing services
- The integration of eTS into social media

Diversifying business models
Free access to a platform that allows using a range of free and paying services is preferred over:
- Free but limited access (in time or scope) with the option to pay for additional services
- Paying access to a platform that allows using some services for free

Raising awareness
The following ways for raising awareness of the potential of eTS are considered to be effective:
- A European and/or national media campaign
- Including awareness raising in students’ curricula
- Organising information/training sessions at local communities
- Imposing the usage of certain public applications by businesses

Page 22

Conclusions and recommendations

The market study was made while a number of previous recommendations are being implemented (e.g. need for improved interoperability, introduction of mutual recognition), but before their effect can become visible.

At this moment, we can only assume a further growth and development of the eTS market. The precise contribution of Regulation No 910/2014 will require further future assessment.

Overall, there is currently only very little market intelligence available on eTS. Some reasons:
- ‘the eTS market’ is difficult to delimit (very heterogeneous, evolving market segmentations);
- For many large providers, eTS is only a small part of their activities, so no particular reporting on eTS is available;
- It is very challenging to compile an up-to-date comprehensive inventory of start-ups.

Recommendations for a future improved market monitoring:
- Set-up of some kind of market observatory for the supply side.
- Inclusion of eTS indicators in the Community statistics on the information society (Regulation 1006/2009) – see examples of indicators in our report
- Special Eurobarometer - eCommunications Household Survey focussing on eTS, measuring also the impact of the introduction of the “e-Mark U Trust”, etc.

Page 23

Country Analysis

Page 24

3. Country profiles

Scope: 28 EU Member States + 3 EEA (Norway, Iceland, Liechtenstein)

Layout:

Topic / Information provided

Introduction
Situating the document as ‘Country Profile’

Electronic identification
Starting from PRADO, summary of electronic identification alternatives of the country
• Main eID service providers and applications: Description of services and applications available

Electronic trust services
Identification of regulator/approval body; list of electronic trust services as per the country’s Trust List
• Main electronic trust service providers: Description of the TSPs registered in the country’s TL
• Additional electronic trust service providers: Description of additional TSPs, not registered on the TL

PRADO: the Council’s ‘Public Register of Authentic Identity and Travel Documents Online’
Trusted List: each country’s list of TSPs as reported by the Regulator/Approval Body

Page 25

Country profiles (selected aspects)

Columns: Country / eID / Regulator/Approval Body / TSPs in TL / Other

DK
eID: No formal eID (but NETS’ NemID is popular).
Regulator/Approval Body: DAD
TSPs in TL: 2
Other: NETS also provides signing solutions.

SE
eID: eID (discretionary)
Regulator/Approval Body: PTS
TSPs in TL: 1
Other: Many eID alternatives are more popular than the government-issued one.

FI
eID: FINEID (discretionary)
Regulator/Approval Body: FICORA
TSPs in TL: 1
Other: Also MobileID

NO
eID: /
Regulator/Approval Body: Post og Teletilsynet
TSPs in TL: 13
Other: Approximately 3 million people use the ID-portal (based on various solutions)

IS
eID: /
Regulator/Approval Body: Consumer Agency
TSPs in TL: 1
Other: Debit cards/Mobile ID in use

Page 26

Building blocks for secondary legislation

Page 27

Building blocks

Suggestions for IA/DA
• Priorities of secondary legislation
• Relevance for successful implementation of regulation

Creation of an ideal scenario

Reality check
• Technical reality check
• Legal reality check
• Economic reality check
• Societal reality check

Recommendations

Page 28

Page 29

6/24/2015

Page 30

eID

Building blocks for secondary legislation

Page 31

eID topics

Four building blocks

• Notification
• Interoperability framework
• Cooperation
• Assurance levels

Page 32

Notification

Study team proposal:

Short and pragmatic notification template which focuses on policy information and verifiability rather than on technical details.

With respect to the peer review of the notified identification schemes, the review should rely on a consultation based mechanism, in which members of the cooperation group may provide questions or comments to the notifying Member State, inviting it to amend, clarify or revise the notification.

The notifying Member State is however not formally required to respond to this feedback, and other Member States cannot block the publication of a notification. However, they do retain the right to dispute the validity of the notification afterwards if they consider it to be non-compliant with the requirements of the Regulation.


Page 33

Notification

Study team proposal: Defines circumstances, formats and procedures for notification

Circumstances: Practical requirements defining when Member States may notify a specific scheme.

Formats: i.e. the template which must be used, including contents insofar as these are not yet sufficiently specified in Article 7.1, and any requirements for the semantic structure.

Procedures: i.e. the process to be followed in relation to notification, including initial submission; any verification of the submission’s contents, including any peer review; and publication in the Official Journal of the European Union.

Page 34

Notification

Practical timeline

All four Implementing Acts (notification, interoperability framework, cooperation mechanism and quality assurance) enter into force;

The (aspiring) notifying Member State provides a description of its electronic identification scheme to the cooperation group;

Only six months thereafter may the notification be submitted to the Commission.

How to organise peer review? Mere conduit? Prima facie? Voting? Veto?

Only by cooperation group? Or also by Commission?

Page 35

Notification

Our approach:

Cooperation group and Commission have no rejection power.

Peer review is done in good faith. If a notifying MS does not respond (adequately) to questions /criticisms, then the cooperation group might adopt a negative opinion, but this would not stop the notification from being published.

Important nuances and drivers!

A ‘notification’ must still meet the mandatory requirements of the Regulation. If a MS provides manifestly inappropriate information, then it is not a notification (and thus cannot be published).

If the notification is published but not trusted by other MS (notified eIDs are not accepted in practice), a legal stalemate arises that can only be resolved by the Court of Justice. This is a strong driver for good faith cooperation!

Page 36

Interoperability framework

Study team proposal:

We support a very light-touch approach.

The implementing act specifies competences and the minimal ID dataset.

Governance of the framework (including any and all details) should be entrusted to the Cooperation Group.

No technical details in the implementing act; these are decided and maintained by the Cooperation Group.

Page 37

Interoperability framework

Competences:

Focused on deciding certain technical requirements for interoperability and on common operational security standards.

Key topics:
- data formats for exchanging identity information (such as SAML);
- definition of semantic specifications (variables and permitted values);
- technical specifications of solutions for authentication service;
- establishment of legal compliance guidelines;
- identification of security self-assessment templates and guidelines;
- operational and technical requirements for the integration of APs;
- definition of anonymisation policies and requirements;
- establishment of guidelines for the obfuscation of unique identifiers.

Page 38

Interoperability framework

Note: the minimal data set is not a universal and automatic requirement! Data minimisation remains a key principle!

Unique ID – natural person: current first name, current last name, date of birth, and unique identifier

Unique ID – legal person: official name, legal form, date and seat of establishment, and unique identifier

Natural person on behalf of a legal person? Requires the unique ID of both the natural and the legal person, and linking + validation of their identities via business registers.

Exact definition of competences? Not entirely feasible under the current state of the art.
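The minimum data set above, checked programmatically as an added example (not from the slides or the study): a relying party parses a SAML 2.0 attribute statement, the exchange format the previous slide names, and reports which minimum attributes are missing for the subject type and which released attributes go beyond the minimum, in the spirit of the data minimisation note. The attribute names (CurrentGivenName, LegalPersonIdentifier, ...) and the sample statement are assumptions constructed for illustration, not identifiers from the Regulation.

```python
"""Added example, not from the slides: checking an identity assertion against the
eIDAS minimum data set described above, from the relying party's side."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Tuple

# SAML 2.0 assertion namespace; the slide names SAML as an exchange format.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names are ASSUMED for this example; the slide lists only the fields.
NATURAL_PERSON_MDS = frozenset({
    "CurrentGivenName",       # current first name
    "CurrentFamilyName",      # current last name
    "DateOfBirth",            # date of birth
    "PersonIdentifier",       # unique identifier
})
LEGAL_PERSON_MDS = frozenset({
    "LegalName",              # official name
    "LegalForm",              # legal form
    "DateOfEstablishment",    # date of establishment
    "SeatOfEstablishment",    # seat of establishment
    "LegalPersonIdentifier",  # unique identifier
})

REQUIRED_BY_SUBJECT = {
    "natural": NATURAL_PERSON_MDS,
    "legal": LEGAL_PERSON_MDS,
    # A natural person acting on behalf of a legal person needs both sets. The
    # slide adds that the link itself must be validated against business
    # registers; that register lookup is outside this example.
    "representation": NATURAL_PERSON_MDS | LEGAL_PERSON_MDS,
}


@dataclass(frozen=True)
class MdsReport:
    subject_type: str
    complete: bool                   # every required attribute present and non-empty
    missing: Tuple[str, ...]         # required attributes that were not delivered
    beyond_minimum: Tuple[str, ...]  # delivered attributes outside the minimum set


def extract_attributes(attribute_statement_xml: str) -> Dict[str, str]:
    """Map Attribute Name -> first non-empty AttributeValue text.

    Empty or whitespace-only values are dropped, so an attribute cannot satisfy
    the minimum data set by the mere presence of its element.
    """
    root = ET.fromstring(attribute_statement_xml.strip())
    attributes: Dict[str, str] = {}
    for attr in root.iterfind("saml:Attribute", SAML_NS):
        name = attr.get("Name")
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        if name and values:
            attributes[name] = values[0]
    return attributes


def check_minimum_data_set(attributes: Dict[str, str], subject_type: str) -> MdsReport:
    """Report missing minimum attributes and any released beyond the minimum."""
    if subject_type not in REQUIRED_BY_SUBJECT:
        raise ValueError(f"unknown subject type: {subject_type!r}")
    required = REQUIRED_BY_SUBJECT[subject_type]
    present = {name for name, value in attributes.items() if value}
    missing = tuple(sorted(required - present))
    beyond = tuple(sorted(present - required))
    return MdsReport(subject_type, not missing, missing, beyond)


# Constructed sample statement (fictitious person, not real data).
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="CurrentGivenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="CurrentFamilyName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="DateOfBirth"><saml:AttributeValue>1980-01-01</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="PersonIdentifier"><saml:AttributeValue>XX/YY/0000000000</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="CurrentAddress"><saml:AttributeValue>Example Street 1</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Gender"><saml:AttributeValue> </saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_STATEMENT)
    for subject in ("natural", "representation"):
        report = check_minimum_data_set(attrs, subject)
        print(f"{subject}: complete={report.complete} missing={report.missing} "
              f"beyond_minimum={report.beyond_minimum}")
```

For the sample, the natural-person check is complete but flags CurrentAddress as released beyond the minimum, while the representation check lists every legal-person attribute as missing.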

Page 39

Cooperation Group

Study team proposal:

Creation and composition: 1 member per MS, plus observers from the Commission, Article 29 Working Party and ENISA;

Management and governance: secretariat, chair, rules of procedure

Operational issues:
- Frequency/process for convening meetings
- Assessments in relation to the interoperability framework by adopting opinions on appropriate solutions/standards.

Peer review? No decision making (acceptance/rejection); purely consensus based.

Page 40

Quality Assurance

Study team proposal:

A short implementing act should be created that includes a technical annex that specifies the assurance levels.

The act should adhere to international standards, as this is the only way of ensuring future international interoperability.

The annex should be based on the ISO/IEC 29115 standard, and should consist of a specification that uses the three phases defined in this standard (enrolment, credential management, and entity authentication).

Page 41

eID Assurance levels

The implementing act should define three assurance levels on the basis of the criteria enumerated in the Regulation:

a) the procedure to prove and verify the identity of a "Person" applying for the issuance of electronic identification means;

b) the procedure for the issuance of the requested electronic identification means;

c) the authentication mechanism, through which the natural or legal person uses the electronic identification means to confirm its identity to a relying party;

d) the entity issuing the electronic identification means;

e) any other body involved in the application for the issuance of the electronic identification means; and

f) the technical and security specifications of the issued electronic identification means.

In terms of the Regulation, a Person can be a natural or legal person, or a natural person representing a legal person.

eID Assurance levels

The Regulation specifies three assurance levels:

Assurance level – Definition – Technical controls referenced

Low – limited degree of confidence in the claimed or asserted identity of a Person – reference to technical specifications, standards and procedures, including technical controls, the purpose of which is to decrease the risk of misuse or alteration of the identity

Substantial – substantial degree of confidence in the claimed or asserted identity of a Person – reference to technical specifications, standards and procedures, including technical controls, the purpose of which is to decrease substantially the risk of misuse or alteration of the identity

High – higher degree of confidence in the claimed or asserted identity of a Person – reference to technical specifications, standards and procedures, including technical controls, the purpose of which is to prevent misuse or alteration of the identity

eID Assurance levels

To provide the required confidence in a Person and the authentication, the implementing act should cover requirements for the following processes:

Enrolment

Credential management

Authentication

and additional guidance for management and operational aspects (information security management, legal compliance, …) which affect the identification and authentication of a Person


eID Assurance Framework (eIDAF)

Figure: the eIDAF (diagram). An electronic identification scheme is structured into three phases, with management and organisation spanning all of them:

Enrolment phase: application and initiation; identity proofing and identity information verification; record-keeping

Credential management phase: credential creation; credential pre-processing; credential issuance; credential activation; credential storage; credential suspension, revocation and/or destruction; credential renewal and/or replacement; record-keeping

Entity authentication phase: authentication; record-keeping

Actors in the eIDAF

Figure: actors in the eIDAF (diagram). Actors: Registration Authority (RA); Credential Service Provider; Trusted Third Party (e.g., authentication service); Relying Party (e-service provider); Entity (Person). Interactions shown: entity registration and identity proofing (the entity with the RA); electronic identification means issuance (credential + token) by the Credential Service Provider; electronic identification in an e-service (the entity towards the relying party).

eID Assurance levels

To define the requirements for the different levels in the different processes the Study team used input from:

STORK QAA

ISO 29115

The Study team proposal for an eIDAF was delivered to the EC in mid-2014:

Created an ISO-compliant quality assurance specification while focusing on an outcome-based approach

Draws on some normative requirements to integrate STORK experience

Fills in the identified gaps

eID Assurance levels

Comparison between eIDAF, STORK QAA and ISO/IEC 29115:

Assurance level in Regulation – STORK QAA – ISO/IEC 29115

Low – QAA2 – LoA2

Substantial – QAA3 – LoA3

High – QAA4 – LoA4

Supervision and trust services: Building blocks for secondary legislation

Supervision and trust services

Seven building blocks:

Trust Mark

Trusted Lists

Conformity Assessment Bodies

QTSP initiation

Yearly supervisory body activities

Due diligence and data/security breach notification

Common provisions on QTSPs


Enhanced trust model for QTSPs/QTSs

Recital (1): Building trust in the online environment is key to economic and social development. Lack of trust, in particular because of a perceived lack of legal certainty, makes consumers, businesses and administrations hesitate to carry out transactions electronically and to adopt new services.

Recital (2): This Regulation seeks to enhance trust in electronic transactions in the internal market by providing a common foundation for secure electronic interaction between businesses, citizens and public authorities, thereby increasing the effectiveness of public and private online services, electronic business and electronic commerce in the Union.

Figure: enhanced trust model (diagram). Two outer pillars, TRUSTED LISTS and SUPERVISION, surround the QTSP and the QTS it provides. Supervision life cycle shown: Initiation (initial assessment by CAB); Ad-hoc audits (at any time); Regular assessments (at least every 24 months by CAB); Termination. Underpinning layers: QTSP & QTS related eIDAS provisions; Best practices & standards.

“Building trust …” through secondary legislation

Timed Implementing Act (I.A.) (Art. 23.3) on Trust Mark (1 July 2015)

Timed I.A. (Art. 22.5) on Trusted Lists (18 Sep. 2015)

Optional I.A. (Art. 20.4) on Conformity Assessment Bodies

Optional I.A. (Art. 21.4) on QTSP initiation

Optional I.A. (Art. 17.8) on yearly SB activities

Optional I.A. (Art. 19.4) on common provisions on TSPs

Optional I.A. (Art. 24.5) on common provisions on QTSPs

Additional I.A. on specific provisions per type of (qualified) trust service and trust service provider

“Building trust …” through secondary legislation

Considering the aim of the eIDAS Regulation:

– increasing confidence in and convenience of online services

– having the market experience a real mark of trust, adopting marked TS and massively using digital applications and services

Besides the mandatory I.A., the optional I.A. foreseen in the eIDAS Regulation are believed to contribute significantly to increasing the credibility of:

– the quality and trustworthiness of QTSs/QTSPs

– the truthful message of trust conveyed by trusted lists and the EU Trust Mark for QTSs

so as to support achieving the eIDAS aim of enhancing the effectiveness of online services in the EU.

Summary

Mandatory:

Trust Mark
• Mandatory I.A.: on track – need for visual and textual specifications
• Key service (e.g. from CEF) facilitating verification of the qualified status through the corresponding trusted list

Trusted Lists
• Mandatory I.A.: on track
• Leveraging the existing CD (Commission Decision) and underlying standards

Optional:

Conformity Assessment Bodies
• Missing piece (standard): outcome-based TSP audit criteria against eIDAS
• Without that missing piece, an I.A. would be inappropriate and counterproductive

QTSP initiation
• Efficient and practical guidelines and good-practice documents could come first

Yearly supervisory body activities
• Not for the sake of reporting or statistics
• Support improving supervision, increasing transparency, mutual assistance and trust

Due diligence and data/security breach notification
• DD (due diligence) TSP obligations on an "outcome-based" approach and a "recognised normative" approach
• BN (breach notification) to be aligned with other similar notifications

Common provisions on QTSPs
• I.A. dependent on the availability of eligible standards

Signatures/Seals/Devices: Building blocks for secondary legislation

Building blocks for enhancing existing electronic signature and electronic seals

1. Interoperability of electronic signatures in public services

2. Reference formats of advanced electronic signatures or reference methods

3. Reference numbers of standards for qualified electronic signature creation devices

4. Standards for the security assessment of information technology products – Qualified electronic Signature Creation Devices

5. Specific criteria to be met by the designated bodies

eTime stamps, registered delivery services and website authentication: Building blocks for secondary legislation

Time stamps

Different applications of time stamps may have different requirements. The set of standards referenced in the implementing act should support a broad spectrum of requirements, to guarantee that the actual needs of the different applications are satisfied without excessive burden.

References to standards are needed to bind the date and time to data:

the data sent to the time stamp provider

the date/time indication included in the time stamp

Existing technical specifications could be used, e.g. TS 102 023 / TS 101 861 / CEN/ISSS CWA 14167-2:2004.

These technical specifications are currently being revised under the EC mandate M/460.
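The binding the slide describes, as an added illustrative example that is not part of the original presentation and not code from any of the cited specifications: the client sends the provider only a hash of its data, the provider binds that hash to its own clock reading and authenticates the result, and a relying party later checks that the token is genuine and refers to exactly this data. Assumptions made here for the sake of a self-contained example: the token is a JSON object whose field names are borrowed from RFC 3161 (messageImprint, genTime, serialNumber, nonce), the provider's digital signature is replaced by an HMAC so that the example runs on the Python standard library alone, and the sample document and key are constructed. A real TSA under TS 101 861 / RFC 3161 issues a CMS SignedData structure signed with its private key, which the verifier checks against the TSA certificate (normally located via the trusted list).

```python
# Added example, not part of the original presentation. HMAC stands in for
# the TSA's digital signature; field names follow RFC 3161 loosely, the
# encoding (JSON) does not. Key, clock value and document are constructed.
import hashlib
import hmac
import json
import secrets
import time

HASH_ALG = "sha256"


def message_imprint(data: bytes) -> str:
    """Hash of the data; this, not the data itself, goes to the provider."""
    return hashlib.new(HASH_ALG, data).hexdigest()


def build_request(data: bytes) -> dict:
    """Client side: hash the document and add a fresh nonce against replay."""
    return {
        "hashAlgorithm": HASH_ALG,
        "messageImprint": message_imprint(data),
        "nonce": secrets.token_hex(8),
    }


def _canonical(token: dict) -> bytes:
    """Deterministic serialisation of every field except the tag itself."""
    body = {k: v for k, v in token.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class TimeStampProvider:
    """Provider side: binds the received imprint to its own clock reading."""

    def __init__(self, key: bytes, clock=time.time):
        self._key = key        # stands in for the TSA signing key (assumption)
        self._clock = clock    # injectable so the time can be fixed in tests
        self._serial = 0

    def issue(self, request: dict) -> dict:
        if request["hashAlgorithm"] != HASH_ALG:
            raise ValueError("unsupported hash algorithm")
        self._serial += 1
        token = {
            "hashAlgorithm": request["hashAlgorithm"],
            "messageImprint": request["messageImprint"],  # echoed, never seen in clear
            "genTime": int(self._clock()),                # the date/time indication
            "serialNumber": self._serial,
            "nonce": request["nonce"],
        }
        # The tag covers imprint + time together: that is the binding.
        token["tag"] = hmac.new(self._key, _canonical(token), HASH_ALG).hexdigest()
        return token


def verify(token: dict, data: bytes, key: bytes, request: dict = None) -> bool:
    """Relying party: check the tag first, then that the token is about this data."""
    expected = hmac.new(key, _canonical(token), HASH_ALG).hexdigest()
    if not hmac.compare_digest(expected, token.get("tag", "")):
        return False                  # token altered, or not from this provider
    if token["hashAlgorithm"] != HASH_ALG:
        return False                  # algorithm downgrade or mismatch
    if token["messageImprint"] != message_imprint(data):
        return False                  # genuine token, but for different data
    if request is not None and token["nonce"] != request["nonce"]:
        return False                  # replay of a token from another request
    return True


if __name__ == "__main__":
    key = b"constructed-provider-key"
    tsp = TimeStampProvider(key)
    doc = b"constructed sample document"
    req = build_request(doc)
    tok = tsp.issue(req)
    print(json.dumps(tok, indent=2))
    print("valid for original data:", verify(tok, doc, key, req))
    print("valid for modified data:", verify(tok, doc + b"!", key, req))
```

The verifier deliberately checks the tag before anything else, so a token whose genTime was edited after issuance fails on the tag rather than being trusted for its date; and because only the imprint is sent, the provider never learns the content of what it time-stamps, which is the point of the "data sent to the time stamp provider" distinction on the slide.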


Registered Electronic Mail

As e-registered delivery is and remains open to innovation, any future scenario should:

Establish a mechanism that allows European standardisation organisations and international standardisation bodies, as defined in Regulation (EU) No 1025/2012, to submit a proposal for an e-registered delivery standard to be referenced by the EU Commission;

Mandate a transparent review of the proposed standard, checking that it does not lack any of the properties required by Regulation (EU) No 1025/2012, in particular:

– a transparent standardisation process;

– an open standardisation process, accessible to everybody, either through membership of the standardisation committee or through a national standardisation body;

– a standard publicly available to everybody (free or upon payment).

Communication and Awareness


Communication and Awareness

Communication Strategy Plan
• Communication strategy – scope
• The business vision
• Branding – public awareness
• Communication messages
• Stakeholders – segmentation and analysis

Communication Tools
• Public awareness campaigns
• Printed/online promotional and information material
• Publicity events and activities
• Media relations and social media

Evaluation and Monitoring
• Variables to be monitored
• Indicators of successful campaigns

Technical assistance


Technical assistance

Strategic advice on international trade law aspects;

Technical assistance on website certificates;

Comments and suggestions relating to the prioritization of the secondary legislation;

Ad-hoc questions relating to technical issues;

Strategic advice on Levels of Assurance.


Conclusions


Legal acceptance of eSignatures in the world

6/24/2015

Copyright DLA Piper


eSignature laws

Flexible approach towards use of electronic signatures for legal transactions

No specific technical requirements are being mandated when using electronic signatures for standard legal transactions. Still, for specific transactions and for specific sectors, additional technical criteria may be required.

Less flexible approach towards use of electronic signatures for legal transactions

For standard legal transactions no additional technical criteria are required but the use of specific electronic signature technology is often promoted by law (e.g. by introducing a presumption of conformity for specific electronic signature technology).

Stringent approach towards use of electronic signatures for legal transactions

Technology related specific requirements need to be taken into account when using electronic signatures for standard legal transactions.


Flexibility of eSignature legislation


Case law?

Plenty of cases on the enforceability of electronic signatures/contracts

Move towards the trustworthiness of the technology used

Fewer cases on qualified electronic signatures

Case law: Estonia

A lawyer representing a client in a dispute sent a digitally signed document (following the requirements of the Estonian electronic signature legislation) to court by e-mail. The Tallinn Administrative City Court claimed that it was not able to read the document and therefore rejected it.

The case was taken to the Tallinn Administrative District Court, which ruled on 12 June 2003 that qualified signatures are equivalent to handwritten ones in Estonia and that the court should therefore not have claimed that it could not use the document. The district court declared that documents can be sent to court by e-mail if they carry a valid qualified e-signature: "The reception of a digitally signed document was not obstructed by the lack of appropriate software - it was and still is possible to immediately install such software at courts when necessary."

Case law: Finland

The Finnish Supreme Administrative Court (23 December 2005) ruled that a county government could not require that the conclusion of an electronic service contract used by a real estate broker with its customers be secured with a qualified certificate or other similar means under best-practice requirements, since the use of a qualified certificate or other such advanced verification mechanisms was not required under the letter of the law.

The county government had no right to impose additional form requirements, such as a qualified certificate, on the real estate broker, as the law does not prescribe the form of such contracts. The law does require that the terms of the broker's assignment are provided in a manner that cannot be changed unilaterally.

Case law: Germany

In three similar cases (OLG Köln, 19 U 16/02; LG Konstanz, 2 O 141/01 A; AG Erfurt, 28 C 2354/01), German courts decided that an e-mail without a qualified electronic signature has almost no binding effect under German law. According to the courts, a contract concluded by e-mail without a qualified electronic signature is not convincing evidence, in particular when the purported sender denies authorship.

The contested e-mails were all sent from the website of an access provider, where a password suffices to gain access to the e-mail system. The cases were dismissed because it could not be proved that the e-mails were actually sent by the purported senders. The judges did not accept the presumption that the e-mails must have been sent by the owner of the e-mail address, because almost anybody could have sent them using the owner's password.

Case law: Italy

The Italian Supreme Court ruled (decision no. 11445 of 6 September 2001) that an unsigned electronic document constitutes full evidence of the represented facts, unless proof to the contrary exists.

The Court of Cuneo ordered on 15 December 2003 a company to fulfil its obligations to another company on the basis of a claim proven with e-mail communications. The judge of Cuneo held that the use of authentication credentials such as a user ID and password to access the e-mail account represents a valid means of adducing evidence on the origin of the message. The judge held that the e-mails had the same validity as written documents and admitted them as trial evidence (compare the German case law above).

Case law: United Kingdom

The case of Nilesh Mehta v J Pereira Fernandes SA [2006] concerned the nature of electronic signatures in relation to a winding-up petition. In this case, a director asked a member of staff to send an e-mail to the solicitors acting, asking them to consider adjourning a winding-up petition hearing for one week in return for a personal guarantee. The e-mail itself was not signed, but the header of the e-mail showed that it came from the employee's address. The proposal was accepted, but the guarantee was then not honoured.

The High Court held that the e-mail message satisfied the statutory requirement of writing, but could not be classed as a signature. The e-mail in question had been sent from the address [email protected]. Previous messages between the parties had been sent from that address. There was no further reference to Mr Mehta's name in the body of the e-mail. The judge concluded that it is not possible to hold that the automatic insertion of an e-mail address is intended as a signature.

It would appear, however, that even a typed representation of the appellant's name would have been sufficient evidence of his intention to be bound by the text of the e-mail for it to be classed as a signature.

Overview: delegated acts vs. implementing acts

Role – Delegated acts: supplement and amend 'non-essential elements' – Implementing acts: provide uniform conditions for implementing EU acts

Scope – Delegated acts: general application – Implementing acts: general or individual application

Expert committees – Delegated acts: no (not formally) – Implementing acts: yes

Legal basis – Delegated acts: in individual legislation + 'common understanding' – Implementing acts: horizontal EP/Council Regulation

Scrutiny – Delegated acts: EP/Council can veto or revoke the delegation – Implementing acts: Member States can block; EP/Council scrutiny

© [email protected]

Broad Scope

Electronic signatures

Electronic identification

Electronic seals

Electronic time stamps

Electronic documents

Electronic delivery

Web authentication services

Principles

Notified eIDs: notified; mutual recognition; eGovernment purposes

Qualified services: minimum of quality criteria; stronger supervision; publication of trusted lists

Legal effect: non-discrimination; equivalence (legal presumption)

Standards: voluntary; presumption of compliance; published in the OJ

Double scope of the Regulation

1. eID: mutual recognition of electronic identification
• eID interoperability and usability
• Notification-based system
• Aimed at supporting eGovernment

2. Electronic trust services
• Electronic signatures: interoperability and usability
• Electronic seals: interoperability and usability
• Cross-border dimension of: time stamping; electronic delivery services; admissibility of electronic documents; website authentication

Date of pre76