Van Eecke, ETSI eIDAS Workshop, June 2015 (final)
TRANSCRIPT
Prof. Dr. Patrick Van Eecke
University of Antwerp
Law firm DLA Piper
IAS2 Study to support the implementation of a pan-European framework on electronic identification and trust services for electronic transactions in the internal market
SMART 2012/0001
Context of the Study
Regulation 910/2014 of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market
In parallel with the ordinary legislative procedure, there is a need to:
1. Start working on the analysis of the elements that would help develop secondary legislation (delegated and implementing acts) foreseen in the proposal for a Regulation;
2. Ensure coherence of the proposed initiative vis-à-vis activities carried out by the European Institutions' services;
3. Foster take-up of electronic identification, authentication and trust services by raising SME and citizens' awareness of their potential, including leveraging the “Large Scale Pilots” to create a positive understanding and environment for the acceptance and uptake of the new legislative framework.
Study Experts Team
IAS2 - European Commission Study: SMART 2012/0001
Tasks
1. Technical and Legal Building Blocks
Provide input for devising technical and legal building blocks needed for the preparatory work in the areas envisaged in the planned secondary legislation.
Provide input for standardisation activities related to planned secondary legislation in the proposal for a Regulation.
2. Market take-up of eID and Trust Services
Monitor the take-up of electronic identification (eID), electronic authentication and electronic trust services (eTS) and evaluate the impact of national and EU legislation.
Build upon and further develop the results of the studies commissioned by the Commission on country profiles delivered in 2009.
Complement and enhance the Impact Assessment report accompanying the proposal for a Regulation and the existing market studies, by collecting additional and updated data and by defining and measuring core progress indicators.
3. Communication and Awareness
Propose a communication strategy and outline an awareness raising campaign to promote the uptake of trusted services by EU citizens and SMEs.
4. Technical assistance
Provide technical assistance to the Commission on eID, authentication and eTS, in particular by providing thematic technical reports, briefings and analysis.
Status of the deliverables
Project details
1. Project Duration
Start: January 2013
End: January 2015 (April 2015)
2. Project Deliverables
- Recommendations for implementing acts
- Monitoring eTS and eID
- Enhancing eTS market analysis
- Follow-up of mandate M/460
3. Project Workshops
1. 25 September 2013
2. 18 June 2014
3. 29 January 2015
Status of the deliverables
1. Final Report: approved by European Commission
2. Management Summary: currently being translated into French and German
3. Deliverables: being published in the next few weeks
Market take-up of eID and Trust Services
Overall analytical framework: What market do we want to analyse?
The analytical framework for the eIDAS market is divided into two parts:
1) The national markets of (regulated) eID and eAuthentication
2) The European market of electronic Trust Services (eTS)
Supply side: eTS are delivered by Trust Service Providers (TSPs), which may integrate products/services from Solution Integrators, which may in turn incorporate products/services from Technology Providers.
Demand side: a distinction is made between intermediary and final users.
Regulator: supervision of the regulated suppliers.
The market analysis focuses on the interaction between the supply side and the demand side of the eTS market.
Data collection approach: Combination of primary and secondary sources
Data from primary sources
- Stakeholder consultation on market figures and a number of topical issues (by means of a survey, including some follow-up interviews)
- Sharing of the draft report with stakeholders and a WebEx for discussion
Limitations to primary data collection
- Low response rate (< 10%) to the survey; almost no figures were provided (37 supply-side answers, 45 demand-side answers)
- Timing: the study was conducted between the Commission’s proposed Regulation in June 2012 and the publication of the final text in August 2014
- This timing implied uncertainty (development of secondary legislation, impact on national markets by developing the internal market, future of newly introduced services such as the ‘eSeal’ which barely exist today…) and reluctance to express views on the development of the (cross-border) EU market.
Data from secondary sources: desk research
- Identification of research reports; the most interesting recent ones include:
  “Digital Signatures – Paving the Way to a Digital Europe” (Arthur D. Little, 2014);
  “The Forrester Wave TM: E-Signatures, Q2 2013” (Forrester Research, 2013);
  “The Electronic Signature Market Is Poised to Take Off” (Gartner, 2012).
- Collection of quantitative indicators on market development: no relevant figures on the supply side are available from Eurostat, since NACE codes do not allow for identifying actors in the eTS market. Some figures of providers on the TSL were collected and aggregated. More general indicators for the demand side were found in benchmarking reports (DG CONNECT) and at Eurostat (services take-up).
Limitations to secondary data collection
Overall, very little economic information is available on the eTS market (mainly technical reports are available, no market intelligence reports).
Description of the eTS market: Main characteristics (1/2)
The eTS market has been developing for over 15 years, but there is no mass market of eSignatures and related eServices yet.
The concept of “eTS market” needs to be broadly interpreted, since it is:
- Strongly heterogeneous: the market contains a large set of services which are not substitutable given their very different technical and functional characteristics. Possible market segmentations continue to evolve while the market matures and following both technological and legal developments.
- Rather fragmented: there is a large number of actors with very different characteristics, e.g.:
  Larger European actors with an international customer base (e.g. Safelayer, Opentrust, GlobalSign, GeoTrust, …)
  Actors with activities in specific regions (e.g. Scandinavia: Advania, Net’s Dan/Nem ID, …)
  Actors focussing on local markets (e.g. DigiDoc, e-Boks.dk, etc.)
Some consolidation has however already taken place, e.g. based on initiatives such as TeleTrust’s European Bridge Certificate Authority (‘EBCA’).
An exception to this is the market of Website Authentication, which is less fragmented and more global.
Description of the eTS market: Main characteristics (2/2)
Furthermore, the range of services offered by one provider can vary a lot.
Some eTS providers are niche players, focussing on one sector (e.g. MediSign GmbH, focussing on medical doctors and dentists) or one service (e.g. AuthentiDate, focussing on time stamp services).
Other providers have a very differentiated offer (a “one-stop shop”), e.g. D-Trust (German Bundesdruckerei), offering signature cards, SSL certificates, ID management, timestamping, soft tokens, PKI-related products and services and many more.
In general, the market is dynamic. This is for example illustrated by the increased interest of US companies in the European eTS market:
- End of 2013: Adobe makes EchoSign more robust for the EU and announces a new datacenter in Amsterdam for coping with expected increased demand
- March 2014: Partnership between DocuSign (US) and Opentrust (FR)
Description of the eTS market: Supply side - actors
Two categories of eTS provider: established providers and new entrants
Established providers (especially in the market of eSignatures):
- Public organisations (e.g. a free eSignature is made available based on the official eID in Belgium)
- Private organisations (e.g. SK in Estonia, Safelayer, MediSign)
New entrants (diversifying their activities and developing additional business in the eTS market), e.g.:
- European postal service operators: e.g. Francotyp-Postalia, BPost
- European Internet Service Providers (ISPs), e.g. using the closed network of email accounts for setting up eRegistered Delivery Services (United Internet)
- Security network providers: e.g. Barracuda, which took over the start-up ‘Sign Now’
- Software vendors: services vary from a plug-in of cloud-based SaaS services provided by expert eTS providers to integrating eTS in their own software, e.g. I.R.I.S. Solutions & Experts S.A., Advania, SAP
A specific category of new entrants are the start-ups, especially active in the development of new (mobile) eTS. Examples are Signaturit (Spain) for signatures on mobile devices and E-Sign (UK) for QR-code based signatures.
Description of the eTS market: Supply side - evolution and profitability
Analysis based on a sample of 34 qualified eTS providers on the European TSL (providers with eTS as core activity and sufficient data available for 2008-2012):
Assuming that the sample is at least to some extent representative, it can be concluded that the market is growing (average compound annual growth of 6%) and profitability is increasing.
These figures seem conservative compared to other sources, e.g.:
- Xerfi-Precepta (FR): expects 12.5% growth of the digitization market between 2013 and 2017
- Gartner (US): growth rate of 48% between 2010-2011 for the overall market of eSignature software and services, and a similar market growth was expected for 2012.
Description of the eTS market: Demand side indicators
EU statistics on eTS are not / no longer (*) available; therefore we used some “proxies” for measuring the importance and evolution of eTS in Europe.
The availability of eGovernment Services (Source: Eurostat)
On average, around 40% of cross-border Government services are available on-line, against around 70% of the eGovernment services at the Member State level.
(*) Statistics on eSignatures were collected by Eurostat between 2007-2010.
Description of the eTS market:Demand side indicators
The take-up of eGovernment Services (Source: Eurostat)
Take-up of eGovernment service by enterprises is rather high and further increasing, public procurement seems to be lagging behind (but depends on the overall proportion of enterprises offering goods and services to public authorities).
[Chart (Eurostat): percentage of enterprises, 2011 vs 2013, using the Internet for offering goods or services in public authorities' electronic procurement systems (eTendering) and for returning filled-in forms electronically]
Description of the eTS market: Demand side indicators
Take-up of eInvoices in a standard structure suitable for automatic processing (Source: Eurostat)
The picture in the EU is quite diverse: most EU MS experienced a substantial growth; some others however (BE, EE, EL, CY, LT, NL) seem to experience a saturation.
Analysis of market dynamics: Supply-side: Barriers for development of eTS
Pre-defined possible barrier / Stakeholder viewpoint (max. 37 responses)
Cost of eID/eTS infrastructure: 2 out of 3 are in favour of infrastructure sharing for increasing the cost-efficiency of delivering eTS; 1 out of 2 believes this could be based on PPP. Cost savings would make it easier to launch projects, also for SMEs.
Diversity of standards: Respondents tend to agree that the diversity of standards:
- Reduces the interoperability between services (54%)
- Reduces the cost-effectiveness of service delivery (48%)
- Reduces the accessibility to the eTS market (43%)
Lack of regulatory framework for Value Added Services: Overall, the existence of 28 different frameworks is clearly hindering cross-border electronic transactions. National examples are given of use cases that were required for boosting the market (e.g. Belgium: since April 2014, it is mandatory for notaries to register electronically, as such also ensuring RoI; Iceland: electronic registration of ownership documents by the owner).
Analysis of market dynamics: Supply-side: Barriers for development of eTS
Pre-defined possible barrier / Stakeholder viewpoint (max. 37 responses)
Sub-optimal alignment of EU intervention to business best practices: Areas for EU public intervention that were pointed out:
- Technical standards
- Homogeneous model for certification in all MS
- Contribution to educating the market (awareness raising)
Suggested approaches:
- Facilitating collaboration between MS
- Definition of standards with industry involvement and demand side representatives
- A ‘Permanent Committee’ for regular contact with market actors.
Crippling of innovation, caused by regulatory intervention: Only 11% pointed out that the EU regulatory framework does not or not sufficiently allow for innovative eTS.
Analysis of market dynamics: Demand-side: drivers for adoption of eTS
Pre-defined driver for adoption / Stakeholder viewpoint (max. 20 responses)
User convenience: Strongly confirmed as a driver for adoption. Most important dissuasive aspects: (1) need to install software; (2) need to convince the contracting party; (3) need to use specific devices instead of existing (mobile) devices. The level of convenience is, especially for digital signatures, confirmed as the decisive factor in the choice of solution (cf. study by A.D. Little).
Importance of preservation: No pronounced agreement that the lack of availability of reliable preservation services should be dealt with for increasing the take-up of eTS.
Efficiency gains and cost savings: Strongly confirmed as a driver for adoption. Some respondents see a particular role for the public sector in giving visibility to the advantages of eTS by setting up large scale and high-visibility projects.
Analysis of market dynamics: Demand-side: drivers for adoption of eTS
Pre-defined driver for adoption / Stakeholder viewpoint (max. 20 responses)
End-user value of applications: More than half of the respondents confirmed that the end-user value of eTS could be increased by:
- The availability of eTS via on-line application stores
- The creation of new applications
- The adding of applications to existing services
- The integration of eTS into social media
Diversifying business models: Free access to a platform that allows using a range of free and paying services is preferred over:
- Free but limited access (in time or scope) with the option to pay for additional services
- Paying access to a platform that allows using some services for free
Raising awareness: The following ways for raising awareness of the potential of eTS are considered to be effective:
- A European and/or national media campaign
- Including awareness raising in students’ curriculum
- Organising information/training sessions at local communities
- Imposing the usage of certain public applications by businesses
Conclusions and recommendations
The market study was made while a number of previous recommendations are being implemented (e.g. need for improved interoperability, introduction of mutual recognition), but before their effect can become visible.
At this moment, we can only assume a further growth and development of the eTS market. The precise contribution of Regulation No 910/2014 will require further future assessment.
Overall, there is currently only very little market intelligence available on eTS. Some reasons:
- ‘The eTS market’ is difficult to delimit (very heterogeneous, evolving market segmentations);
- For many large providers, eTS is only a small part of their activities, so no particular reporting on eTS is available;
- It is very challenging to compile an up-to-date comprehensive inventory of start-ups.
Recommendations for a future improved market monitoring:
- Set-up of some kind of a market observatory for the supply side.
- Inclusion of eTS indicators in the Community statistics on the information society (Regulation 1006/2009) – see examples of indicators in our report
- Special Eurobarometer - eCommunications Household Survey; focussing on eTS, measuring also the impact of the introduction of the “e-Mark U Trust”, etc.
Country Analysis
3. Country profiles
Scope: 28 + 3 EEA (Norway, Iceland, Liechtenstein)
Layout:
Topic / Information provided
Introduction: Situating the document as ‘Country Profile’
Electronic identification: Starting from PRADO, summary of the electronic identification alternatives of the country
• Main eID service providers and applications: Description of services and applications available
Electronic trust services: Identification of regulator/approval body; list of electronic trust services as per the country’s Trust List
• Main electronic trust service providers: Description of the TSPs registered in the country’s TL
• Additional electronic trust service providers: Description of additional TSPs, not registered on the TL
PRADO: the Council’s ‘Public Register of Authentic Identity and Travel Documents Online’
Trusted List: each country’s list of TSPs as reported by the Regulator/Approval Body
Country profiles (selected aspects)
Country | eID | Regulator/Approval Body | TSPs in TL | Other
DK | / (no formal eID, but NETS’ NemID is popular) | DAD | 2 | NETS also provides signing solutions.
SE | eID (discretionary) | PTS | 1 | Many eID alternatives are more popular than the government-issued one.
FI | FINEID (discretionary) | FICORA | 1 | Also MobileID
NO | / | Post og Teletilsynet | 13 | Approximately 3 million people use the ID-portal (based on various solutions)
IS | / | Consumer Agency | 1 | Debit cards/Mobile ID in use
Building blocks for secondary legislation
[Figure: the study's approach, from building blocks to recommendations]
Building blocks
Suggestions for IA/DA
• Priorities of secondary legislation
• Relevance for successful implementation of regulation
Creation of an ideal scenario
Reality check
• Technical reality check
• Legal reality check
• Economic reality check
• Societal reality check
Recommendations
6/24/2015
eID
Building blocks for secondary legislation
eID topics
Four building blocks:
• Notification
• Interoperability framework
• Cooperation
• Assurance levels
Notification
Study team proposal:
Short and pragmatic notification template which focuses on policy information and verifiability rather than on technical details.
With respect to the peer review of the notified identification schemes, the review should rely on a consultation based mechanism, in which members of the cooperation group may provide questions or comments to the notifying Member State, inviting it to amend, clarify or revise the notification.
The notifying Member State is however not formally required to respond to this feedback, and other Member States cannot block the publication of a notification. However, they do retain the right to dispute the validity of the notification afterwards if they consider it to be non-compliant with the requirements of the Regulation.
Notification
Study team proposal: Defines circumstances, formats and procedures for notification
Circumstances: Practical requirements defining when Member States may notify a specific scheme.
Formats: i.e. the template which must be used, including contents insofar as these are not yet sufficiently specified in Article 7.1, and any requirements for the semantic structure.
Procedures: i.e. the process to be followed in relation to notification, including initial submission; any verification of the submission’s contents, including any peer review; and publication in the Official Journal of the European Union.
Notification
Practical timeline:
1. All four Implementing Acts (notification, interoperability framework, cooperation mechanism and quality assurance) enter into force;
2. The (aspiring) notifying Member State provides a description of its electronic identification scheme to the cooperation group;
3. Only six months thereafter may the notification be submitted to the Commission.
How to organise peer review? Mere conduit? Prima facie? Voting? Veto?
Only by the cooperation group? Or also by the Commission?
Notification
Our approach:
Cooperation group and Commission have no rejection power.
Peer review is done in good faith. If a notifying MS does not respond (adequately) to questions/criticisms, then the cooperation group might adopt a negative opinion, but this would not stop the notification from being published.
Important nuances and drivers!
- A ‘notification’ must still meet the mandatory requirements of the Regulation. If a MS provides manifestly inappropriate information, then it is not a notification (and thus cannot be published).
- If the notification is published but not trusted by other MS (notified eIDs are not accepted in practice), a legal stalemate arises that can only be resolved by the Court of Justice. This is a strong driver for good faith cooperation!
Interoperability framework
Study team proposal:
We support a very light-touch approach:
- The implementing act specifies competences and the minimal ID dataset;
- Governance of the framework (including any and all details) should be entrusted to the Cooperation Group;
- No technical details in the implementing act; these are decided and maintained by the Cooperation Group.
Interoperability framework
Competences:
Focused on deciding certain technical requirements for interoperability and on common operational security standards.
Key topics:
- data formats for exchanging identity information (such as SAML)
- definition of semantic specifications (variables and permitted values)
- technical specifications of solutions for authentication service
- establishment of legal compliance guidelines
- identification of security self-assessment templates and guidelines
- operational and technical requirements for the integration of APs
- definition of anonymisation policies and requirements
- establishment of guidelines for the obfuscation of unique identifiers
Interoperability framework
Note: the minimal data set is not a universal and automatic requirement! Data minimisation remains a key principle!
Unique ID – natural person: current first name, current last name, date of birth, and unique identifier
Unique ID – legal person: official name, legal form, date and seat of establishment, and unique identifier
Natural person on behalf of legal person? Requires the unique ID of both the natural and the legal person, and linking + validation of their identities via business registers. Exact definition of competences? Not entirely feasible under the current state of the art.
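As an added illustration (not code from the study or from any eIDAS implementation), the following script checks an identity assertion against the minimal data set listed above for the three subject types, validates the representation case against a business register, and applies data minimisation on the relying-party side. The attribute names, the assertion layout and the register lookup are assumptions made for this example, not the official eIDAS attribute names.

```python
"""Minimal data set (MDS) checks for the three eIDAS subject types.

Added example; attribute names and assertion layout are assumptions, not the
official eIDAS SAML attribute names.
"""
from __future__ import annotations

# MDS per subject type, following the study team's wording.
NATURAL_PERSON_MDS = (
    "current_first_name",
    "current_last_name",
    "date_of_birth",
    "unique_identifier",
)
LEGAL_PERSON_MDS = (
    "official_name",
    "legal_form",
    "date_of_establishment",
    "seat_of_establishment",
    "unique_identifier",
)


def _missing(label: str, attrs: dict, required: tuple) -> list[str]:
    """List the required attributes that are absent or empty in attrs."""
    problems = []
    for name in required:
        value = attrs.get(name)
        if value is None or not str(value).strip():
            problems.append(f"{label}: missing {name}")
    return problems


def validate_identity(assertion: dict, business_register: dict | None = None) -> list[str]:
    """Return the problems found in an identity assertion (empty list = acceptable).

    Assumed layout: {"subject_type": "natural" | "legal" | "representative",
                     "natural": {...}, "legal": {...}}.
    The representative case needs the MDS of both persons plus a link validated
    against a business register, modelled here as a constructed dict mapping the
    legal person's unique identifier to the set of natural persons entitled to
    act on its behalf.
    """
    subject_type = assertion.get("subject_type")
    natural = assertion.get("natural", {})
    legal = assertion.get("legal", {})
    problems: list[str] = []
    if subject_type == "natural":
        problems += _missing("natural person", natural, NATURAL_PERSON_MDS)
    elif subject_type == "legal":
        problems += _missing("legal person", legal, LEGAL_PERSON_MDS)
    elif subject_type == "representative":
        problems += _missing("natural person", natural, NATURAL_PERSON_MDS)
        problems += _missing("legal person", legal, LEGAL_PERSON_MDS)
        if not problems:
            if business_register is None:
                problems.append("representation: no business register available to validate the link")
            elif natural["unique_identifier"] not in business_register.get(legal["unique_identifier"], set()):
                problems.append("representation: natural person is not registered as a representative of the legal person")
    else:
        problems.append(f"unknown subject_type: {subject_type!r}")
    return problems


def minimise(attrs: dict, requested: set[str]) -> dict:
    """Data minimisation: release only the attributes the relying party actually requested."""
    return {name: value for name, value in attrs.items() if name in requested}


# Constructed sample data (no real persons or identifiers).
SAMPLE_NATURAL = {
    "current_first_name": "Anna",
    "current_last_name": "Example",
    "date_of_birth": "1980-01-01",
    "unique_identifier": "XX/YY/000001",
    "email": "anna@example.invalid",  # not part of the MDS
}
SAMPLE_LEGAL = {
    "official_name": "Example Ltd",
    "legal_form": "Ltd",
    "date_of_establishment": "2001-05-15",
    "seat_of_establishment": "Exampletown",
    "unique_identifier": "XX/YY/L-000042",
}
SAMPLE_REGISTER = {"XX/YY/L-000042": {"XX/YY/000001"}}


if __name__ == "__main__":
    print(validate_identity({"subject_type": "natural", "natural": SAMPLE_NATURAL}))
    print(validate_identity({"subject_type": "representative", "natural": SAMPLE_NATURAL,
                             "legal": SAMPLE_LEGAL}, SAMPLE_REGISTER))
    print(minimise(SAMPLE_NATURAL, {"current_first_name", "current_last_name", "unique_identifier"}))
```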
Cooperation Group
Study team proposal:
Creation and composition: 1 member per MS, plus observers from the Commission, the Article 29 Working Party and ENISA;
Management and governance: secretariat, chair, rules of procedure;
Operational issues: frequency/process for convening meetings; assessments in relation to the interoperability framework by adopting opinions on appropriate solutions/standards.
Peer review? No decision making (acceptance/rejection); purely consensus based.
Quality Assurance
Study team proposal:
- A short implementing act should be created that includes a technical annex that specifies the assurance levels.
- Adhere to international standards, as this is the only way of ensuring future international interoperability.
- The annex should be based on the ISO/IEC 29115 standard, and should consist of a specification that uses the three phases defined in this standard (enrolment, credential management, and entity authentication).
eID Assurance levels
The Implementing act should define 3 assurance levels on the basis of the criteria enumerated in the Regulation:
a) the procedure to prove and verify the identity of a “Person” applying for the issuance of electronic identification means;
b) the procedure for the issuance of the requested electronic identification means;
c) the authentication mechanism, in which the natural or legal person uses the electronic identification means to confirm its identity to a relying party;
d) the entity issuing electronic identification means;
e) any other body involved in the application for the issuance of the electronic ID means; and
f) the technical and security specifications of the issued electronic identification means.
In terms of the Regulation, a Person can be a natural or legal person, or a natural person representing a legal person.
eID Assurance levels
The Regulation specifies three assurance levels:
Assurance level | Definition
Low | limited degree of confidence in the claimed or asserted identity of a Person; reference to technical specifications, standards and procedures, including technical controls, the purpose of which is to decrease the risk of misuse or alteration of the identity
Substantial | substantial degree of confidence in the claimed or asserted identity of a Person; reference to technical specifications, standards and procedures, including technical controls, the purpose of which is to decrease substantially the risk of misuse or alteration of the identity
High | higher degree of confidence in the claimed or asserted identity of a Person; reference to technical specifications, standards and procedures, including technical controls, the purpose of which is to prevent misuse or alteration of the identity
eID Assurance levels
To provide the required confidence in a Person and the authentication, the implementing act should cover requirements for the following processes:
- Enrolment
- Credential management
- Authentication
and additional guidance for management and operational aspects (information security management, legal compliance, …) which affect the identification and authentication of a Person.
eID Assurance Framework (eIDAF)
[Figure: the three phases of the eIDAF within an electronic identification scheme, with Management and Organisation as a cross-cutting layer]
Enrolment phase:
• Application and initiation
• Identity proofing and identity information verification
• Record-keeping
Credential management phase:
• Credential creation
• Credential pre-processing
• Credential issuance
• Credential activation
• Credential storage
• Credential suspension, revocation, and/or destruction
• Credential renewal and/or replacement
• Record-keeping
Entity authentication phase:
• Authentication
• Record-keeping
Actors in the eIDAF:
- Registration Authority (RA)
- Credential Service Provider
- Trusted Third Party (e.g., Authentication service)
- Relying Party (e-Service provider)
- Entity (Person)
Interactions shown in the figure: entity registration and identity proofing (with the RA); electronic identification means issuance (credential + token); electronic identification in an e-service.
eID Assurance levels
To define the requirements for the different levels in the different processes, the Study team used input from:
- STORK QAA
- ISO 29115
The Study team proposal for an eIDAF was delivered to the EC mid 2014:
- Created an ISO compliant quality assurance specification while focusing on an outcome based approach
- Draws on some normative requirements to integrate STORK experience
- Filling in the identified gaps
eID Assurance levels
Comparison between eIDAF, STORK QAA and ISO/IEC 29115:
Assurance levels in Regulation | STORK-QAA | ISO 29115
Low | QAA2 | LoA2
Substantial | QAA3 | LoA3
High | QAA4 | LoA4
Supervision and trust services
Building blocks for secondary legislation
Supervision and trust services
Seven building blocks:
Trust Mark
Trusted Lists
Conformity Assessment Bodies
QTSP initiation
Yearly supervisory body activities
Due diligence and data/security breach notification
Common provisions on QTSPs
Enhanced trust model for QTSP’s/QTS’s
Recital (1) Building trust in the online environment is key to economic and social development. Lack of trust, in particular because of a perceived lack of legal certainty, makes consumers, businesses and administrations hesitate to carry out transactions electronically and to adopt new services.
Recital (2) This Regulation seeks to enhance trust in electronic transactions in the internal market by providing a common foundation for secure electronic interaction between businesses, citizens and public authorities, thereby increasing the effectiveness of public and private online services, electronic business and electronic commerce in the Union.
[Figure: QTSPs and the QTSs they provide under the eIDAS supervision model: Initiation (initial assessment by CAB), Regular assessments (at least every 24 months by CAB), Ad-hoc audits (at any time), Termination; resting on Trusted Lists, Supervision, the QTSP & QTS related eIDAS provisions, and best practices & standards]
“Building trust …” through secondary legislation
- Timed Implementing Act (I.A.) (Art. 23.3) on Trust Mark (1 July 2015)
- Timed I.A. (Art. 22.5) on Trusted Lists (18 Sep. 2015)
- Optional I.A. (Art. 20.4) on Conformity Assessment Body
- Optional I.A. (Art. 21.4) on QTSP initiation
- Optional I.A. (Art. 17.8) on Yearly SB activities
- Optional I.A. (Art. 19.4) on common provisions on TSPs
- Optional I.A. (Art. 24.5) on common provisions on QTSPs
[Same figure, with the addition of:]
- Additional I.A. on specific provisions per type of (qualified) trust service & trust service provider
“Building trust …” through secondary legislation
Considering the aim of the eIDAS Regulation at:
– Increasing confidence in and convenience of online services
– Having the market experience a real mark of trust, adopting marked TS and massively using digital applications & services
Besides the mandatory I.A., the optional I.A. foreseen in the eIDAS Regulation are believed to significantly contribute to increasing the credibility of:
– the quality and trustworthiness of QTS / QTSPs
– the truthful message of trust conveyed by
  • Trusted lists
  • EU Trust Mark for QTSs
to support achieving the eIDAS aim of enhancing the effectiveness of online services in the EU.
Summary
Mandatory:
- Trust Mark: Mandatory I.A. on track. Need for visual & textual specifications. Key service (e.g. from CEF) facilitating the verification objective of the qualified status through the corresponding trusted list.
- Trusted Lists: Mandatory I.A. on track. Leveraging on existing CD and underlying standards.
Optional:
- Conformity Assessment Bodies: Missing piece (standard): outcome based TSP audit criteria against eIDAS. Without such missing piece, an I.A. would be inappropriate & counterproductive.
- QTSP initiation: Efficient & practical guidelines & good practices documents could come first.
- Yearly supervisory body activities: Not for the sake of reporting or statistics; support improving supervision, increasing transparency, mutual assistance & trust.
- Due diligence and data/security breach notification: DD TSP obligations on an “outcome based” approach & “recognized normative” approach; BN to be aligned with other similar notifications.
- Common provisions on QTSPs: I.A. dependent on the availability of eligible standards.
Signatures/Seals/Devices:
Building blocks for secondary legislation
Building blocks for enhancing existing electronic signature and electronic seals
1. Interoperability of electronic signatures in public services
2. Reference formats of advanced electronic signatures or reference methods
3. Reference numbers of standards for qualified electronic signature creation devices
4. Standards for the security assessment of information technology products – Qualified electronic Signature Creation Devices
5. Specific criteria to be met by the designated bodies
eTime stamp, registered delivery services and website authentication
Building blocks for secondary legislation
Time stamps
Different applications of time stamps may have different requirements. The set of standards referenced in the implementing act should support a broad spectrum of requirements, so that the actual needs of the different applications are satisfied without excessive burden.
References to standards are needed to bind the date and time to data, covering:
• the data sent to the time stamp provider (in practice a hash of the data, not the data itself);
• the date/time indication included in the time stamp.
Existing technical specifications could be used, e.g. TS 102 023, TS 101 861 and CEN/ISSS CWA 14167-2:2004.
These technical specifications are currently being revised under the EC standardisation mandate M/460.
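The binding that the referenced standards specify, shown as an added example in Python that is not part of the slide deck or of any of the cited ETSI/CEN documents. The client sends only a hash of the data to the time stamp provider (the model of RFC 3161, on which TS 101 861 is based), the provider binds that hash to a date/time and signs the binding, and a verifier later re-hashes the data and checks the token. A real time-stamping authority (TSA) signs with an asymmetric key inside a CMS SignedData structure; an HMAC under a key that only the TSA holds stands in for that signature here so the example runs with the standard library. The field names, the sample data and the key are assumptions made for this illustration.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed example: the data flow of a time-stamp token.
# Simplification: an HMAC under a TSA-held key stands in for the TSA's
# asymmetric signature; field names are assumed, not taken from a standard.

TSA_KEY = secrets.token_bytes(32)  # assumed TSA-held signing key (stand-in)


def make_request(data: bytes, hash_alg: str = "sha256") -> dict:
    """Client side: hash the data; the data itself is never sent to the TSA."""
    digest = hashlib.new(hash_alg, data).hexdigest()
    return {"hash_alg": hash_alg,
            "message_imprint": digest,
            "nonce": secrets.token_hex(8)}  # lets the client match the reply


def issue_token(request: dict, tsa_key: bytes = TSA_KEY,
                now: Optional[int] = None) -> dict:
    """TSA side: bind the received imprint to the current time and sign the binding."""
    tst_info = {"hash_alg": request["hash_alg"],
                "message_imprint": request["message_imprint"],
                "nonce": request["nonce"],
                "gen_time": int(time.time()) if now is None else now,
                "serial": secrets.token_hex(8)}
    # Canonical serialisation so verifier and TSA sign/verify identical bytes.
    signed = json.dumps(tst_info, sort_keys=True).encode()
    return {"tst_info": tst_info,
            "signature": hmac.new(tsa_key, signed, "sha256").hexdigest()}


def verify_token(data: bytes, token: dict, request: dict,
                 tsa_key: bytes = TSA_KEY) -> bool:
    """Verifier: recompute the imprint from the data and check the TSA binding."""
    info = token["tst_info"]
    signed = json.dumps(info, sort_keys=True).encode()
    expected = hmac.new(tsa_key, signed, "sha256").hexdigest()
    if not hmac.compare_digest(expected, token["signature"]):
        return False  # binding not made by the TSA, or token fields altered
    if info["nonce"] != request["nonce"]:
        return False  # token answers a different request (replayed token)
    digest = hashlib.new(info["hash_alg"], data).hexdigest()
    return hmac.compare_digest(digest, info["message_imprint"])


if __name__ == "__main__":
    doc = b"constructed sample contract text"
    req = make_request(doc)
    tok = issue_token(req)
    print(verify_token(doc, tok, req))         # True
    print(verify_token(doc + b"x", tok, req))  # False: data changed after stamping
```

The two checks in `verify_token` correspond to the two items above: the hash binds the token to the data without disclosing the data to the provider, and the signed `gen_time` is what makes the date/time indication trustworthy rather than a client-asserted value.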
Registered Electronic Mail
As e-registered delivery is, and remains, open to innovation, any future scenario should:
• establish a mechanism that allows European standardisation organisations and international standardisation bodies, as defined in Regulation (EU) No 1025/2012, to submit a proposal for an e-registered delivery standard to be referenced by the European Commission;
• mandate a transparent review of the proposed standard, checking that it does not lack any of the properties required by Regulation (EU) No 1025/2012, in particular:
  - a transparent standardisation process;
  - an open standardisation process, accessible to everybody, either through membership of the standardisation committee or through a national standardisation body;
  - a standard publicly available to everybody (free or upon payment).
Communication and Awareness
Communication Strategy Plan
• Communication strategy: scope
• The business vision
• Branding and public awareness
• Communication messages
• Stakeholders: segmentation and analysis
Communication Tools
• Public awareness campaigns
• Printed/online promotional and information material
• Publicity events and activities
• Media relations and social media
Evaluation and Monitoring
• Variables to be monitored
• Indicators of successful campaigns
Technical assistance
• Strategic advice on international trade law aspects
• Technical assistance on website certificates
• Comments and suggestions relating to the prioritisation of the secondary legislation
• Ad-hoc questions relating to technical issues
• Strategic advice on Levels of Assurance
Conclusions
Legal acceptance of eSignatures in the world
6/24/2015
Copyright DLA Piper
eSignature laws
Flexible approach towards the use of electronic signatures for legal transactions
No specific technical requirements are mandated when electronic signatures are used for standard legal transactions. Still, for specific transactions and specific sectors, additional technical criteria may be required.
Less flexible approach towards the use of electronic signatures for legal transactions
For standard legal transactions no additional technical criteria are required, but the use of a specific electronic signature technology is often promoted by law (e.g. by introducing a presumption of conformity for that technology).
Stringent approach towards the use of electronic signatures for legal transactions
Technology-specific requirements must be taken into account when electronic signatures are used for standard legal transactions.
Flexibility of eSignature legislation
Case law?
• Plenty of cases on the enforceability of electronic signatures/contracts
• Move towards the trustworthiness of the technology used
• Fewer cases on qualified electronic signatures
Estonia: A lawyer representing a client in a dispute sent a digitally signed document (meeting the requirements of the Estonian electronic signature legislation) to court by e-mail. The Tallinn Administrative City Court claimed that it was not able to read the document and therefore rejected it.
The case was taken to the Tallinn Administrative District Court, which ruled on 12 June 2003 that qualified signatures are equivalent to handwritten ones in Estonia and that the lower court should therefore not have claimed it could not use the document. The district court declared that documents can be sent to court by e-mail if they carry a valid qualified e-signature: "The reception of a digitally signed document was not obstructed by the lack of appropriate software - it was and still is possible to immediately install such software at courts when necessary."
Case law
Finland: The Finnish Supreme Administrative Court (23 December 2005) held that a county government could not require that the conclusion of an electronic service contract, used by a real estate broker with its customers, be secured with a qualified certificate or other similar means under best-practice requirements, since the use of a qualified certificate or other such advanced verification mechanism was not required by the letter of the law.
The county government had no right to impose additional form requirements, such as a qualified certificate, on the real estate broker, as the law does not prescribe the form of such contracts. The law does require that the terms of the broker's assignment be provided in a manner that cannot be changed unilaterally.
Case law
Germany: In three similar cases (OLG Köln, 19 U 16/02; LG Konstanz, 2 O 141/01 A; AG Erfurt, 28 C 2354/01), German courts decided that an e-mail without a qualified electronic signature has almost no binding effect under German law. According to the courts, a contract concluded by e-mail without a qualified electronic signature is not convincing evidence, in particular when the purported sender denies authorship.
The contested e-mails were all sent from the website of an access provider, where a password alone suffices to gain access to the e-mail system. The cases were dismissed because it could not be proved that the e-mails were actually sent by the purported senders. The judges did not accept the presumption that the e-mails must have been sent by the owner of the e-mail address, because almost anybody in possession of the owner's password could have sent them.
Case law
Italy: The Italian Supreme Court ruled (decision no. 11445 of 6 September 2001) that an unsigned electronic document constitutes full evidence of the facts it represents, unless proof to the contrary exists.
On 15 December 2003 the Court of Cuneo ordered a company to fulfil its obligations to another company on the basis of a claim proven with e-mail communications. The judge held that the use of authentication credentials such as a user ID and password to access the e-mail account is a valid means of adducing evidence of the origin of the message, that the e-mails had the same validity as written documents, and admitted them as trial evidence (contrast the German case law above).
Case law
United Kingdom: The case of Nilesh Mehta v J Pereira Fernandes SA [2006] concerned the nature of electronic signatures in relation to a winding-up petition. A director asked a member of staff to send an e-mail to the solicitors acting for the petitioner, proposing to adjourn the winding-up petition hearing for one week in return for a personal guarantee. The e-mail itself was not signed, but its header showed that it came from the employee's address. The proposal was accepted, but the guarantee was then not honoured.
The High Court held that the e-mail message satisfied the statutory requirement of writing, but could not be classed as a signature. The e-mail in question had been sent from the address [email protected]; previous messages between the parties had been sent from that address. There was no further reference to Mr Mehta's name in the body of the e-mail. The judge concluded that the automatic insertion of an e-mail address cannot be held to be intended as a signature.
It would appear, however, that even a typed representation of the appellant's name would have been sufficient evidence of his intention to be bound by the text of the e-mail for it to be classed as a signature.
Case law
OVERVIEW: delegated acts vs implementing acts
Role - Delegated acts: supplement and amend 'non-essential elements'. Implementing acts: provide uniform conditions for implementing EU acts.
Scope - Delegated acts: general application. Implementing acts: general or individual application.
Expert committees - Delegated acts: no (not formally). Implementing acts: yes.
Legal basis - Delegated acts: in the individual legislation + 'common understanding'. Implementing acts: horizontal EP/Council Regulation.
Scrutiny - Delegated acts: EP/Council can veto or revoke the delegation. Implementing acts: Member States can block; EP/Council scrutiny.
Broad Scope
• Electronic signatures
• Electronic identification
• Electronic seals
• Electronic time stamps
• Electronic documents
• Electronic delivery
• Web authentication services
Principles
Notified eIDs
• Notified
• Mutual recognition
• eGovernment purposes
Qualified services
• Minimum quality criteria
• Stronger supervision
• Publication of trusted lists
Legal effect
• Non-discrimination
• Equivalence (legal presumption)
Standards
• Voluntary
• Presumption of conformity
• Published in the OJ
Double scope of the Regulation
1. eID: mutual recognition of electronic identification
• eID interoperability and usability
• Notification-based system
• Aimed at supporting eGovernment
2. Electronic trust services
• Electronic signatures: interoperability and usability
• Electronic seals: interoperability and usability
• Cross-border dimension of: time stamping, electronic delivery services, electronic document admissibility, website authentication
Date of pre