Supervision and accreditation of CSPs within the EU legal framework
Ulrich Latzenhofer
Forum of European Supervisory Authorities for Electronic Signatures (FESA)
2009-12-08

Outline
- Terminology
- eSignature Directive
- Supervision vs. accreditation
- FESA

Terminology

eSignature
- Definition from European eSignature Directive
  - Data in electronic form
  - Attached to or logically associated with other electronic data
  - Serving as a method of authentication
- Simple examples
  - Scanned signature attached to electronic document
  - Transaction authentication number as used by online banking services

Advanced eSignature
- Criteria from European eSignature Directive
  - Uniquely linked to signatory
  - Capable of identifying signatory
  - Created using means under sole control of signatory
  - Subsequent changes of signed data detectable
- Non-binding interpretation by FESA
- Example: Digital signature based on public-key cryptography

Secure signature creation device (SSCD)

SSCD requirements
- Requirements from European eSignature Directive
  - Uniqueness and secrecy of signature creation data
  - Protection against illegitimate use and forgery
  - Possible presentation, no alteration of data to be signed
- Conformity with requirements
  - To be assessed by body referred to in Directive, Article 3(4)
  - Presumed for SSCDs meeting “generally recognised standards” (CWA 14169)

Qualified certificate (QC)
- Link between natural person and signature verification data
- Confirmed by trusted third party
- Policy identifier for QC with SSCD

QC: Content requirements
- QC statement
- Identification of certification service provider (CSP) and State of establishment
- Name of the signatory or pseudonym
- Signature verification data
- Period of validity
- Identity code of certificate
- Advanced eSignature of CSP

QC: Requirements for CSP
- Directory and revocation services
- Verification of identity
- Reliability and qualifications of personnel
- Trustworthy systems
- Financial resources
- Records
- Information for signatories

Qualified eSignature
- Criteria from European eSignature Directive
  - Advanced eSignature
  - Based on QC
  - Created by SSCD
- Legal equivalence with handwritten signature (provided that electronic form is admissible)

Types of eSignature
[Diagram labels: eSignatures; Advanced eSignatures; Based on QC; Created by SSCD; Qualified]

eSignature Directive

Important provisions
- Market access
- Internal market principles
- Legal effects of eSignatures
- Liability of CSPs
- International aspects
- Data protection

Market access
- No prior authorisation for certification services
- Voluntary accreditation schemes possible on EU Member State level
- CSPs issuing QCs to be supervised by EU Member States
- Conformity of SSCDs to be assessed by designated bodies
- Criteria for additional public sector requirements

Internal market principles
- Home state regulation
- National provisions to be applied only to CSPs established on that nation’s territory
- No restriction of certification services originating in another Member State
- Free circulation of eSignature products complying with eSignature Directive

Legal effects of eSignatures
- Qualified eSignatures
  - Legal equivalence with handwritten signatures
  - Admissibility as evidence in legal proceedings
- Other eSignatures
  - Legal effectiveness and admissibility as evidence not to be denied solely due to “quality level”

Liability of CSPs
- For damage to party relying on QC
  - Accuracy of information contained in QC
  - Corresponding signature creation data held by signatory
  - Complementarity of signature creation data and signature verification data
  - Revocation of QC
- Possible limitations
  - Use of QC
  - Value of transactions

International aspects
- Recognition of QC from third country
  - CSP accredited in EU Member State or
  - QC guaranteed by CSP established within European Community or
  - Recognition under agreement between European Community and third country or international organisation
- Proposals and mandates of European Commission

Data protection
- Compliance with Data Protection Directive
  - CSPs
  - Bodies responsible for supervision and accreditation
- Collection of personal data
  - Only from data subject or with consent of data subject
  - Only as far as necessary for purpose of certification service
- Pseudonyms not to be prevented

Supervision vs. accreditation

Types of CSPs to be supervised
- CSPs issuing QCs to the public
- Other CSPs if required by national law
  - Non-qualified certificates
  - Directory and revocation
  - Time-stamping
  - eSignature verification
- Closed systems exempted

Supervision modality determined by national law
- Supervision system (e.g., public or private sector)
- Obligations of bodies involved with supervision
- Scope of supervision
- Directory of CSPs
- Obligations of CSPs to support supervision
- Supervisory measures and enforcement

Bodies typically involved with supervision
- Supervisory authority and its office
- Designated bodies
- Bodies recognised under Common Criteria Recognition Arrangement (CCRA)
  - Certification/Validation Bodies
  - Evaluation Facilities
- Independent experts
- Other administrative authorities and courts