Amardeo Sarma, Chairman of Trust in Digital Life association’s Board of Directors & Jörg Hladjk, Chairman of Trust in Digital Life association’s Advisory Board
On July 23, 2014, the Council of the European Union adopted a regulation on electronic identification and trust services for electronic transactions (the “Regulation”). The Regulation is an element of the European Commission’s Digital Agenda for Europe, which aims to reboot Europe’s economy and help Europe’s citizens and businesses to get the most out of digital technologies. According to the Council, the Regulation seeks to increase the effectiveness of public and private online services, electronic business and electronic commerce in the EU and to enhance trust in electronic transactions in the internal market. Mutual recognition of electronic identification and authentication is considered to be vital for a number of cross-border scenarios.
With a view to ensuring the proper functioning of the internal market while aiming at an adequate level of security of electronic identification means and trust services, the Regulation
lays down conditions for mutual recognition of electronic identification;
- sets out rules for trust services, in particular for electronic transactions; and
- creates a legal framework for electronic signatures, electronic seals and time stamps, electronic documents as well as electronic registered delivery services and certificate services for website authentication.
The Regulation only applies to electronic identification schemes that have been notified by one of the 28 EU Member States and to trust service providers established in the European Union. It includes comprehensive definitions for electronic signatures and trust services, which are important to understand for any provider offering such services. Any products or services that comply with the Regulation can circulate freely in the internal market. All processing of personal data must be carried out in accordance with the General EU Data Protection Directive.
Electronic identification, security breaches and liability
The new rules set out by the Regulation require EU Member states to recognize, under certain conditions, means of electronic identification of natural and legal persons falling under another EU Member State’s electronic identification scheme which has been notified to the European Commission. It is up to the EU Member States to choose whether they want to notify all, some or none of the electronic identification schemes used at national level to access a service provided by a public sector body online. However, these rules only cover cross-border aspects of electronic identification. Issuing means of electronic identification remains a national prerogative. Those member states wishing to do so may join the scheme for recognizing each other’s notified e-identification means as soon as the necessary implementing acts are in place. Although this is expected to take place in the second half of 2015, it may take longer to have these implementing acts in place.
In case of a security breach, where either the electronic identification scheme notified or the authentication is breached or partly compromised in a manner that affects the reliability of the cross-border authentication of that scheme, the notifying EU Member State must, without delay, suspend or revoke that cross-border authentication or the compromised parts concerned, and must inform other EU Member States and the European Commission.
Further, the Regulation introduces rules on liability. According to these rules, the party issuing the electronic identification is liable for damage caused intentionally or negligently to any natural or legal person due to a failure to comply with certain obligations of the Regulation in a cross-border transaction. In addition, the party operating the authentication procedure is liable for damage caused intentionally or negligently to any natural or legal person due to a failure to ensure the correct operation of the authentication in a cross-border transaction.
Trust services, security requirements, incident notification and audits
In addition, to a comprehensive legal framework for electronic signatures, the Regulation also introduces, for the first time, EU-wide rules concerning trust services, such as
the legal effects of electronic seals,
- the legal effects of and requirements for electronic time stamps and electronic registered delivery services,
- the requirements for website authentication and the legal effects for electronic documents.
The Regulation includes strict rules on security requirements. Trust service providers will be required to implement organizational and security measures that are appropriate for the level of risk presented by their activities, in particular for the purpose of preventing and minimizing the impact of security incidents. They must also inform stakeholders about the adverse effects of such incidents. In case of any breach of security or loss of integrity that has a significant impact on the trust service provided or on the personal data maintained therein, trust service providers are obliged to notify the relevant supervisory authority without undue delay, but in any event within 24 hours after becoming aware of the incident. In case of adverse effects on a natural or legal person to whom the trusted service has been provided, these parties must also be informed about the breach.
Further, trust services providers must be audited at their own expense at least every 24 months by a conformity assessment body for compliance with the Regulation. Trust services providers may also be able to use an EU trust mark, the specifications of which will be further defined by implementing acts to be adopted by July 1, 2015.
The Regulation will come into full force in July 2016.