Annotated Legal Text - COM/2021/281 (eIDAS v2)
This is the original legal text merged with the proposed amendments and further provided with the following:
- Cross-references are converted into links and marked purple
- Term definitions are converted into links, are abbreviated and marked blue
- Next to each article/paragraph incoming references are listed
- A table of contents is added
This document may contain mistakes. No rights can be derived from this document.
If you have any feedback, feel free to contact me at Tim.Speelman@MinBZK.nl
REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Economic and Social Committee[1],
Acting in accordance with the ordinary legislative procedure,
1. The Commission Communication of 19 February 2020, entitled Shaping Europe's Digital Future[2], announces a revision of Regulation (EU) No 910/2014 of the European Parliament and of the Council with the aim of improving its effectiveness, extending its benefits to the private sector and promoting trusted digital identities for all Europeans.
2. In its conclusions of 1-2 October 2020[3], the European Council called on the Commission to propose the development of a Union-wide framework for secure public electronic identification, including interoperable digital signatures, to provide people with control over their online identity and data as well as to enable access to public, private and cross-border digital services.
3. The Commission Communication of 9 March 2021 entitled 2030 Digital Compass: the European way for the Digital Decade[4] sets the objective of a Union framework which, by 2030, leads to wide deployment of a trusted, user-controlled identity, allowing each user to control their own online interactions and presence.
4. A more harmonised approach to digital identification should reduce the risks and costs of the current fragmentation due to the use of divergent national solutions and will strengthen the Single Market by allowing citizens, other residents as defined by national law and businesses to identify online in a convenient and uniform way across the Union. Everyone should be able to securely access public and private services relying on an improved ecosystem for trust services and on verified proofs of identity and attestations of attributes, such as a university degree legally recognised and accepted everywhere in the Union. The framework for a European Digital Identity aims to achieve a shift from the reliance on national digital identity solutions only, to the provision of electronic attestations of attributes valid at European level. Providers of electronic attestations of attributes should benefit from a clear and uniform set of rules and public administrations should be able to rely on electronic documents in a given format.
5. To support the competitiveness of European businesses, online service providers should be able to rely on digital identity solutions recognised across the Union, irrespective of the Member State in which they have been issued, thus benefiting from a harmonised European approach to trust, security and interoperability. Users and service providers alike should be able to benefit from the same legal value provided to electronic attestations of attributes across the Union.
6. Regulation (EU) No 2016/679[5] applies to the processing of personal data in the implementation of this Regulation. Therefore, this Regulation should lay down specific safeguards to prevent providers of electronic identification means and electronic attestation of attributes from combining personal data from other services with the personal data relating to the services falling within the scope of this Regulation.
7. It is necessary to set out the harmonised conditions for the establishment of a framework for European Digital Identity Wallets to be issued by Member States, which should empower all Union citizens and other residents as defined by national law to share securely data related to their identity in a user-friendly and convenient way under the sole control of the user. Technologies used to achieve those objectives should be developed aiming towards the highest level of security, user convenience and wide usability. Member States should ensure equal access to digital identification to all their nationals and residents.
8. In order to ensure compliance with Union law or national law compliant with Union law, service providers should communicate their intent to rely on the European Digital Identity Wallets to Member States. That will allow Member States to protect users from fraud and prevent the unlawful use of identity data and electronic attestations of attributes as well as to ensure that the processing of sensitive data, like health data, can be verified by relying parties in accordance with Union law or national law.
9. All European Digital Identity Wallets should allow users to electronically identify and authenticate online and offline across borders for accessing a wide range of public and private services. Without prejudice to Member States' prerogatives as regards the identification of their nationals and residents, Wallets can also serve the institutional needs of public administrations, international organisations and the Union's institutions, bodies, offices and agencies. Offline use would be important in many sectors, including in the health sector where services are often provided through face-to-face interaction and ePrescriptions should be able to rely on QR-codes or similar technologies to verify authenticity. Relying on the level of assurance high, the European Digital Identity Wallets should benefit from the potential offered by tamper-proof solutions such as secure elements, to comply with the security requirements under this Regulation. The European Digital Identity Wallets should also allow users to create and use qualified electronic signatures and seals which are accepted across the EU. To achieve simplification and cost reduction benefits to persons and businesses across the EU, including by enabling powers of representation and e-mandates, Member States should issue European Digital Identity Wallets relying on common standards to ensure seamless interoperability and a high level of security. Only Member States' competent authorities can provide a high degree of confidence in establishing the identity of a person and therefore provide assurance that the person claiming or asserting a particular identity is in fact the person he or she claims to be. It is therefore necessary that the European Digital Identity Wallets rely on the legal identity of citizens, other residents or legal entities. Trust in the European Digital Identity Wallets would be enhanced by the fact that issuing parties are required to implement appropriate technical and organisational measures to ensure a level of security commensurate to the risks raised for the rights and freedoms of the natural persons, in line with Regulation (EU) 2016/679.
10. In order to achieve a high level of security and trustworthiness, this Regulation establishes the requirements for European Digital Identity Wallets. The conformity of European Digital Identity Wallets with those requirements should be certified by accredited public or private sector bodies designated by Member States. Relying on a certification scheme based on the availability of commonly agreed standards with Member States should ensure a high level of trust and interoperability. Certification should in particular rely on the relevant European cybersecurity certification schemes established pursuant to Regulation (EU) 2019/881[6]. Such certification should be without prejudice to certification as regards personal data processing pursuant to Regulation (EC) 2016/679.
11. European Digital Identity Wallets should ensure the highest level of security for the personal data used for authentication irrespective of whether such data is stored locally or on cloud-based solutions, taking into account the different levels of risk. Using biometrics to authenticate is one of the identification methods providing a high level of confidence, in particular when used in combination with other elements of authentication. Since biometrics represents a unique characteristic of a person, the use of biometrics requires organisational and security measures, commensurate to the risk that such processing may entail to the rights and freedoms of natural persons and in accordance with Regulation 2016/679.
12. To ensure that the European Digital Identity framework is open to innovation, technological development and future-proof, Member States should be encouraged to set up jointly sandboxes to test innovative solutions in a controlled and secure environment, in particular to improve the functionality, protection of personal data, security and interoperability of the solutions and to inform future updates of technical references and legal requirements. This environment should foster the inclusion of European Small and Medium Enterprises, start-ups and individual innovators and researchers.
13. Regulation (EU) No 2019/1157[7] strengthens the security of identity cards with enhanced security features by August 2021. Member States should consider the feasibility of notifying them under electronic identification schemes to extend the cross-border availability of electronic identification means.
14. The process of notification of electronic identification schemes should be simplified and accelerated to promote the access to convenient, trusted, secure and innovative authentication and identification solutions and, where relevant, to encourage private identity providers to offer electronic identification schemes to Member States' authorities for notification as national electronic identity card schemes under Regulation 910/2014.
15. Streamlining of the current notification and peer-review procedures will prevent heterogeneous approaches to the assessment of various notified electronic identification schemes and facilitate trust-building between Member States. New, simplified mechanisms should foster Member States' cooperation on the security and interoperability of their notified electronic identification schemes.
16. Member States should benefit from new, flexible tools to ensure compliance with the requirements of this Regulation and of the relevant implementing acts. This Regulation should allow Member States to use reports and assessments performed by accredited conformity assessment bodies or voluntary ICT security certification schemes, such as certification schemes to be established at Union level under Regulation (EU) 2019/881, to support their claims on the alignment of the schemes or of parts thereof with the requirements of the Regulation on the interoperability and the security of the notified electronic identification schemes.
17. Service providers use the identity data provided by the set of person identification data available from electronic identification schemes pursuant to Regulation (EU) No 910/2014 in order to match users from another Member State with the legal identity of that user. However, despite the use of the eIDAS data set, in many cases ensuring an accurate match requires additional information about the user and specific unique identification procedures at national level. To further support the usability of electronic identification means, this Regulation should require Member States to take specific measures to ensure a correct identity match in the process of electronic identification. For the same purpose, this Regulation should also extend the mandatory minimum data set and require the use of a unique and persistent electronic identifier in conformity with Union law in those cases where it is necessary to legally identify the user upon his/her request in a unique and persistent way.
18. In line with Directive (EU) 2019/882[8], persons with disabilities should be able to use the European Digital Identity Wallets, trust services and end-user products used in the provision of those services on an equal basis with other users.
19. This Regulation should not cover aspects related to the conclusion and validity of contracts or other legal obligations where there are requirements as regards form laid down by national or Union law. In addition, it should not affect national form requirements pertaining to public registers, in particular commercial and land registers.
20. The provision and use of trust services are becoming increasingly important for international trade and cooperation. International partners of the EU are establishing trust frameworks inspired by Regulation (EU) No 910/2014. Therefore, in order to facilitate the recognition of such services and their providers, implementing legislation may set the conditions under which trust frameworks of third countries could be considered equivalent to the trust framework for qualified trust services and providers in this Regulation, as a complement to the possibility of the mutual recognition of trust services and providers established in the Union and in third countries in accordance with Article 218 of the Treaty.
21. This Regulation should build on Union acts ensuring contestable and fair markets in the digital sector. In particular, it builds on the Regulation XXX/XXXX [Digital Markets Act], which introduces rules for providers of core platform services designated as gatekeepers and, among others, prohibits gatekeepers from requiring business users to use, offer or interoperate with an identification service of the gatekeeper in the context of services offered by the business users using the core platform services of that gatekeeper. Article 6(1)(f) of the Regulation XXX/XXXX [Digital Markets Act] requires gatekeepers to allow business users and providers of ancillary services access to and interoperability with the same operating system, hardware or software features that are available or used in the provision by the gatekeeper of any ancillary services. According to Article 2(15) of [Digital Markets Act], identification services constitute a type of ancillary services. Business users and providers of ancillary services should therefore be able to access such hardware or software features, such as secure elements in smartphones, and to interoperate with them through the European Digital Identity Wallets or Member States' notified electronic identification means.
22. In order to streamline the cybersecurity obligations imposed on trust service providers, as well as to enable these providers and their respective competent authorities to benefit from the legal framework established by Directive XXXX/XXXX (NIS2 Directive), trust services are required to take appropriate technical and organisational measures pursuant to Directive XXXX/XXXX (NIS2 Directive), such as measures addressing system failures, human error, malicious actions or natural phenomena in order to manage the risks posed to the security of network and information systems which those providers use in the provision of their services as well as to notify significant incidents and cyber threats in accordance with Directive XXXX/XXXX (NIS2 Directive). With regard to the reporting of incidents, trust service providers should notify any incidents having a significant impact on the provision of their services, including such caused by theft or loss of devices, network cable damages or incidents occurring in the context of identification of persons. The cybersecurity risk management requirements and reporting obligations under Directive XXXXXX [NIS2] should be considered complementary to the requirements imposed on trust service providers under this Regulation. Where appropriate, established national practices or guidance in relation to the implementation of security and reporting requirements and supervision of compliance with such requirements under Regulation (EU) No 910/2014 should continue to be applied by the competent authorities designated under Directive XXXX/XXXX (NIS2 Directive). Any requirements pursuant to this Regulation do not affect the obligation to notify personal data breaches under Regulation (EU) 2016/679.
23. Due consideration should be given to ensuring effective cooperation between the NIS and eIDAS authorities. In cases where the supervisory body under this Regulation is different from the competent authorities designated under Directive XXXX/XXXX [NIS2], those authorities should cooperate closely and in a timely manner by exchanging the relevant information in order to ensure effective supervision and compliance of trust service providers with the requirements set out in this Regulation and Directive XXXX/XXXX [NIS2]. In particular, the supervisory bodies under this Regulation should be entitled to request the competent authority under Directive XXXXX/XXXX [NIS2] to provide the relevant information needed to grant the qualified status and to carry out supervisory actions to verify compliance of the trust service providers with the relevant requirements under NIS2 or require them to remedy non-compliance.
24. It is essential to provide for a legal framework to facilitate cross-border recognition between existing national legal systems related to electronic registered delivery services. That framework could also open new market opportunities for Union trust service providers to offer new pan-European electronic registered delivery services and ensure that the recipients are identified with a higher level of confidence than the sender.
25. In most cases, citizens and other residents cannot digitally exchange, across borders, information related to their identity, such as addresses, age and professional qualifications, driving licences and other permits and payment data, securely and with a high level of data protection.
26. It should be possible to issue and handle trustworthy digital attributes and contribute to reducing administrative burden, empowering citizens and other residents to use them in their private and public transactions. Citizens and other residents should be able, for instance, to demonstrate ownership of a valid driving licence issued by an authority in one Member State, which can be verified and relied upon by the relevant authorities in other Member States, to rely on their social security credentials or on future digital travel documents in a cross-border context.
27. Any entity that collects, creates and issues attested attributes such as diplomas, licences, certificates of birth should be able to become a provider of electronic attestation of attributes. Relying parties should use the electronic attestations of attributes as equivalent to attestations in paper format. Therefore, an electronic attestation of attributes should not be denied legal effect on the grounds that it is in an electronic form or that it does not meet the requirements of the qualified electronic attestation of attributes. To that effect, general requirements should be laid down to ensure that a qualified electronic attestation of attributes has the equivalent legal effect of lawfully issued attestations in paper form. However, those requirements should apply without prejudice to Union or national law defining additional sector-specific requirements as regards form with underlying legal effects and, in particular, the cross-border recognition of qualified electronic attestation of attributes, where appropriate.
28. Wide availability and usability of the European Digital Identity Wallets require their acceptance by private service providers. Private relying parties providing services in the areas of transport, energy, banking and financial services, social security, health, drinking water, postal services, digital infrastructure, education or telecommunications should accept the use of European Digital Identity Wallets for the provision of services where strong user authentication for online identification is required by national or Union law or by contractual obligation. Where very large online platforms as defined in Article 25.1. of Regulation [reference DSA Regulation] require users to authenticate to access online services, those platforms should be mandated to accept the use of European Digital Identity Wallets upon voluntary request of the user. Users should be under no obligation to use the wallet to access private services, but if they wish to do so, large online platforms should accept the European Digital Identity Wallet for this purpose while respecting the principle of data minimisation. Given the importance of very large online platforms, due to their reach, in particular as expressed in number of recipients of the service and economic transactions, this is necessary to increase the protection of users from fraud and secure a high level of data protection. Self-regulatory codes of conduct at Union level (codes of conduct) should be developed in order to contribute to wide availability and usability of electronic identification means including European Digital Identity Wallets within the scope of this Regulation. The codes of conduct should facilitate wide acceptance of electronic identification means including European Digital Identity Wallets by those service providers which do not qualify as very large platforms and which rely on third-party electronic identification services for user authentication. They should be developed within 12 months of the adoption of this Regulation. The Commission should assess the effectiveness of these provisions for the availability and usability for the user of the European Digital Identity Wallets after 18 months of their deployment and revise the provisions to ensure their acceptance by means of delegated acts in the light of this assessment.
29. The European Digital Identity Wallet should technically enable the selective disclosure of attributes to relying parties. This feature should become a basic design feature, thereby reinforcing convenience and personal data protection, including minimisation of processing of personal data.
30. Attributes provided by the qualified trust service providers as part of the qualified attestation of attributes should be verified against the authentic sources either directly by the qualified trust service provider or via designated intermediaries recognised at national level in accordance with national or Union law for the purpose of secure exchange of attested attributes between identity or attestation of attributes service providers and relying parties.
31. Secure electronic identification and the provision of attestation of attributes should offer additional flexibility and solutions for the financial services sector to allow identification of customers and the exchange of specific attributes necessary to comply with, for example, customer due diligence requirements under the Anti Money Laundering Regulation, [reference to be added after the adoption of the proposal], with suitability requirements stemming from investor protection legislation, or to support the fulfilment of strong customer authentication requirements for account login and initiation of transactions in the field of payment services.
32. Website authentication services provide users with assurance that there is a genuine and legitimate entity standing behind the website. Those services contribute to the building of trust and confidence in conducting business online, as users will have confidence in a website that has been authenticated. The use of website authentication services by websites is voluntary. However, in order for website authentication to become a means to increasing trust, providing a better experience for the user and furthering growth in the internal market, this Regulation lays down minimal security and liability obligations for the providers of website authentication services and their services. To that end, web browsers should ensure support and interoperability with Qualified certificates for website authentication pursuant to Regulation (EU) No 910/2014. They should recognise and display Qualified certificates for website authentication to provide a high level of assurance, allowing website owners to assert their identity as owners of a website and users to identify the website owners with a high degree of certainty. To further promote their usage, public authorities in Member States should consider incorporating Qualified certificates for website authentication in their websites.
33. Many Member States have introduced national requirements for services providing secure and trustworthy digital archiving in order to allow for the long-term preservation of electronic documents and associated trust services. To ensure legal certainty and trust, it is essential to provide a legal framework to facilitate the cross-border recognition of qualified electronic archiving services. That framework could also open new market opportunities for Union trust service providers.
34. Qualified electronic ledgers record data in a manner that ensures the uniqueness, authenticity and correct sequencing of data entries in a tamper-proof manner. An electronic ledger combines the effect of time stamping of data with certainty about the data originator similar to e-signing and has the additional benefit of enabling more decentralised governance models that are suitable for multi-party co-operations. For example, it creates a reliable audit trail for the provenance of commodities in cross-border trade, supports the protection of intellectual property rights, enables flexibility markets in electricity, provides the basis for advanced solutions for self-sovereign identity and supports more efficient and transformative public services. To prevent fragmentation of the internal market, it is important to define a pan-European legal framework that allows for the cross-border recognition of trust services for the recording of data in electronic ledgers.
35. The certification as qualified trust service providers should provide legal certainty for use cases that build on electronic ledgers. This trust service for electronic ledgers and qualified electronic ledgers and the certification as qualified trust service provider for electronic ledgers should be notwithstanding the need for use cases to comply with Union law or national law in compliance with Union law. Use cases that involve the processing of personal data must comply with Regulation (EU) 2016/679. Use cases that involve crypto assets should be compatible with all applicable financial rules, for example with the Markets in Financial Instruments Directive[9], the Payment Services Directive[10] and the future Markets in Crypto Assets Regulation[11].
36. In order to avoid fragmentation and barriers, due to diverging standards and technical restrictions, and to ensure a coordinated process to avoid endangering the implementation of the future European Digital Identity framework, a process for close and structured cooperation between the Commission, Member States and the private sector is needed. To achieve this objective, Member States should cooperate within the framework set out in the Commission Recommendation XXX/XXXX [Toolbox for a coordinated approach towards a European Digital Identity Framework][12] to identify a Toolbox for a European Digital Identity framework. The Toolbox should include a comprehensive technical architecture and reference framework, a set of common standards and technical references and a set of guidelines and descriptions of best practices covering at least all aspects of the functionalities and interoperability of the European Digital Identity Wallets including eSignatures and of the qualified trust service for attestation of attributes as laid out in this Regulation. In this context, Member States should also reach agreement on common elements of a business model and fee structure of the European Digital Identity Wallets, to facilitate take-up, in particular by small and medium-sized companies in a cross-border context. The content of the Toolbox should evolve in parallel with and reflect the outcome of the discussion and process of adoption of the European Digital Identity Framework.
37. The European Data Protection Supervisor has been consulted pursuant to Article 42(1) of Regulation (EU) 2018/1525 of the European Parliament and of the Council[13].
38. Regulation (EU) 910/2014 should therefore be amended accordingly,
1.Building
trust in the online environment is key to economic and social
development. Lack of trust, in particular because of a perceived lack of
legal certainty, makes consumers, businesses and public authorities
hesitate to carry out transactions electronically and to adopt new
services.
2.This
Regulation seeks to enhance trust in electronic transactions in the
internal market by providing a common foundation for secure electronic
interaction between citizens, businesses and public authorities, thereby
increasing the effectiveness of public and private online services,
electronic business and electronic commerce in the Union.
3.Directive 1999/93/EC of the European Parliament
and of the Council (3), dealt with electronic signatures
without delivering a comprehensive cross-border and cross-sector
framework for secure, trustworthy and easy-to-use electronic
transactions. This Regulation enhances and expands the acquis of that
Directive.
4.The Commission
communication of 26 August 2010 entitled A Digital Agenda for Europe
identified the fragmentation of the digital market, the lack of
interoperability and the rise in cybercrime as major obstacles to the
virtuous cycle of the digital economy. In its EU Citizenship Report
2010, entitled Dismantling the obstacles to EU citizens rights, the Commission
further highlighted the need to solve the main problems that prevent
Union citizens from enjoying the benefits of a digital single market and
cross-border digital services.
5.In its conclusions of 4 February 2011 and of 23
October 2011, the European Council invited the Commission
to create a digital single market by 2015, to make rapid progress in
key areas of the digital economy and to promote a fully integrated
digital single market by facilitating the cross-border use of online
services, with particular attention to facilitating secure electronic identification and authentication.
6.In its conclusions of 27 May 2011, the Council
invited the Commission
to contribute to the digital single market by creating appropriate
conditions for the mutual recognition of key enablers across borders,
such as electronic
identification, electronic
documents, electronic
signatures and electronic delivery services, and for interoperable e-government services across the
European Union.
7.The
European Parliament, in its resolution of 21 September 2010 on
completing the internal market for e-commerce (4), stressed the
importance of the security of electronic services, especially of electronic signatures, and of the need to
create a public key infrastructure at pan-European level, and called on the Commission to set up a European validation authorities gateway to
ensure the cross-border interoperability of electronic signatures and to increase the security of transactions carried out
using the internet.
8. Directive 2006/123/EC of the European Parliament and of the Council (5) requires Member States to establish points of single contact (PSCs) to ensure that all procedures and formalities relating to access to a service activity and to the exercise thereof can be easily completed, at a distance and by electronic means, through the appropriate PSC with the appropriate authorities. Many online services accessible through PSCs require electronic identification, authentication and signature.
9. In most cases, citizens cannot use their electronic identification to authenticate themselves in another Member State because the national electronic identification schemes in their country are not recognised in other Member States. That electronic barrier excludes service providers from enjoying the full benefits of the internal market. Mutually recognised electronic identification means will facilitate cross-border provision of numerous services in the internal market and enable businesses to operate on a cross-border basis without facing many obstacles in interactions with public authorities.
10. Directive 2011/24/EU of the European Parliament and of the Council (6) set up a network of national authorities responsible for e-health. To enhance the safety and the continuity of cross-border healthcare, the network is required to produce guidelines on cross-border access to electronic health data and services, including by supporting common identification and authentication measures to facilitate transferability of data in cross-border healthcare. Mutual recognition of electronic identification and authentication is key to making cross-border healthcare for European citizens a reality. When people travel for treatment, their medical data need to be accessible in the country of treatment. That requires a solid, safe and trusted electronic identification framework.
11. This Regulation should be applied in full compliance with the principles relating to the protection of personal data provided for in Directive 95/46/EC of the European Parliament and of the Council (7). In this respect, having regard to the principle of mutual recognition established by this Regulation, authentication for an online service should concern processing of only those identification data that are adequate, relevant and not excessive to grant access to that service online. Furthermore, requirements under Directive 95/46/EC concerning confidentiality and security of processing should be respected by trust service providers and supervisory bodies.
12. One of the objectives of this Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States to authenticate, for at least public services. This Regulation does not aim to intervene with regard to electronic identity management systems and related infrastructures established in Member States. The aim of this Regulation is to ensure that for access to cross-border online services offered by Member States, secure electronic identification and authentication is possible.
13. Member States should remain free to use or to introduce means for the purposes of electronic identification for accessing online services. They should also be able to decide whether to involve the private sector in the provision of those means. Member States should not be obliged to notify their electronic identification schemes to the Commission. The choice to notify the Commission of all, some or none of the electronic identification schemes used at national level to access at least public online services or specific services is up to Member States.
14. Some conditions need to be set out in this Regulation with regard to which electronic identification means have to be recognised and how the electronic identification schemes should be notified. Those conditions should help Member States to build the necessary trust in each other's electronic identification schemes and to mutually recognise electronic identification means falling under their notified schemes. The principle of mutual recognition should apply if the notifying Member State's electronic identification scheme meets the conditions of notification and the notification was published in the Official Journal of the European Union. However, the principle of mutual recognition should only relate to authentication for an online service. The access to those online services and their final delivery to the applicant should be closely linked to the right to receive such services under the conditions set out in national legislation.
15. The obligation to recognise electronic identification means should relate only to those means the identity assurance level of which corresponds to the level equal to or higher than the level required for the online service in question. In addition, that obligation should only apply when the public sector body in question uses the assurance level substantial or high in relation to accessing that service online. Member States should remain free, in accordance with Union law, to recognise electronic identification means having lower identity assurance levels.
16. Assurance levels should characterise the degree of confidence in electronic identification means in establishing the identity of a person, thus providing assurance that the person claiming a particular identity is in fact the person to which that identity was assigned. The assurance level depends on the degree of confidence that electronic identification means provides in claimed or asserted identity of a person taking into account processes (for example, identity proofing and verification, and authentication), management activities (for example, the entity issuing electronic identification means and the procedure to issue such means) and technical controls implemented. Various technical definitions and descriptions of assurance levels exist as the result of Union-funded Large-Scale Pilots, standardisation and international activities. In particular, the Large-Scale Pilot STORK and ISO 29115 refer, inter alia, to levels 2, 3 and 4, which should be taken into utmost account in establishing minimum technical requirements, standards and procedures for the assurance levels low, substantial and high within the meaning of this Regulation, while ensuring consistent application of this Regulation in particular with regard to assurance level high related to identity proofing for issuing qualified certificates. The requirements established should be technology-neutral. It should be possible to achieve the necessary security requirements through different technologies.
17. Member States should encourage the private sector to voluntarily use electronic identification means under a notified scheme for identification purposes when needed for online services or electronic transactions. The possibility to use such electronic identification means would enable the private sector to rely on electronic identification and authentication already largely used in many Member States at least for public services and to make it easier for businesses and citizens to access their online services across borders. In order to facilitate the use of such electronic identification means across borders by the private sector, the authentication possibility provided by any Member State should be available to private sector relying parties established outside of the territory of that Member State under the same conditions as applied to private sector relying parties established within that Member State. Consequently, with regard to private sector relying parties, the notifying Member State may define terms of access to the authentication means. Such terms of access may inform whether the authentication means related to the notified scheme is presently available to private sector relying parties.
18. This Regulation should provide for the liability of the notifying Member State, the party issuing the electronic identification means and the party operating the authentication procedure for failure to comply with the relevant obligations under this Regulation. However, this Regulation should be applied in accordance with national rules on liability. Therefore, it does not affect those national rules on, for example, definition of damages or relevant applicable procedural rules, including the burden of proof.
19. The security of electronic identification schemes is key to trustworthy cross-border mutual recognition of electronic identification means. In this context, Member States should cooperate with regard to the security and interoperability of the electronic identification schemes at Union level. Whenever electronic identification schemes require specific hardware or software to be used by relying parties at the national level, cross-border interoperability calls for those Member States not to impose such requirements and related costs on relying parties established outside of their territory. In that case appropriate solutions should be discussed and developed within the scope of the interoperability framework. Nevertheless, technical requirements stemming from the inherent specifications of national electronic identification means and likely to affect the holders of such electronic means (e.g. smartcards) are unavoidable.
20. Cooperation by Member States should facilitate the technical interoperability of the notified electronic identification schemes with a view to fostering a high level of trust and security appropriate to the degree of risk. The exchange of information and the sharing of best practices between Member States with a view to their mutual recognition should help such cooperation.
21. This Regulation should also establish a general legal framework for the use of trust services. However, it should not create a general obligation to use them or to install an access point for all existing trust services. In particular, it should not cover the provision of services used exclusively within closed systems between a defined set of participants, which have no effect on third parties. For example, systems set up in businesses or public administrations to manage internal procedures making use of trust services should not be subject to the requirements of this Regulation. Only trust services provided to the public having effects on third parties should meet the requirements laid down in the Regulation. Neither should this Regulation cover aspects related to the conclusion and validity of contracts or other legal obligations where there are requirements as regards form laid down by national or Union law. In addition, it should not affect national form requirements pertaining to public registers, in particular commercial and land registers.
22. In order to contribute to their general cross-border use, it should be possible to use trust services as evidence in legal proceedings in all Member States. It is for the national law to define the legal effect of trust services, except if otherwise provided in this Regulation.
23. To the extent that this Regulation creates an obligation to recognise a trust service, such a trust service may only be rejected if the addressee of the obligation is unable to read or verify it due to technical reasons lying outside the immediate control of the addressee. However, that obligation should not in itself require a public body to obtain the hardware and software necessary for the technical readability of all existing trust services.
24. Member States may maintain or introduce national provisions, in conformity with Union law, relating to trust services as far as those services are not fully harmonised by this Regulation. However, trust services that comply with this Regulation should circulate freely in the internal market.
25. Member States should remain free to define other types of trust services in addition to those making part of the closed list of trust services provided for in this Regulation, for the purpose of recognition at national level as qualified trust services.
26. Because of the pace of technological change, this Regulation should adopt an approach which is open to innovation.
27. This Regulation should be technology-neutral. The legal effects it grants should be achievable by any technical means provided that the requirements of this Regulation are met.
28. To enhance in particular the trust of small and medium-sized enterprises (SMEs) and consumers in the internal market and to promote the use of trust services and products, the notions of qualified trust services and qualified trust service provider should be introduced with a view to indicating requirements and obligations that ensure high-level security of whatever qualified trust services and products are used or provided.
29. In line with the obligations under the United Nations Convention on the Rights of Persons with Disabilities, approved by Council Decision 2010/48/EC (8), in particular Article 9 of the Convention, persons with disabilities should be able to use trust services and end-user products used in the provision of those services on an equal basis with other consumers. Therefore, where feasible, trust services provided and end-user products used in the provision of those services should be made accessible for persons with disabilities. The feasibility assessment should include, inter alia, technical and economic considerations.
30. Member States should designate a supervisory body or supervisory bodies to carry out the supervisory activities under this Regulation. Member States should also be able to decide, upon a mutual agreement with another Member State, to designate a supervisory body in the territory of that other Member State.
31. Supervisory bodies should cooperate with data protection authorities, for example, by informing them about the results of audits of qualified trust service providers, where personal data protection rules appear to have been breached. The provision of information should in particular cover security incidents and personal data breaches.
32. It should be incumbent on all trust service providers to apply good security practice appropriate to the risks related to their activities so as to boost users' trust in the single market.
33. Provisions on the use of pseudonyms in certificates should not prevent Member States from requiring identification of persons pursuant to Union or national law.
34. All Member States should follow common essential supervision requirements to ensure a comparable security level of qualified trust services. To ease the consistent application of those requirements across the Union, Member States should adopt comparable procedures and should exchange information on their supervision activities and best practices in the field.
35. All trust service providers should be subject to the requirements of this Regulation, in particular those on security and liability to ensure due diligence, transparency and accountability of their operations and services. However, taking into account the type of services provided by trust service providers, it is appropriate to distinguish as far as those requirements are concerned between qualified and non-qualified trust service providers.
36. Establishing a supervisory regime for all trust service providers should ensure a level playing field for the security and accountability of their operations and services, thus contributing to the protection of users and to the functioning of the internal market. Non-qualified trust service providers should be subject to a light touch and reactive ex post supervisory activities justified by the nature of their services and operations. The supervisory body should therefore have no general obligation to supervise non-qualified service providers. The supervisory body should only take action when it is informed (for example, by the non-qualified trust service provider itself, by another supervisory body, by a notification from a user or a business partner or on the basis of its own investigation) that a non-qualified trust service provider does not comply with the requirements of this Regulation.
37. This Regulation should provide for the liability of all trust service providers. In particular, it establishes the liability regime under which all trust service providers should be liable for damage caused to any natural or legal person due to failure to comply with the obligations under this Regulation. In order to facilitate the assessment of financial risk that trust service providers might have to bear or that they should cover by insurance policies, this Regulation allows trust service providers to set limitations, under certain conditions, on the use of the services they provide and not to be liable for damages arising from the use of services exceeding such limitations. Customers should be duly informed about the limitations in advance. Those limitations should be recognisable by a third party, for example by including information about the limitations in the terms and conditions of the service provided or through other recognisable means. For the purposes of giving effect to those principles, this Regulation should be applied in accordance with national rules on liability. Therefore, this Regulation does not affect those national rules on, for example, definition of damages, intention, negligence, or relevant applicable procedural rules.
38. Notification of security breaches and security risk assessments is essential with a view to providing adequate information to concerned parties in the event of a breach of security or loss of integrity.
39. To enable the Commission and the Member States to assess the effectiveness of the breach notification mechanism introduced by this Regulation, supervisory bodies should be requested to provide summary information to the Commission and to the European Union Agency for Network and Information Security (ENISA).
40. To enable the Commission and the Member States to assess the effectiveness of the enhanced supervision mechanism introduced by this Regulation, supervisory bodies should be requested to report on their activities. This would be instrumental in facilitating the exchange of good practice between supervisory bodies and would ensure the verification of the consistent and efficient implementation of the essential supervision requirements in all Member States.
41. To ensure sustainability and durability of qualified trust services and to boost users' confidence in the continuity of qualified trust services, supervisory bodies should verify the existence and the correct application of provisions on termination plans in cases where qualified trust service providers cease their activities.
42. To facilitate the supervision of qualified trust service providers, for example, when a provider is providing its services in the territory of another Member State and is not subject to supervision there, or when the computers of a provider are located in the territory of a Member State other than the one where it is established, a mutual assistance system between supervisory bodies in the Member States should be established.
43. In order to ensure the compliance of qualified trust service providers and the services they provide with the requirements set out in this Regulation, a conformity assessment should be carried out by a conformity assessment body and the resulting conformity assessment reports should be submitted by the qualified trust service providers to the supervisory body. Whenever the supervisory body requires a qualified trust service provider to submit an ad hoc conformity assessment report, the supervisory body should respect, in particular, the principles of good administration, including the obligation to give reasons for its decisions, as well as the principle of proportionality. Therefore, the supervisory body should duly justify its decision to require an ad hoc conformity assessment.
44. This Regulation aims to ensure a coherent framework with a view to providing a high level of security and legal certainty of trust services. In this regard, when addressing the conformity assessment of products and services, the Commission should, where appropriate, seek synergies with existing relevant European and international schemes such as the Regulation (EC) No 765/2008 of the European Parliament and of the Council (9) which sets out the requirements for accreditation of conformity assessment bodies and market surveillance of products.
45. In order to allow an efficient initiation process, which should lead to the inclusion of qualified trust service providers and the qualified trust services they provide into trusted lists, preliminary interactions between prospective qualified trust service providers and the competent supervisory body should be encouraged with a view to facilitating the due diligence leading to the provisioning of qualified trust services.
46. Trusted lists are essential elements in the building of trust among market operators as they indicate the qualified status of the service provider at the time of supervision.
47. Confidence in and convenience of online services are essential for users to fully benefit and consciously rely on electronic services. To this end, an EU trust mark should be created to identify the qualified trust services provided by qualified trust service providers. Such an EU trust mark for qualified trust services would clearly differentiate qualified trust services from other trust services thus contributing to transparency in the market. The use of an EU trust mark by qualified trust service providers should be voluntary and should not lead to any requirement other than those provided for in this Regulation.
48. While a high level of security is needed to ensure mutual recognition of electronic signatures, in specific cases, such as in the context of Commission Decision 2009/767/EC (10), electronic signatures with a lower security assurance should also be accepted.
49. This Regulation should establish the principle that an electronic signature should not be denied legal effect on the grounds that it is in an electronic form or that it does not meet the requirements of the qualified electronic signature. However, it is for national law to define the legal effect of electronic signatures, except for the requirements provided for in this Regulation according to which a qualified electronic signature should have the equivalent legal effect of a handwritten signature.
50. As competent authorities in the Member States currently use different formats of advanced electronic signatures to sign their documents electronically, it is necessary to ensure that at least a number of advanced electronic signature formats can be technically supported by Member States when they receive documents signed electronically. Similarly, when competent authorities in the Member States use advanced electronic seals, it would be necessary to ensure that they support at least a number of advanced electronic seal formats.
51. It should be possible for the signatory to entrust qualified electronic signature creation devices to the care of a third party, provided that appropriate mechanisms and procedures are implemented to ensure that the signatory has sole control over the use of his electronic signature creation data, and the qualified electronic signature requirements are met by the use of the device.
52. The creation of remote electronic signatures, where the electronic signature creation environment is managed by a trust service provider on behalf of the signatory, is set to increase in the light of its multiple economic benefits. However, in order to ensure that such electronic signatures receive the same legal recognition as electronic signatures created in an entirely user-managed environment, remote electronic signature service providers should apply specific management and administrative security procedures and use trustworthy systems and products, including secure electronic communication channels, in order to guarantee that the electronic signature creation environment is reliable and is used under the sole control of the signatory. Where a qualified electronic signature has been created using a remote electronic signature creation device, the requirements applicable to qualified trust service providers set out in this Regulation should apply.
53. The suspension of qualified certificates is an established operational practice of trust service providers in a number of Member States, which is different from revocation and entails the temporary loss of validity of a certificate. Legal certainty calls for the suspension status of a certificate to always be clearly indicated. To that end, trust service providers should have the responsibility to clearly indicate the status of the certificate and, if suspended, the precise period of time during which the certificate has been suspended. This Regulation should not impose the use of suspension on trust service providers or Member States, but should provide for transparency rules when and where such a practice is available.
54. Cross-border interoperability and recognition of qualified certificates is a precondition for cross-border recognition of qualified electronic signatures. Therefore, qualified certificates should not be subject to any mandatory requirements exceeding the requirements laid down in this Regulation. However, at national level, the inclusion of specific attributes, such as unique identifiers, in qualified certificates should be allowed, provided that such specific attributes do not hamper cross-border interoperability and recognition of qualified certificates and electronic signatures.
55. IT security certification based on international standards such as ISO 15408 and related evaluation methods and mutual recognition arrangements is an important tool for verifying the security of qualified electronic signature creation devices and should be promoted. However, innovative solutions and services such as mobile signing and cloud signing rely on technical and organisational solutions for qualified electronic signature creation devices for which security standards may not yet be available or for which the first IT security certification is ongoing. The level of security of such qualified electronic signature creation devices could be evaluated by using alternative processes only where such security standards are not available or where the first IT security certification is ongoing. Those processes should be comparable to the standards for IT security certification insofar as their security levels are equivalent. Those processes could be facilitated by a peer review.
56. This Regulation should lay down requirements for qualified electronic signature creation devices to ensure the functionality of advanced electronic signatures. This Regulation should not cover the entire system environment in which such devices operate. Therefore, the scope of the certification of qualified signature creation devices should be limited to the hardware and system software used to manage and protect the signature creation data created, stored or processed in the signature creation device. As detailed in relevant standards, the scope of the certification obligation should exclude signature creation applications.
57. To ensure legal certainty as regards the validity of the signature, it is essential to specify the components of a qualified electronic signature, which should be assessed by the relying party carrying out the validation. Moreover, specifying the requirements for qualified trust service providers that can provide a qualified validation service to relying parties unwilling or unable to carry out the validation of qualified electronic signatures themselves, should stimulate the private and public sector to invest in such services. Both elements should make qualified electronic signature validation easy and convenient for all parties at Union level.
58. When a transaction requires a qualified electronic seal from a legal person, a qualified electronic signature from the authorised representative of the legal person should be equally acceptable.
59. Electronic seals should serve as evidence that an electronic document was issued by a legal person, ensuring certainty of the document's origin and integrity.
60. Trust service providers issuing qualified certificates for electronic seals should implement the necessary measures in order to be able to establish the identity of the natural person representing the legal person to whom the qualified certificate for the electronic seal is provided, when such identification is necessary at national level in the context of judicial or administrative proceedings.
61. This Regulation should ensure the long-term preservation of information, in order to ensure the legal validity of electronic signatures and electronic seals over extended periods of time and guarantee that they can be validated irrespective of future technological changes.
62. In order to ensure the security of qualified electronic time stamps, this Regulation should require the use of an advanced electronic seal or an advanced electronic signature or of other equivalent methods. It is foreseeable that innovation may lead to new technologies that may ensure an equivalent level of security for time stamps. Whenever a method other than an advanced electronic seal or an advanced electronic signature is used, it should be up to the qualified trust service provider to demonstrate, in the conformity assessment report, that such a method ensures an equivalent level of security and complies with the obligations set out in this Regulation.
63. Electronic documents are important for further development of cross-border electronic transactions in the internal market. This Regulation should establish the principle that an electronic document should not be denied legal effect on the grounds that it is in an electronic form in order to ensure that an electronic transaction will not be rejected only on the grounds that a document is in electronic form.
64. When addressing formats of advanced electronic signatures and seals, the Commission should build on existing practices, standards and legislation, in particular Commission Decision 2011/130/EU (11).
65. In addition to authenticating the document issued by the legal person, electronic seals can be used to authenticate any digital asset of the legal person, such as software code or servers.
66. It is essential to provide for a legal framework to facilitate cross-border recognition between existing national legal systems related to electronic registered delivery services. That framework could also open new market opportunities for Union trust service providers to offer new pan-European electronic registered delivery services.
67. Website authentication services provide a means by which a visitor to a website can be assured that there is a genuine and legitimate entity standing behind the website. Those services contribute to the building of trust and confidence in conducting business online, as users will have confidence in a website that has been authenticated. The provision and the use of website authentication services are entirely voluntary. However, in order for website authentication to become a means to boosting trust, providing a better experience for the user and furthering growth in the internal market, this Regulation should lay down minimal security and liability obligations for the providers and their services. To that end, the results of existing industry-led initiatives, for example the Certification Authorities/Browsers Forum (CA/B Forum), have been taken into account. In addition, this Regulation should not impede the use of other means or methods to authenticate a website not falling under this Regulation nor should it prevent third country providers of website authentication services from providing their services to customers in the Union. However, a third country provider should only have its website authentication services recognised as qualified in accordance with this Regulation, if an international agreement between the Union and the country of establishment of the provider has been concluded.
68. The concept of legal persons, according to the provisions of the Treaty on the Functioning of the European Union (TFEU) on establishment, leaves operators free to choose the legal form which they deem suitable for carrying out their activity. Accordingly, legal persons, within the meaning of the TFEU, means all entities constituted under, or governed by, the law of a Member State, irrespective of their legal form.
69.The Union institutions, bodies, offices and
agencies are encouraged to recognise electronic identification and trust services
covered by this Regulation for the purpose of administrative
cooperation capitalising, in particular, on existing good practices and
the results of ongoing projects in the areas covered by this Regulation.
70.In
order to complement certain detailed technical aspects of this
Regulation in a flexible and rapid manner, the power to adopt acts in
accordance with Article 290 TFEU should be delegated to the Commission in respect of criteria to be met by the bodies responsible for the
certification of qualified electronic signature creation devices. It is of particular importance
that the Commission carry out
appropriate consultations during its preparatory work, including at expert level. The Commission,
when preparing and drawing up delegated acts, should ensure a
simultaneous, timely and appropriate transmission of relevant documents
to the European Parliament and to the Council.
71.In order to ensure uniform conditions for the
implementation of this Regulation, implementing powers should be conferred on the Commission,
in particular for specifying reference numbers of standards the use of
which would raise a presumption of compliance with certain requirements
laid down in this Regulation. Those powers should be exercised in
accordance with Regulation (EU) No 182/2011 of the European Parliament
and of the Council (12).
72.When adopting delegated or implementing acts,
the Commission
should take due account of the standards and technical specifications
drawn up by European and international standardisation organisations and
bodies, in particular the European Committee for Standardisation (CEN),
the European Telecommunications Standards Institute (ETSI), the
International Organisation for Standardisation (ISO) and the
International Telecommunication Union (ITU), with a view to ensuring a
high level of security and interoperability of electronic identification and trust services.
73.For reasons of legal certainty and clarity,
Directive 1999/93/EC should be repealed.
74.To
ensure legal certainty for market operators already using qualified
certificates issued to natural persons in compliance with Directive
1999/93/EC, it is necessary to provide for a sufficient period of time
for transitional purposes. Similarly, transitional measures should be
established for secure signature creation devices, the conformity of
which has been determined in accordance with Directive 1999/93/EC, as
well as for certification service providers issuing qualified
certificates before 1 July 2016. Finally, it is also necessary to
provide the Commission with the means to
adopt the implementing acts and delegated acts before that date.
75.The application dates set out in this
Regulation do not affect existing obligations that Member States already have under Union law, in particular under Directive
2006/123/EC.
76.Since the objectives of this Regulation cannot
be sufficiently achieved by the Member
States
but can rather, by reason of the scale of the action, be better
achieved at Union level, the Union may adopt measures, in accordance
with the principle of subsidiarity as set out in Article 5 of the Treaty
on European Union. In accordance with the principle of proportionality,
as set out in that Article, this Regulation does not go beyond what is
necessary in order to achieve those objectives.
77.The
European Data Protection Supervisor was consulted in accordance with
Article 28(2) of Regulation (EC) No 45/2001 of the European Parliament
and of the Council (13) and delivered an opinion on 27 September 2012
(14),
HAVE ADOPTED THIS REGULATION:
Chapter I GENERAL PROVISIONS
This Regulation aims at ensuring the proper functioning of the internal market and providing an adequate level of security of electronic identification means and trust services. For these purposes, this Regulation:
(a)lays down the
conditions under which Member States shall
provide and recognise electronic identification means of natural and legal persons, falling under a
notified electronic
identification scheme of another Member
State;
(b)lays down rules for
trust services, in particular for
electronic transactions;
(d)lays down the
conditions for the issuing of European Digital Identity Wallets by Member States.
1.This Regulation applies to electronic identification
schemes that have been notified by a Member State, European Digital Identity Wallets issued by Member States and to trust service providers that are
established in the Union.
2.This Regulation does not apply to the provision
of trust services
that are used exclusively within closed systems resulting from national
law or from agreements between a defined set of participants.
3.This
Regulation does not affect national or Union law related to the
conclusion and validity of contracts or other legal or procedural
obligations relating to sector specific requirements as regards form
with underlying legal effects.
For the purposes of this Regulation, the following
definitions apply:
(1)electronic identification means the process of using person identification
data in electronic form uniquely representing either a natural or legal person, or a natural person
representing a legal person;
(2)electronic identification means
means a material and/or immaterial unit, including European Digital Identity
Wallets or ID cards following Regulation 2019/1157, containing person identification data and which
is used for authentication for an
online or offline service;
(3)person identification data
means a set of data enabling the identity of a natural or legal person,
or a natural person representing a legal person to be established;
(4)electronic identification scheme
means a system for electronic identification under which electronic identification means,
are issued to natural or legal persons or natural persons representing legal persons;
(5)authentication means an electronic process that
enables the electronic
identification of a natural or legal person, or the origin and integrity of data in electronic form to
be confirmed;
(6)relying party means a natural or legal person that
relies upon an electronic
identification or a trust
service;
(7)public sector body means a state, regional or
local authority, a body
governed by public law or an association formed by one or several such authorities or one or several
such bodies governed by
public law,
or a private entity mandated by at least one of those authorities,
bodies or associations to provide public services, when acting under
such a mandate;
(8)body governed by public law means a
body defined in point (4) of Article 2(1) of Directive 2014/24/EU of the European Parliament and of the
Council (15);
(9)signatory means a natural person who creates an electronic signature;
(10)electronic signature
means data in electronic form which is attached to or logically
associated with other data in electronic form and which is used by the signatory to sign;
(14)certificate for electronic
signature means an electronic attestation or set of attestations which links electronic signature validation data to a natural person and confirms
at least the name or the pseudonym of that person;
(16)trust service means an electronic service normally
provided against payment which consists of:
(c)the
preservation of electronic
signatures, seals or certificates related to those services;
(e)the management
of remote electronic
signature and seal creation devices;
(17)qualified trust service means a trust service that meets the
applicable requirements laid down in this Regulation;
(18)conformity assessment body
means a body defined in point 13 of Article 2 of Regulation (EC) No
765/2008, which is accredited in accordance with that Regulation as
competent to carry out conformity assessment of a qualified trust service provider
and the qualified trust
services it provides;
(19)trust service provider means a natural or
a legal person who provides one or more trust services either as a qualified or as a non-qualified trust service
provider;
(21)product means hardware or software, or relevant components of hardware and/or software, which are intended to be used for the provision of electronic identification and trust services;
(22)electronic signature creation
device means configured software or hardware used to create an electronic signature;
(24)creator of a seal means a legal person who
creates an electronic seal;
(25)electronic seal means data in electronic form, which is attached to or logically associated with other data in electronic form to ensure the latter's origin and integrity;
(26)advanced electronic seal means an electronic seal, which meets the
requirements set out in Article 36;
(28)electronic seal creation data means
unique data, which is used by the creator of the electronic seal to create an electronic seal;
(29)certificate for electronic seal
means an electronic attestation or set of attestations that links electronic seal validation data to a legal person and confirms
the name of that person;
(31)electronic seal creation device
means configured software or hardware used to create an electronic seal;
(33)electronic time stamp
means data in electronic form which binds other data in electronic form
to a particular time establishing evidence that the latter data existed
at that time;
(35)electronic document means any content stored
in electronic form, in particular text or sound, visual or audiovisual recording;
(36)electronic registered delivery
service
means a service that makes it possible to transmit data between third
parties by electronic means and provides evidence relating to the
handling of the transmitted data, including proof of sending and
receiving the data, and that protects transmitted data against the risk
of loss, theft, damage or any unauthorised alterations;
(38)certificate for website
authentication
means an attestation that makes it possible to authenticate a website
and links the website to the natural or legal person to whom the
certificate is issued;
(40)validation data means data that is used to
validate an electronic
signature or an electronic
seal;
(42)European Digital Identity Wallet
is a product and service that allows the
user to store identity data, credentials and attributes linked to her/his identity, to provide them to relying parties on request and to use them for authentication, online and offline,
for a service in accordance with Article 6a; and
to create qualified
electronic signatures and seals;
(43)attribute is a feature, characteristic or quality of a
natural or legal person or of an entity, in electronic form;
(44)electronic attestation of
attributes means an attestation in electronic form that allows the authentication of attributes;
(46)authentic source is a repository or system, held
under the responsibility of a public sector body or private entity, that contains attributes
about a natural or legal person and is considered to be the primary
source of that information or recognised as authentic in national law;
(47)electronic archiving
means a service ensuring the receipt, storage, deletion and
transmission of electronic data or documents in order to guarantee their
integrity, the accuracy of their origin and legal features throughout
the conservation period;
(48)qualified electronic archiving
service means a service that meets the requirements laid down in Article 45g;
(49)EU Digital Identity Wallet
Trust Mark
means an indication in a simple, recognisable and clear manner that a
Digital Identity Wallet has been issued in accordance with this
Regulation;
(50)strong user authentication means an authentication based on the use of two or more elements categorised as user knowledge, possession and inherence that are independent, in such a way that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data;
(51)user account
means a mechanism that allows a user to access public or private
services on the terms and conditions established by the service
provider;
(52)credential means a proof of a person's abilities, experience, right or permission;
(53)electronic ledger
means a tamper proof electronic record of data, providing authenticity
and integrity of the data it contains, accuracy of their date and time,
and of their chronological ordering;
(54)personal data means any information as defined in point 1 of Article 4 of Regulation (EU) 2016/679;
(55)unique identification means a process where
person identification
data or person identification means are matched with or linked to an existing account belonging to the
same person.
Article 4 Internal market principle
1.There shall be no restriction on the provision
of trust services in the territory
of a Member State by a trust service provider established in
another Member State for reasons that fall
within the fields covered by this Regulation.
2.Products and trust services that comply with this Regulation shall be permitted to circulate
freely in the internal market.
Article 5 Pseudonyms in electronic transaction
Without
prejudice to the legal effect given to pseudonyms under national law,
the use of pseudonyms in electronic transactions shall not be
prohibited.
Chapter II ELECTRONIC IDENTIFICATION
Section I ELECTRONIC IDENTIFICATION
Article 6a European Digital Identity Wallets
1.For
the purpose of ensuring that all natural and legal persons in the Union
have secure, trusted and seamless access to cross-border public and
private services, each Member State shall
issue a European
Digital Identity Wallet within 12 months after the entry into force of this Regulation.
(b)under a mandate
from a Member State;
(c)independently
but recognised by a Member State.
(a)securely
request and obtain, store, select, combine and share, in a manner that
is transparent to and traceable by the user, the necessary legal person identification data and electronic
attestation of attributes to authenticate online and offline in order to use online public and private
services;
4.Digital Identity Wallets shall, in particular:
(a)provide a
common interface:
(i)to qualified
and non-qualified
trust service providers issuing qualified and non-qualified electronic
attestations of attributes or other qualified and non-qualified certificates for the purpose of
issuing such attestations and certificates to the European Digital Identity
Wallet;
(iii)for the
presentation to relying parties of
person identification
data, electronic attestation of attributes or other data such as credentials, in local mode not requiring internet
access for the wallet;
(b)ensure that trust service providers of
qualified attestations of attributes
cannot receive any information about the use of these attributes;
(c)meet the
requirements set out in Article 8 with regards to
assurance level high, in
particular as applied to the requirements for identity proofing and verification, and electronic identification means
management and authentication;
(d)provide a
mechanism to ensure that the relying
party is able to authenticate the user and to receive electronic attestations of
attributes;
(e)ensure that the person identification data referred to in Article 12(4), point (d), uniquely and persistently represent the natural or legal person that is associated with it.
(a)to ensure that
its authenticity and validity can be verified;
(b)to allow relying parties to verify that the
attestations of attributes are valid;
6.The European Digital Identity
Wallets shall be issued under a notified electronic identification scheme
of level of assurance high. The use of the European Digital Identity
Wallets shall be free of charge to natural persons.
7.The user shall be in full control of the European Digital Identity Wallet. The issuer of the European Digital Identity Wallet shall not collect information about the use of the wallet which is not necessary for the provision of the wallet services, nor shall it combine person identification data and any other personal data stored or relating to the use of the European Digital Identity Wallet with personal data from any other services offered by this issuer or from third-party services which are not necessary for the provision of the wallet services, unless the user has expressly requested it. Personal data relating to the provision of European Digital Identity Wallets shall be kept physically and logically separate from any other data held. If the European Digital Identity Wallet is provided by private parties in accordance with paragraph 1(b) and (c), the provisions of Article 45f paragraph 4 shall apply mutatis mutandis.
9.Article 24(2), points (b), (e), (g), and
(h) shall apply mutatis mutandis to
Member States issuing the European Digital
Identity Wallets.
10.The European Digital Identity Wallet
shall be made accessible for persons with disabilities in accordance
with the accessibility requirements of Annex I to Directive 2019/882.
11.Within 6 months of the entering into force
of this Regulation, the Commission
shall establish technical and operational specifications and reference
standards for the requirements referred to in paragraphs 3, 4 and 5 by means of an implementing act on the
implementation of the European Digital Identity Wallet. This implementing act shall be adopted in
accordance with the examination procedure referred to in Article 48(2).
Article 6b European Digital Identity Wallets Relying Parties
1.Where relying parties intend to rely upon European Digital
Identity Wallets issued in accordance with this Regulation, they shall communicate it to the Member State where the relying party
is established to ensure compliance with requirements set out in Union
law or national law for the provision of specific services. When
communicating their intention to rely on European Digital Identity
wallets, they shall also inform about the intended use of the European Digital Identity
Wallet.
2.Member States shall implement a common mechanism for the authentication of relying parties.
4.Within 6 months of the entering into force of
this Regulation, the Commission shall
establish technical and operational specifications for the requirements referred to in paragraphs 1 and 2 by means of an implementing act on the implementation of
the European Digital
Identity Wallets as referred to in Article 6a(10).
Article 6c Certification of the European Digital Identity
Wallets
1.European Digital Identity
Wallets
that have been certified or for which a statement of conformity has
been issued under a cybersecurity scheme pursuant to Regulation (EU)
2019/881 and the references of which have been published in the Official
Journal of the European Union shall be presumed to be compliant with
the cybersecurity relevant requirements set out in Article 6a paragraphs
3, 4 and 5 in so far as the cybersecurity certificate or statement of conformity or parts
thereof cover those requirements.
2.Compliance with the requirements set out in
paragraphs 3, 4 and 5 of Article 6a related to the personal data processing operations carried out by the issuer of the European Digital
Identity Wallets shall be certified pursuant to Regulation (EU) 2016/679.
3.The conformity of European Digital Identity
Wallets with the requirements laid down in article 6a paragraphs 3, 4 and 5 shall be
certified by accredited public or private bodies designated by Member States.
4.Within 6 months of the entering into force of
this Regulation, the Commission shall,
by means of implementing acts, establish a list of standards for the certification of the European Digital Identity
Wallets referred to in paragraph 3.
5.Member States shall communicate to the Commission the names and addresses of the public or private bodies referred to
in paragraph 3. The Commission shall make that information
available to Member States.
6.The Commission shall be empowered to adopt delegated acts in accordance with Article 47 concerning the establishment of
specific criteria to be met by the designated bodies referred to in paragraph 3.
Article 6d Publication of a list of certified European
Digital Identity Wallets
1.Member States shall inform the Commission without undue delay of the European Digital Identity Wallets that have been issued pursuant to Article 6a and certified by the bodies referred to in Article 6c paragraph 3. They shall also inform the Commission, without undue delay, where the certification is cancelled.
2.On the basis of the information received, the Commission shall establish, publish
and maintain a list of certified European Digital Identity Wallets.
3.Within 6 months of the entering into force of this Regulation, the Commission shall define formats and procedures applicable for the purposes of paragraph 1 by means of an implementing act on the implementation of the European Digital Identity Wallets as referred to in Article 6a(10).
Section II ELECTRONIC IDENTIFICATION SCHEMES
Article 7 Eligibility for notification of electronic
identification schemes
Pursuant to Article 9(1), Member States shall notify, within 12 months after the entry into force of this Regulation, at least one electronic identification scheme including at least one identification means:
(i)by the notifying
Member State;
(ii)under a
mandate from the notifying Member State;
or
(iii)independently of the notifying Member State and are recognised by that Member State;
(b)the electronic
identification means under the electronic identification scheme can be used to access at least one service which
is provided by a public sector
body and which requires electronic identification in the notifying Member State;
(c)the electronic
identification scheme and the electronic identification means issued thereunder meet the requirements of at least
one of the assurance levels set out
in the implementing act referred to in Article
8(3);
(d)the notifying Member State ensures that the person identification
data
uniquely representing the person in question is attributed, in
accordance with the technical specifications, standards and procedures
for the relevant assurance level set
out in the implementing act referred to in Article 8(3), to the natural or legal person referred to in point 1 of Article 3 at the time the electronic identification means
under that scheme is issued;
(e)the party issuing
the electronic
identification means under that scheme ensures that the electronic identification means
is attributed to the person referred to in point
(d) of this Article in accordance with the technical specifications, standards and procedures for the
relevant assurance level set out in
the implementing act referred to in Article
8(3);
(f)the notifying Member State ensures the availability of authentication online, so that any
relying party established in the
territory of another Member State is able
to confirm the person
identification data received in electronic form.
For relying parties other than public sector bodies the notifying Member State may define terms of access to that authentication. The cross-border authentication shall be provided
free of charge when it is carried out in relation to a service online provided by a public sector body.
Member States shall not impose any specific
disproportionate technical requirements on relying parties intending to carry out such authentication, where such requirements prevent or
significantly impede the interoperability of the notified electronic identification
schemes;
(g)at least six months
prior to the notification pursuant to Article
9(1), the notifying Member State
provides the other Member States for the
purposes of the obligation under Article
12(5)
a description of that scheme in accordance with the procedural
arrangements established by the implementing acts referred to in Article 12(7);
(h)the electronic
identification scheme meets the requirements set out in the implementing act referred to in Article 12(8).
Article 8 Assurance levels of electronic identification
schemes
1.An electronic identification scheme
notified pursuant to Article 9(1) shall
specify assurance levels low,
substantial and/or high for electronic identification means issued under that scheme.
2.The assurance levels low, substantial and high shall
meet respectively the following criteria:
(a)assurance level low shall
refer to an electronic
identification means in the context of an electronic identification
scheme,
which provides a limited degree of confidence in the claimed or
asserted identity of a person, and is characterised with reference to
technical specifications, standards and procedures related thereto,
including technical controls, the purpose of which is to decrease the
risk of misuse or alteration of the identity;
(b)assurance level
substantial shall refer to an electronic identification means in the context of an electronic identification
scheme,
which provides a substantial degree of confidence in the claimed or
asserted identity of a person, and is characterised with reference to
technical specifications, standards and procedures related thereto,
including technical controls, the purpose of which is to decrease
substantially the risk of misuse or alteration of the identity;
(c)assurance level high shall
refer to an electronic
identification means in the context of an electronic identification
scheme, which provides a higher degree of confidence in the claimed or asserted identity of a person
than electronic
identification means with the assurance level substantial,
and is characterised with reference to technical specifications,
standards and procedures related thereto, including technical controls,
the purpose of which is to prevent misuse or alteration of the identity.
3.By 18 September 2015, taking into account
relevant international standards and subject to paragraph 2, the
Commission
shall, by means of implementing acts, set out minimum technical
specifications, standards and procedures with reference to which assurance levels low, substantial and high are
specified for electronic identification means for the purposes of paragraph 1.
Those
minimum technical specifications, standards and procedures shall be set
out by reference to the reliability and quality of the following
elements:
(a)the procedure to
prove and verify the identity of natural or legal persons applying for the issuance of electronic identification means;
(b)the procedure
for the issuance of the requested electronic identification means;
(c)the authentication mechanism, through
which the natural or legal person uses the electronic identification means
to confirm its identity to a relying
party;
(e)any other body
involved in the application for the issuance of the electronic identification means;
and
(f)the technical
and security specifications of the issued electronic identification means.
Those implementing acts shall be adopted in
accordance with the examination procedure referred to in Article 48(2).
1.The notifying Member State shall notify to the Commission the following information and,
without undue delay, any subsequent changes thereto:
(a)a description of
the electronic
identification scheme, including its assurance levels and the issuer or issuers of electronic identification means
under the scheme;
(b)the applicable
supervisory regime and information on the liability regime with respect to the following:
(ii)the party
operating the authentication
procedure;
(c)the authority or
authorities responsible for the electronic identification scheme;
(d)information on
the entity or entities which manage the registration of the unique person identification data;
(e)a description of
how the requirements set out in the implementing acts referred to in Article 12(8) are met;
(f)a description of
the authentication referred to in
point (f) of Article 7;
(g)arrangements for
suspension or revocation of either the notified electronic identification scheme
or authentication or the
compromised parts concerned.
2.The Commission shall publish in the Official Journal of the European Union a list
of the electronic
identification schemes which were notified pursuant to paragraph 1 of this Article and the basic information thereon.
3.The Commission shall publish in the Official Journal of the European Union the
amendments to the list referred to in paragraph
2 within one month from the date of receipt of that notification.
4.A Member State may submit to the Commission a request to remove an electronic identification scheme notified by that Member State from the list referred to in paragraph 2. The Commission shall publish in the Official Journal of the European Union the corresponding amendments to the list within one month from the date of receipt of the Member State's request.
5.The Commission may, by means of implementing acts, define the circumstances,
formats and procedures of notifications under paragraph 1. Those implementing acts shall be adopted in accordance with the
examination procedure referred to in Article
48(2).
Article 10 Security breach
1.Where either the electronic identification scheme
notified pursuant to Article 9(1) or the authentication referred to in point (f) of Article 7 is breached or partly
compromised in a manner that affects the reliability of the cross-border authentication of that scheme, the notifying Member State shall, without delay, suspend
or revoke that cross-border authentication or the compromised parts concerned, and shall inform other Member States and the Commission.
2.When the breach or compromise referred to in
paragraph 1 is remedied, the notifying Member State shall re-establish the
cross-border authentication and
shall inform other Member States and the Commission without undue delay.
3.If the breach or compromise referred to in paragraph 1 is not remedied within three
months of the suspension or revocation, the notifying Member State shall notify other Member States and the Commission of the withdrawal of the electronic identification
scheme.
The Commission shall publish in the Official Journal of the European Union the
corresponding amendments to the list referred to in Article 9(2) without undue delay.
Article 10a Security breach of the European Digital Identity
Wallets
1.Where European Digital Wallets issued
pursuant to Article 6a and the validation mechanisms referred to in Article 6a(5)
points (a), (b) and (c) are breached or partly compromised in a manner that affects their reliability or
the reliability of the other European Digital Identity Wallets, the issuing Member State shall, without delay, suspend the
issuance and revoke the validity of the European Digital Identity Wallet and inform the other Member States and the Commission accordingly.
2.Where the breach or compromise referred to in
paragraph 1 is remedied, the issuing Member State shall re-establish the
issuance and the use of the European Digital Identity Wallet and inform other Member States and the Commission without undue delay.
3.If the breach or compromise referred to in paragraph 1 is not remedied within three
months of the suspension or revocation, the Member State concerned shall withdraw the European Digital Wallet concerned and
inform the other Member States and the Commission on the withdrawal
accordingly. Where it is justified by the severity of the breach, the European Digital Identity Wallet
concerned shall be withdrawn without delay.
4.The Commission shall publish in the Official Journal of the European Union the
corresponding amendments to the list referred to in Article 6d without undue delay.
5.Within 6 months of the entering into force of
this Regulation, the Commission shall
further specify the measures referred to in paragraphs 1 and 3 by means
of an implementing act on the implementation of the European Digital Identity
Wallets as referred to in Article
6a(10).
Article 11 Liability
1.The notifying Member State
shall be liable for damage caused intentionally or negligently to any
natural or legal person due to a failure to comply with its obligations
under points (d) and (f) of Article 7 in a cross-border transaction.
2.The party issuing the electronic identification means
shall be liable for damage caused intentionally or negligently to any
natural or legal person due to a failure to comply with the obligation
referred to in point (e) of Article 7 in a
cross-border transaction.
3.The party operating the authentication
procedure shall be liable for damage caused intentionally or
negligently to any natural or legal person due to a failure to ensure
the correct operation of the authentication referred to in point (f) of Article 7 in a cross-border transaction.
4.Paragraphs 1, 2 and 3 shall be
applied in accordance with national rules on liability.
5.Paragraphs 1, 2 and 3 are without
prejudice to the liability under national law of parties to a transaction in which electronic identification means
falling under the electronic identification scheme notified pursuant to Article 9(1) are used.
Article 11a Unique Identification
2.Member States shall, for the purposes of this Regulation, include in the minimum
set of person
identification data referred to in Article 12(4), point (d),
a unique and persistent identifier in conformity with Union law, to
identify the user upon their request in those cases where identification
of the user is required by law.
3.Within 6 months of the entering into force of
this Regulation, the Commission shall
further specify the measures referred to in paragraphs 1 and 2 by means
of an implementing act on the implementation of the European Digital Identity
Wallets as referred to in Article
6a(10).
Article 12 Cooperation and interoperability
1.The national electronic identification
schemes notified pursuant to Article
9(1) shall be interoperable.
2.For the purposes of paragraph 1, an interoperability framework shall be
established.
3.The interoperability framework shall meet the
following criteria:
(a)it aims to be
technology neutral and does not discriminate between any specific national technical solutions for electronic identification
within a Member State;
(b)it follows
European and international standards, where possible;
4.The interoperability framework shall consist
of:
(a)a reference to
minimum technical requirements related to the assurance levels under Article
8;
(c)a reference to
minimum technical requirements for interoperability;
(d)a reference to
a minimum set of person
identification data necessary to uniquely and persistently represent a natural or legal person;
(f)arrangements
for dispute resolution; and
(g)common
operational security standards.
5.Member States shall cooperate with regard to the following:
(a)the
interoperability of the electronic identification schemes notified pursuant to Article 9(1) and the electronic identification
schemes which Member States intend
to notify; and
6.The cooperation between Member States shall consist of:
(a)the exchange of
information, experience and good practice as regards electronic identification
schemes and in particular technical requirements related to interoperability, unique identification and assurance levels;
(b)the exchange of
information, experience and good practice as regards working with assurance levels of electronic identification
schemes under Article 8;
(c)peer review of
electronic
identification schemes falling under this Regulation; and
(d)examination of
relevant developments in the electronic identification sector.
7.By 18 March 2015, the Commission
shall, by means of implementing acts, establish the necessary
procedural arrangements to facilitate the cooperation between the Member States referred to in paragraphs 5 and 6 with a view
to fostering a high level of trust and security appropriate to the degree of risk.
8.By 18 September 2015, for the purpose of
setting uniform conditions for the implementation of the requirement under paragraph 1, the Commission shall, subject to the criteria set out in paragraph 3 and taking into account the results of the
cooperation between Member States, adopt
implementing acts on the interoperability framework as set out in paragraph 4.
9.The implementing acts referred to in
paragraphs 7 and 8 of this Article shall be adopted in accordance with the
examination procedure referred to in Article
48(2).
Article 12a Certification of electronic identification
schemes
1.Conformity of notified electronic identification
schemes with the requirements laid down in Article 6a, Article 8 and
Article 10 may be certified by public or private
bodies designated by Member States.
2.The peer-review of electronic identification
schemes referred to in Article
12(6), point (c) shall not apply to electronic identification
schemes or part of such schemes certified in accordance with paragraph 1. Member States
may use a certificate or a Union statement of conformity issued in
accordance with a relevant European cybersecurity certification scheme
established pursuant to Regulation (EU) 2019/881 to demonstrate
compliance of such schemes with the requirements set out in Article 8(2) regarding the assurance levels of electronic identification
schemes.
3.Member States shall notify to the Commission the names and addresses of the public or private body referred
to in paragraph 1. The Commission shall make that information
available to Member States.
Section III CROSS-BORDER RELIANCE ON ELECTRONIC
IDENTIFICATION MEANS
Article 12b Cross-border reliance on European Digital
Identity Wallets
1.Where Member States require an electronic identification using an electronic
identification means and authentication under national law or by administrative practice to access an online
service provided by a public sector
body, they shall also accept European Digital Identity Wallets issued in compliance with this Regulation.
2.Where private relying parties providing services are required by
national or Union law, to use strong user authentication for online identification, or where strong user authentication
is required by contractual obligation, including in the areas of
transport, energy, banking and financial services, social security,
health, drinking water, postal services, digital infrastructure,
education or telecommunications, private relying parties shall also accept the use of European Digital Identity
Wallets issued in accordance with Article
6a.
3.Where very large online platforms as defined
in Regulation [reference DSA Regulation] Article 25.1. require users to authenticate to access online services, they shall
also accept the use of European Digital Identity Wallets issued in accordance with Article 6a strictly upon voluntary request of the user and in
respect of the minimum attributes
necessary for the specific online service for which authentication is requested, such as proof of age.
4.The Commission
shall encourage and facilitate the development of self-regulatory codes
of conduct at Union level (codes of conduct), in order to contribute to
wide availability and usability of European Digital Identity Wallets within the scope of this Regulation. These codes
of conduct shall ensure acceptance of electronic identification means including European Digital Identity
Wallets within the scope of this Regulation in particular by service providers relying on third party
electronic
identification services for user authentication. The
Commission
will facilitate the development of such codes of conduct in close
cooperation with all relevant stakeholders and encourage service
providers to complete the development of codes of conduct within 12
months of the adoption of this Regulation and effectively implement them
within 18 months of the adoption of the Regulation.
5.The Commission shall make an assessment within 18 months after deployment of the European Digital
Identity Wallets whether on the basis of evidence showing availability and usability of the European Digital
Identity Wallet, additional private online service providers shall be mandated to accept the use of
the European Digital
Identity Wallet
strictly upon voluntary request of the user. Criteria of assessment may
include extent of user base, cross-border presence of service
providers, technological development, evolution in usage patterns. The Commission
shall be empowered to adopt delegated acts based on this assessment,
regarding a revision of the requirements for recognition of the European Digital Identity Wallet
under paragraphs 1 to 4 of this Article.
6.For the purposes of this Article, European Digital Identity
Wallets shall not be subject to the requirements referred to in articles 7 and 9.
Article 12c Mutual recognition of other electronic
identification means
1.Where electronic identification using an electronic
identification means and authentication is required under national law or by administrative practice to
access an online service provided by a public sector body in a Member State, the electronic identification means,
issued in another Member State shall be
recognised in the first Member State for
the purposes of cross-border authentication for that online service, provided that the following conditions are
met:
(a)the electronic
identification means is issued under an electronic identification scheme
that is included in the list referred to in Article
9;
(b)the assurance level of the electronic
identification means corresponds to an assurance level equal to or higher than the assurance level required by the relevant public sector body to access
that online service in the Member State
concerned, and in any case not lower than an assurance level substantial;
(c)the relevant
public sector body in the Member State concerned uses the assurance level
substantial or high in relation to accessing that online service.
Such recognition shall take place no later than
6 months after the Commission publishes
the list referred to in point (a)
of the first subparagraph.
2.An electronic identification means
which is issued within the scope of an electronic identification scheme included in the list referred to in Article 9 and which corresponds to the assurance level low may be recognised by public sector bodies for the
purposes of cross-border authentication for the online service provided by those bodies.
Chapter III TRUST SERVICES
Section 1 General provisions
Article 13 Liability and burden of proof
1.Notwithstanding paragraph 2 of this Article, trust service providers
shall be liable for damage caused intentionally or negligently to any
natural or legal person due to a failure to comply with the obligations
under this Regulation and with the cybersecurity risk management
obligations under Article 18 of the Directive XXXX/XXXX [NIS2].
2.Where trust service providers
duly inform their customers in advance of the limitations on the use of
the services they provide and where those limitations are recognisable
to third parties, trust
service providers shall not be liable for damages arising from the use of services exceeding the
indicated limitations.
3.Paragraphs 1 and 2 shall be applied in accordance with national rules on liability.
Article 14 International aspects
1.The Commission may adopt implementing acts, in accordance with Article 48(2), setting out the conditions under which the
requirements of a third country applicable to the trust service providers established in its territory and to the trust services they provide can be considered
equivalent to the requirements applicable to qualified trust service
providers established in the Union and to the qualified trust services they provide.
2.Where the Commission has adopted an implementing act
pursuant to paragraph 1 or concluded an
international agreement on the mutual recognition of trust services in accordance with Article 218 of the Treaty, trust services provided by providers established in
the third country concerned shall be considered equivalent to qualified trust services provided by qualified trust
service providers established in the Union.
Article 15 Accessibility for persons with disabilities
The provision of trust services and end-user products
used in the provision of those services shall be made accessible for
persons with disabilities in accordance with the accessibility
requirements of Annex I of Directive 2019/882 on the accessibility
requirements for products and services.
Article 16 Penalties
Member States
shall lay down the rules on penalties applicable to infringements of
this Regulation. The penalties provided for shall be effective,
proportionate and dissuasive.
Section 2 Supervision
Article 17 Supervisory body
1.Member States shall designate a supervisory body established in their territory or, upon mutual agreement with
another Member State, a supervisory body established in that other Member State. That body shall be
responsible for supervisory tasks in the designating Member State.
Supervisory bodies shall be given the necessary
powers and adequate resources for the exercise of their tasks.
2.Member States shall notify to the Commission the names and the addresses of their respective designated supervisory bodies.
3.The role of the supervisory body shall be the following:
(a)to supervise qualified trust
service providers established in the territory of the designating Member State to ensure, through ex ante and ex post
supervisory activities, that those qualified trust service providers and the qualified trust services that they
provide meet the requirements laid down in this Regulation;
(b)to take action
if necessary, in relation to non-qualified trust service providers established in the territory of the designating
Member State, through ex post supervisory
activities, when informed that those non-qualified trust service
providers or the trust
services they provide allegedly do not meet the requirements laid down in this Regulation.
4.For the purposes of paragraph 3 and subject to the limitations provided
therein, the tasks of the supervisory
body shall include in particular:
(a)to cooperate
with other supervisory bodies and
provide them with assistance in accordance with Article 18;
(b)to analyse the
conformity assessment reports referred to in Articles 20(1) and 21(1);
(c)to inform the
relevant national competent authorities of the Member States
concerned, designated pursuant to Directive (EU) XXXX/XXXX [NIS2], of
any significant breaches of security or loss of integrity they become
aware of in the performance of their tasks. Where the significant breach
of security or loss of integrity concerns other Member States, the supervisory body shall inform the single point of contact of the Member State concerned designated pursuant to
Directive (EU) XXXX/XXXX (NIS2);
(d)to report to the Commission about its main activities
in accordance with paragraph 6 of this
Article;
(e)to carry out
audits or request a conformity assessment body to perform a conformity assessment of the qualified trust
service providers in accordance with Article 20(2);
(f)to
cooperate with supervisory authorities established under Regulation
(EU) 2016/679, in particular, by informing them without undue delay,
about the results of audits of qualified trust service providers, where personal data protection rules have been breached
and about security breaches which constitute personal data breaches;
(g)to grant
qualified status to trust
service providers and to the services they provide and to withdraw this status in accordance with
Articles 20 and 21;
(h)to inform the
body responsible for the national trusted
list referred to in Article 22(3)
about its decisions to grant or to withdraw qualified status, unless that body is also the supervisory body;
(i)to verify the
existence and correct application of provisions on termination plans in cases where the qualified trust service provider
ceases its activities, including how information is kept accessible in accordance with point (h) of Article 24(2);
(j)to require that
trust service providers
remedy any failure to fulfil the requirements laid down in this Regulation.
5.Member States may require the supervisory body to establish, maintain and update a trust infrastructure in
accordance with the conditions under national law.
6.By 31 March each year, each supervisory body shall submit to the Commission a report on its main activities
during the previous calendar year.
7.The Commission shall make the annual report referred to in paragraph 6 available to Member States.
8.Within 12 months of the entering into force of
this Regulation, the Commission shall,
by means of implementing acts, further specify the tasks of the Supervisory Authorities referred to in paragraph 4 and define the formats and
procedures for the report referred to in paragraph 6. Those implementing acts shall be adopted in accordance with the
examination procedure referred to in Article
48(2).
Article 18 Mutual assistance and cooperation
1.Supervisory bodies shall cooperate with a view
to exchanging good practice and information regarding the provision of trust services.
2.A supervisory body to which a request for
assistance is addressed may refuse that request on any of the following grounds:
(a)the supervisory body is not competent to
provide the requested assistance;
(b)the requested
assistance is not proportionate to supervisory activities of the supervisory body carried out in accordance with
Article 17;
(c)providing the
requested assistance would be incompatible with this Regulation.
3.Where appropriate, Member States may authorise their respective supervisory bodies to carry out
joint investigations in which staff from other Member States' supervisory bodies is involved. The arrangements and procedures for such joint
actions shall be agreed upon and established by the Member States concerned in accordance with their national law.
4.Supervisory bodies
and national competent authorities under Directive (EU) XXXX/XXXX of
the European Parliament and of the Council [NIS2] shall cooperate and
assist each other to ensure that trust service providers comply with the requirements laid down in this Regulation
and in Directive (EU) XXXX/XXXX [NIS2]. The supervisory body
shall request the national competent authority under Directive
XXXX/XXXX [NIS2] to carry out supervisory actions to verify compliance
of the trust service
providers with the requirements under Directive XXXX/XXXX (NIS2), to require the trust service providers to remedy any
failure to comply with those requirements, to provide timely the results of any supervisory activities
linked to trust service
providers and to inform the supervisory bodies about relevant incidents notified in accordance with Directive
XXXX/XXXX [NIS2].
5.Within 12 months of the entering into force of
this Regulation, the Commission
shall, by means of implementing acts, establish the necessary
procedural arrangements to facilitate the cooperation between the
Supervisory Authorities referred to in paragraph 1.
Section 3 Qualified trust services
Article 20 Supervision of qualified trust service providers
1.Qualified trust service
providers shall be audited at their own expense at least every 24 months by a conformity assessment body. The audit
shall confirm that the qualified trust service providers and the qualified trust services provided by them
fulfil the requirements laid down in this Regulation and in Article 18 of Directive (EU) XXXX/XXXX [NIS2].
Qualified trust
service providers shall submit the resulting conformity assessment report to the supervisory body within three working days of
receipt.
2.Without prejudice to paragraph 1, the supervisory body may at any time audit or
request a conformity
assessment body to perform a conformity assessment of the qualified trust service
providers, at the expense of those trust service providers, to confirm that they and the qualified trust services provided by them
fulfil the requirements laid down in this Regulation. Where personal data protection rules appear to have been
breached, the supervisory body
shall inform the supervisory authorities under Regulation (EU) 2016/679 of the results of its audits.
3.Where the qualified trust service provider
fails to fulfil any of the requirements set out by this Regulation, the supervisory body shall require it to provide a
remedy within a set time limit, if applicable.
Where that provider does not provide a remedy
and, where applicable, does not do so within the time limit set by the supervisory body, the supervisory body,
taking into account in particular the extent, duration and
consequences of that failure, may withdraw the qualified status of that
provider or of the service concerned which it provides and request it,
where applicable within a set time limit, to comply with the
requirements of Directive XXXX/XXXX[NIS2]. The supervisory body shall inform the body referred to in Article 22(3) for the purposes of updating the trusted lists referred to in Article 22(1).
The supervisory body shall inform the qualified trust
service provider of the withdrawal of its qualified status or of the qualified status of the service
concerned.
4.Within 12 months of the entering into force of
this regulation, the Commission shall,
by means of implementing acts, establish reference numbers of standards for the following:
(a)the
accreditation of the conformity assessment bodies and for the conformity assessment report referred to
in paragraph 1;
(b)the auditing
requirements for the conformity assessment bodies to carry out their conformity assessment of the qualified trust
service providers as referred to in paragraph 1;
(c)the conformity
assessment schemes for carrying out the conformity assessment of the qualified trust service
providers by the conformity assessment bodies and for the provision of the conformity assessment
report referred to in paragraph 1.
Those implementing acts shall be adopted in
accordance with the examination procedure referred to in Article 48(2).
Article 21 Initiation of a qualified trust service
1.Where trust service providers, without qualified
status, intend to start providing qualified trust services, they shall submit to the supervisory body a notification of their
intention together with a conformity assessment report issued by a conformity assessment body.
2.The supervisory body shall verify whether the trust service provider and
the trust services provided by it
comply with the requirements laid down in this Regulation, and in particular, with the requirements for qualified trust
service providers and for the qualified trust services they provide.
In order to verify the compliance of the trust service provider with
the requirements laid down in Article 18 of Dir XXXX [NIS2], the supervisory body
shall request the competent authorities referred to in Dir XXXX [NIS2]
to carry out supervisory actions in that regard and to provide
information about the outcome within three days from their completion.
Where the supervisory body concludes that the trust service provider and
the trust services provided by it
comply with the requirements referred to in the first subparagraph, the supervisory body shall grant qualified status to
the trust service provider
and the trust services it provides
and inform the body referred to in Article
22(3) for the purposes of updating the trusted lists referred to in Article 22(1), not later than three months after notification in accordance with paragraph 1 of this Article.
Where the verification is not concluded within
three months of notification, the supervisory body shall inform the trust service provider specifying the
reasons for the delay and the period within which the verification is to be concluded.
3.Qualified trust service
providers may begin to provide the qualified trust service after the qualified status has been indicated in the trusted lists referred to in Article 22(1).
4.Within 12 months of the entering into force of
this Regulation, the Commission
shall, by means of implementing acts, define the formats and procedures
of the notification and verification for the purposes of paragraphs 1 and 2 of this Article. Those implementing acts shall be adopted in accordance with the
examination procedure referred to in Article
48(2).
Article 22 Trusted lists
1.Each Member State shall establish, maintain and publish
trusted lists, including information
related to the qualified trust service providers for which it is responsible, together with
information related to the qualified trust services provided by them.
2.Member States shall establish, maintain and publish, in a secured manner, the
electronically signed or sealed trusted
lists referred to in paragraph 1 in a
form suitable for automated processing.
3.Member States shall notify to the Commission, without undue delay, information on the body responsible for
establishing, maintaining and publishing national trusted lists, and details of where such lists are published, the certificates used
to sign or seal the trusted lists and
any changes thereto.
4.The Commission shall make available to the public, through a secure channel, the
information referred to in paragraph 3 in
electronically signed or sealed form suitable for automated processing.
5.By 18 September 2015 the Commission shall, by means of implementing
acts, specify the information referred to in paragraph 1 and define the technical specifications and formats for trusted lists
applicable for the purposes of paragraphs 1 to 4. Those implementing
acts shall be adopted in accordance with the examination procedure
referred to in Article 48(2).
Article 23 EU trust mark for qualified trust services
1.After the qualified status referred to in the
second subparagraph of Article 21(2) has
been indicated in the trusted list
referred to in Article 22(1), qualified trust
service providers may use the EU trust mark to indicate in a simple, recognisable and clear manner the
qualified trust services
they provide.
2.When using the EU trust mark for the qualified trust services
referred to in paragraph 1, qualified trust
service providers shall ensure that a link to the relevant trusted list is made available on their website.
2a.Paragraphs 1 and 2 shall also apply to trust service providers
established in third countries and to the services they provide,
provided that they have been recognised in the Union in accordance with Article 14.
3.By 1 July 2015 the Commission
shall, by means of implementing acts, provide for specifications with
regard to the form, and in particular the presentation, composition,
size and design of the EU trust mark for qualified trust services. Those implementing acts shall be adopted in accordance
with the examination procedure referred to in Article 48(2).
Article 24 Requirements for qualified trust service providers
1.When issuing a qualified certificate or a qualified electronic attestation of attributes for a trust service, a qualified trust service provider
shall verify the identity and, if applicable, any specific attributes of the natural or legal person to whom the qualified certificate or the
qualified electronic attestation of attribute is issued.
The information referred to in the first
subparagraph shall be verified by the qualified trust service provider, either directly or by relying on a third party,
in any of the following ways:
(a)by means of a
notified electronic
identification means which meets the requirements set out in Article 8 with regard to the assurance levels substantial or high;
(c)by
using other identification methods which ensure the identification of
the natural person with a high level of confidence, the conformity of
which shall be confirmed by a conformity assessment body;
(d)through
the physical presence of the natural person or of an authorised
representative of the legal person by appropriate procedures and in
accordance with national laws if other means are not available.
1a.Within 12 months after the entry into force
of this Regulation, the Commission
shall by means of implementing acts, set out minimum technical
specifications, standards and procedures with respect to the
verification of identity and attributes
in accordance with paragraph 1, point
(c). Those implementing acts shall be adopted in accordance with the examination procedure referred to
in Article 48(2).
2.A qualified trust service provider providing qualified trust services shall:
(a)inform the supervisory body of any change in
the provision of its qualified trust services and an intention to cease those activities;
(b)employ
staff and, if applicable, subcontractors who possess the necessary
expertise, reliability, experience, and qualifications and who have
received appropriate training regarding security and personal data
protection rules and shall apply administrative and management
procedures which correspond to European or international standards;
(c)with regard to
the risk of liability for damages in accordance with Article 13, maintain sufficient financial resources and/or obtain appropriate
liability insurance, in accordance with national law;
(d)before
entering into a contractual relationship, inform, in a clear,
comprehensive and easily accessible manner, in a publicly accessible
space and individually any person seeking to use a qualified trust service of the precise
terms and conditions regarding the use of that service, including any limitations on its use;
(e)use trustworthy
systems and products that are protected
against modification and ensure the technical security and reliability of the processes supported by them;
(f)use trustworthy
systems to store data provided to it, in a verifiable form so that:
(i)they are
publicly available for retrieval only where the consent of the person to whom the data relates has been
obtained,
(ii)only
authorised persons can make entries and changes to the stored data,
(iii)the data
can be checked for authenticity;
(fa)have
appropriate policies and take corresponding measures to manage legal,
business, operational and other direct or indirect risks to the
provision of the qualified
trust service.
Notwithstanding the provisions of Article 18 of Directive (EU) XXXX/XXXX
[NIS2], those measures shall include at least the following:
(i)measures
related to registration and on-boarding procedures to a service;
(ii)measures
related to procedural or administrative checks;
(iii)measures related to the management and implementation of services.
(fb)notify the supervisory body
and, where applicable, other relevant bodies of any linked breaches or
disruptions in the implementation of the measures referred to in
point (fa), points (i), (ii) and (iii), that have a significant
impact on the trust service
provided or on the personal data
maintained therein.
(g)take
appropriate measures against forgery, theft or misappropriation of data
or, without right, deleting, altering or rendering data inaccessible;
(h)record and keep
accessible for as long as necessary after the activities of the qualified trust service provider
have ceased, all relevant information concerning data issued and received by the qualified trust service
provider,
for the purpose of providing evidence in legal proceedings and for the
purpose of ensuring continuity of the service. Such recording may be
done electronically;
(i)have an
up-to-date termination plan to ensure continuity of service in accordance with provisions verified by the supervisory body under point (i) of Article 17(4);
(k)in case of qualified trust
service providers issuing qualified certificates, establish and keep updated a certificate database.
3.If a qualified trust service provider
issuing qualified certificates decides to revoke a certificate, it
shall register such revocation in its certificate database and publish
the revocation status of the certificate in a timely manner, and in any
event within 24 hours after the receipt of the request. The revocation
shall become effective immediately upon its publication.
4.With regard to paragraph 3, qualified trust service
providers issuing qualified certificates shall provide to any relying party
information on the validity or revocation status of qualified
certificates issued by them. This information shall be made available at
least on a per certificate basis at any time and beyond the validity
period of the certificate in an automated manner that is reliable, free
of charge and efficient.
4a.Paragraphs 3 and 4 shall apply accordingly to the revocation of electronic attestations of attributes.
5.Within 12 months of the entering into force of this Regulation, the Commission shall, by means of implementing acts, establish reference numbers of standards for the requirements referred to in paragraph 2. Compliance with the requirements laid down in this Article shall be presumed where trustworthy systems and products meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
6.The Commission shall be empowered to adopt delegated acts regarding the additional
measures referred to in paragraph 2(fa).
Section 4 Electronic signatures
Article 25 Legal effects of electronic signatures
1.An electronic signature
shall not be denied legal effect and admissibility as evidence in legal
proceedings solely on the grounds that it is in an electronic form or
that it does not meet the requirements for qualified electronic signatures.
2.A qualified electronic signature
shall have the equivalent legal effect of a handwritten signature.
3.A qualified electronic signature
based on a qualified certificate issued in one Member State shall be recognised as a qualified electronic signature in
all other Member States.
Article 26 Requirements for advanced electronic signatures
An advanced electronic signature shall
meet the following requirements:
(a)it is uniquely
linked to the signatory;
(b)it is capable of
identifying the signatory;
(c)it is created
using electronic
signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
(d)it is linked to
the data signed therewith in such a way that any subsequent change in the data is detectable.
Article 27 Electronic signatures in public services
1.If a Member State requires an advanced electronic signature to use an online service offered by, or on behalf of, a public sector body, that Member State shall recognise advanced electronic signatures, advanced electronic signatures based on a qualified certificate for electronic signatures, and qualified electronic signatures in at least the formats or using methods defined in the implementing acts referred to in paragraph 5.
2.If a Member State requires an advanced electronic signature based on a qualified certificate to use an online service offered by, or on behalf of, a public sector body, that Member State shall recognise advanced electronic signatures based on a qualified certificate and qualified electronic signatures in at least the formats or using methods defined in the implementing acts referred to in paragraph 5.
3.Member States shall not request for cross-border use in an online service offered
by a public sector body an electronic signature at a
higher security level than the qualified electronic signature.
4.The Commission may, by means of implementing acts, establish reference numbers of
standards for advanced
electronic signatures. Compliance with the requirements for advanced electronic signatures
referred to in paragraphs 1 and 2 of this Article and in Article 26 shall be presumed when an advanced electronic signature meets
those standards. Those implementing acts shall be adopted in accordance with the examination procedure
referred to in Article 48(2).
5.By 18 September 2015, and taking into account existing practices, standards and Union legal acts, the Commission shall, by means of implementing acts, define reference formats of advanced electronic signatures or reference methods where alternative formats are used. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
Article 28 Qualified certificates for electronic signatures
1.Qualified certificates for electronic signatures shall meet the
requirements laid down in Annex I.
2.Qualified certificates for electronic signatures shall not be subject
to any mandatory requirement exceeding the requirements laid down in Annex I.
3.Qualified certificates for electronic signatures may include
non-mandatory additional specific attributes. Those attributes shall not affect the interoperability and recognition of qualified electronic
signatures.
4.If a qualified certificate for electronic signatures has been revoked after initial activation, it shall lose its validity from the moment of its revocation, and its status shall not in any circumstances be reverted.
5.Subject to the following conditions, Member States may lay down national rules
on temporary suspension of a qualified certificate
for electronic signature:
(a)if a qualified certificate for electronic signature has been temporarily suspended that
certificate shall lose its validity for the period of suspension;
(b)the
period of suspension shall be clearly indicated in the certificate
database and the suspension status shall be visible, during the period
of suspension, from the service providing information on the status of
the certificate.
6.Within 12 months after the entry into force of
this Regulation, the Commission shall,
by means of implementing acts, establish reference numbers of standards for qualified certificates
for electronic signature. Compliance with the requirements laid down in Annex I shall be presumed where a qualified certificate
for electronic signature meets those standards. Those implementing acts shall be adopted in accordance
with the examination procedure referred to in Article 48(2).
Article 29 Requirements for qualified electronic signature
creation devices
1a.Generating, managing and duplicating electronic
signature creation data on behalf of the signatory may only be done by a qualified trust service provider
providing a qualified trust
service for the management of a remote electronic qualified signature creation
device.
2.The Commission may, by means of implementing acts, establish reference numbers of
standards for qualified electronic signature creation devices. Compliance with the requirements
laid down in Annex II shall be presumed where a
qualified electronic signature creation device meets those standards. Those
implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
Article 29a Requirements for a qualified service for the
management of remote electronic signature creation devices
1.The management of remote qualified electronic
signature creation devices as a qualified service may only be carried out by a qualified trust service provider
that:
(a)generates or manages electronic signature creation data on behalf of the signatory;
(b)notwithstanding point (1)(d) of Annex II, duplicates the electronic signature creation data only for back-up purposes provided the following requirements are met:
the security of the duplicated datasets must be at the same level as for the original datasets;
the number of duplicated datasets shall not exceed the minimum needed to ensure continuity of the service.
(c)complies with
any requirements identified in the certification report of the specific remote qualified signature creation
device issued pursuant to Article 30.
2.Within 12 months of the entering into force
of this Regulation, the Commission
shall, by means of implementing acts, establish technical
specifications and reference numbers of standards for the purposes of paragraph 1.
Article 30 Certification of qualified electronic signature
creation devices
1.Conformity of qualified electronic
signature creation devices with the requirements laid down in Annex II shall be certified by appropriate public or private bodies designated by Member States.
2.Member States shall notify to the Commission the names and addresses of the public or private body referred to in
paragraph 1. The Commission shall make that information
available to Member States.
3.The certification referred to in paragraph 1 shall be based on one of the
following:
(a)a security evaluation process carried out in accordance with one of the standards for the security assessment of information technology products included in the list established in accordance with the second subparagraph; or
(b)a process other than the process referred to in point (a), provided that it uses comparable security levels and provided that the public or private body referred to in paragraph 1 notifies that process to the Commission. That process may be used only in the absence of standards referred to in point (a) or when a security evaluation process referred to in point (a) is ongoing.
The Commission shall, by means of implementing acts, establish a list of standards for the security assessment of information technology products referred to in point (a). Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
3a.The certification referred to in paragraph 1 shall be valid for 5 years, conditional upon a regular 2-year vulnerability assessment. Where vulnerabilities are identified and not remedied, the certification shall be withdrawn.
4.The Commission shall be empowered to adopt delegated acts in accordance with Article 47 concerning the establishment of
specific criteria to be met by the designated bodies referred to in paragraph 1 of this Article.
Article 31 Publication of a list of certified qualified
electronic signature creation devices
1.Member States shall notify to the Commission without undue delay and no later than one month after the
certification is concluded, information on qualified electronic
signature creation devices that have been certified by the bodies referred to in Article 30(1). They shall also notify to the Commission, without undue delay and no later
than one month after the certification is cancelled, information on electronic signature creation
devices that are no longer certified.
2.On the basis of the information received, the Commission shall establish, publish
and maintain a list of certified qualified electronic
signature creation devices.
3.Within 12 months of the entering into force of
this Regulation, the Commission shall,
by means of implementing acts, define formats and procedures applicable for the purpose of paragraph 1. Those implementing acts shall be adopted in
accordance with the examination procedure referred to in Article 48(2).
Article 32 Requirements for the validation of qualified
electronic signatures
1.The process for the validation of a qualified electronic signature
shall confirm the validity of a qualified electronic signature provided that:
(a)the certificate that supports the signature was, at the time of signing, a qualified certificate for electronic signature complying with Annex I;
(b)the qualified
certificate was issued by a qualified trust service provider and was valid at the time of signing;
(c)the signature
validation data corresponds to
the data provided to the relying
party;
(d)the unique set
of data representing the signatory in
the certificate is correctly provided to the relying party;
(e)the use of any
pseudonym is clearly indicated to the relying party if a pseudonym was used at the time of signing;
(g)the integrity
of the signed data has not been compromised;
(h)the
requirements provided for in Article 26 were met
at the time of signing.
Compliance with the requirements laid down in the first subparagraph shall be presumed where the validation of qualified electronic signatures meets the standards referred to in paragraph 3.
2.The system used for validating the qualified electronic
signature shall provide to the relying party the correct result of the validation process and shall allow the relying party to detect any security
relevant issues.
3.Within 12 months of the entering into force of
this Regulation, the Commission shall,
by means of implementing acts, establish reference numbers of standards for the validation of qualified electronic signatures.
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
Article 33 Qualified validation service for qualified
electronic signatures
(a)provides validation in compliance with Article 32(1); and
(b)allows relying parties to receive the result
of the validation process in an
automated manner, which is reliable, efficient and bears the advanced electronic signature or advanced electronic seal
of the provider of the qualified validation service.
2.The Commission may, by means of implementing acts, establish reference numbers of
standards for qualified validation
service referred to in paragraph 1.
Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation service for a qualified electronic signature
meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure
referred to in Article 48(2).
Article 34 Qualified preservation service for qualified
electronic signatures
1.A qualified preservation service for qualified electronic
signatures may only be provided by a qualified trust service provider
that uses procedures and technologies capable of extending the trustworthiness of the qualified electronic signature
beyond the technological validity period.
2.Compliance with the requirements laid down in paragraph 1 shall be presumed where the arrangements for the qualified preservation service for qualified electronic signatures meet the standards referred to in paragraph 3.
3.Within 12 months of the entering into force of this Regulation, the Commission shall, by means of implementing acts, establish reference numbers of standards for the qualified preservation service for qualified electronic signatures. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
Section 5 Electronic seals
Article 35 Legal effects of electronic seals
1.An electronic seal
shall not be denied legal effect and admissibility as evidence in legal
proceedings solely on the grounds that it is in an electronic form or
that it does not meet the requirements for qualified electronic seals.
2.A qualified electronic seal shall enjoy
the presumption of integrity of the data and of correctness of the origin of that data to which the qualified electronic
seal is linked.
3.A qualified electronic seal based on a
qualified certificate issued in one Member
State shall be recognised as a qualified electronic seal in all other Member States.
Article 36 Requirements for advanced electronic seals
An advanced electronic seal shall meet the
following requirements:
(a)it is uniquely
linked to the creator of the seal;
(b)it is capable of
identifying the creator of the seal;
(c)it is created
using electronic seal
creation data that the creator of the seal can, with a high level of confidence under its control, use
for electronic seal creation; and
(d)it is linked to
the data to which it relates in such a way that any subsequent change in the data is detectable.
Article 37 Electronic seals in public services
1.If a Member State requires an advanced electronic seal in order to use an online service offered by, or on behalf of, a public sector body, that Member State shall recognise advanced electronic seals, advanced electronic seals based on a qualified certificate for electronic seals and qualified electronic seals at least in the formats or using methods defined in the implementing acts referred to in paragraph 5.
2.If a Member State requires an advanced electronic seal based on a qualified certificate in order to use an online service offered by, or on behalf of, a public sector body, that Member State shall recognise advanced electronic seals based on a qualified certificate and qualified electronic seals at least in the formats or using methods defined in the implementing acts referred to in paragraph 5.
2a.Compliance with the requirements for advanced electronic seals
referred to in Article 36 and in paragraph 5 of this Article shall be
presumed where an advanced
electronic seal meets the standards referred to in paragraph 4.
3.Member States shall not request for the cross-border use in an online service
offered by a public sector body
an electronic seal at a higher
security level than the qualified electronic seal.
4.Within 12 months of the entering into force of
this Regulation, the Commission shall,
by means of implementing acts, establish reference numbers of standards for advanced electronic seals. Those
implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
5.By 18 September 2015, and taking into account
existing practices, standards and legal acts of the Union, the Commission shall, by means of implementing acts, define reference formats of advanced electronic seals
or reference methods where alternative formats are used. Those
implementing acts shall be adopted in accordance with the examination
procedure referred to in Article 48(2).
Article 38 Qualified certificates for electronic seals
1.Qualified certificates for electronic seals shall meet the requirements laid
down in Annex III. Compliance with the
requirements laid down in Annex III shall be
presumed where a qualified certificate for electronic seal meets the standards referred to in paragraph 6.
2.Qualified certificates for electronic seals shall not be subject to any
mandatory requirements exceeding the requirements laid down in Annex III.
3.Qualified certificates for electronic seals may include non-mandatory
additional specific attributes. Those
attributes shall not affect the
interoperability and recognition of qualified electronic seals.
4.If a qualified certificate for an electronic seal
has been revoked after initial activation, it shall lose its validity
from the moment of its revocation, and its status shall not in any
circumstances be reverted.
5.Subject to the following conditions, Member States may lay down national rules
on temporary suspension of qualified certificates for electronic seals:
(a)if a qualified
certificate for electronic seal has been temporarily suspended, that certificate shall lose its
validity for the period of suspension;
(b)the
period of suspension shall be clearly indicated in the certificate
database and the suspension status shall be visible, during the period
of suspension, from the service providing information on the status of
the certificate.
6.Within 12 months of the entering into force of
this Regulation, the Commission shall,
by means of implementing acts, establish reference numbers of standards for qualified certificates for electronic seals. Those
implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
Article 39 Qualified electronic seal creation devices
1.Article 29 shall apply mutatis mutandis to requirements for qualified electronic seal
creation devices.
2.Article 30 shall apply mutatis mutandis to the certification of qualified electronic seal
creation devices.
3.Article 31 shall apply mutatis mutandis to the publication of a list of certified qualified
electronic seal creation devices.
Article 39a Requirements for a qualified service for the
management of remote electronic seal creation devices
Article 29a shall apply mutatis mutandis to a qualified service for the management
of remote electronic
seal creation devices.
Article 40 Validation and preservation of qualified
electronic seals
Articles 32, 33 and 34 shall apply mutatis mutandis to the validation and preservation of qualified electronic seals.
Section 6 Electronic time stamps
Article 41 Legal effect of electronic time stamps
1.An electronic time stamp
shall not be denied legal effect and admissibility as evidence in legal
proceedings solely on the grounds that it is in an electronic form or
that it does not meet the requirements of the qualified electronic time stamp.
2.A qualified electronic time stamp
shall enjoy the presumption of the accuracy of the date and the time it
indicates and the integrity of the data to which the date and time are
bound.
Article 42 Requirements for qualified electronic time stamps
1.A qualified electronic time stamp
shall meet the following requirements:
(a)it
binds the date and time to data in such a manner as to reasonably
preclude the possibility of the data being changed undetectably;
(b)it is based on
an accurate time source linked to Coordinated Universal Time; and
1a.Compliance with the requirements laid down
in paragraph 1 shall be presumed where the
binding of date and time to data and the accurate time source meet the standards referred to in paragraph 2.
2.Within 12 months of the entering into force of
this Regulation, the Commission
shall, by means of implementing acts, establish reference numbers of
standards for the binding of date and time to data and for accurate time
sources. Those implementing acts shall be adopted in accordance with
the examination procedure referred to in Article 48(2).
Section 7 Electronic registered delivery services
Article 43 Legal effect of an electronic registered delivery
service
1.Data sent and received using an electronic
registered delivery service
shall not be denied legal effect and admissibility as evidence in legal
proceedings solely on the grounds that it is in an electronic form or
that it does not meet the requirements of the qualified electronic
registered delivery service.
2.Data sent and received using a qualified electronic registered delivery service
shall enjoy the presumption of the integrity of the data, the sending
of that data by the identified sender, its receipt by the identified
addressee and the accuracy of the date and time of sending and receipt
indicated by the qualified electronic registered delivery service.
Article 44 Requirements for qualified electronic registered
delivery services
(a)they are
provided by one or more qualified trust service provider(s);
(b)they ensure
with a high level of confidence the identification of the sender;
(c)they ensure the
identification of the addressee before the delivery of the data;
(d)the sending and
receiving of data is secured by an advanced electronic signature or an advanced electronic seal of a qualified trust
service provider in such a manner as to preclude the possibility of the data being changed
undetectably;
(e)any
change of the data needed for the purpose of sending or receiving the
data is clearly indicated to the sender and addressee of the data;
(f)the date and
time of sending, receiving and any change of data are indicated by a qualified electronic time stamp.
In the event of the data being transferred
between two or more qualified trust service providers, the requirements in points (a) to (f) shall
apply to all the qualified trust service providers.
1a.Compliance with the requirements laid down
in paragraph 1 shall be presumed where the
process for sending and receiving data meets the standards referred to in paragraph 2.
2.Within 12 months of the entering into force of
this Regulation, the Commission
shall, by means of implementing acts, establish reference numbers of
standards for processes for sending and receiving data. Those
implementing acts shall be adopted in accordance with the examination
procedure referred to in Article 48(2).
Section 8 Website authentication
Article 45 Requirements for qualified certificates for
website authentication
1.Qualified certificates for website
authentication shall meet the requirements laid down in Annex IV. Qualified certificates for website
authentication shall be deemed compliant with the requirements laid down in Annex IV where they meet the standards referred to in paragraph 3.
2.Qualified certificates for website authentication referred to in paragraph 1 shall be recognised by web-browsers. For those purposes web-browsers shall ensure that the identity data provided using any of the methods is displayed in a user friendly manner. Web-browsers shall ensure support and interoperability with qualified certificates for website authentication referred to in paragraph 1, with the exception of enterprises, considered to be microenterprises and small enterprises in accordance with Commission Recommendation 2003/361/EC in the first 5 years of operating as providers of web-browsing services.
3.Within 12 months of the entering into force of this Regulation, the Commission shall, by means of implementing acts, provide the specifications and reference numbers of standards for qualified certificates for website authentication referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
Section 9 ELECTRONIC ATTESTATION OF ATTRIBUTES
Article 45a Legal effects of electronic attestation of
attributes
1.An electronic attestation of attributes shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form.
2.A qualified electronic
attestation of attributes shall have the same legal effect as lawfully issued attestations in paper
form.
Article 45b Electronic attestation of attributes in public
services
Article 45c Requirements for qualified attestation of
attributes
1.Qualified electronic
attestation of attributes shall meet the requirements laid down in Annex V. A qualified electronic
attestation of attributes shall be deemed to be compliant with the requirements laid down in Annex V, where it meets the standards referred to in
paragraph 4.
2.Qualified electronic
attestations of attributes shall not be subject to any mandatory requirement in addition to the
requirements laid down in Annex V.
3.Where a qualified electronic attestation of attributes has been revoked after initial issuance, it shall lose its validity from the moment of its revocation, and its status shall not in any circumstances be reverted.
4.Within 6 months of the entering into force of
this Regulation, the Commission shall
establish reference numbers of standards for qualified electronic
attestations of attributes by means of an implementing act on the implementation of the European Digital
Identity Wallets as referred to in Article 6a(10).
Article 45d Verification of attributes against authentic
sources
1.Member States shall ensure that, at least for the attributes listed in Annex VI, wherever these attributes rely on authentic sources within the public sector,
measures are taken to allow qualified providers of electronic attestations of
attributes to verify by electronic means at the request of the user, the authenticity of the attribute directly against the relevant
authentic source at national
level or via designated intermediaries recognised at national level in accordance with national or Union
law.
2.Within 6 months of the entering into force of
this Regulation, taking into account relevant international standards, the Commission shall set out the minimum technical
specifications, standards and procedures with reference to the catalogue of attributes and schemes for the attestation of attributes and verification procedures
for qualified electronic attestations of attributes by means of an implementing act on
the implementation of the European Digital Identity Wallets as referred to in Article 6a(10).
Article 45e Issuing of electronic attestation of attributes
to the European Digital Identity Wallets
Article 45f Additional rules for the provision of electronic
attestation of attributes services
1.Providers of qualified and non-qualified electronic attestation of attributes services shall not combine personal data relating to the
provision of those services with personal data from any other services offered by them.
2.Personal data relating to the provision of electronic
attestation of attributes services shall be kept logically separate from other data held.
3.Personal data relating to the provision of qualified electronic attestation of attributes services shall be kept physically
and logically separate from any other data held.
4.Providers of qualified electronic
attestation of attributes services shall provide such services under a separate legal entity.
Section 10 QUALIFIED ELECTRONIC ARCHIVING SERVICES
Article 45g Qualified electronic archiving services
A qualified electronic archiving
service for electronic
documents may only be provided by a qualified trust service provider
that uses procedures and technologies capable of extending the trustworthiness of the electronic document beyond the technological
validity period.
Within 12 months after the entry into force of
this Regulation, the Commission shall,
by means of implementing acts, establish reference numbers of standards for electronic archiving services. Those
implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
Section 11 ELECTRONIC LEDGERS
Article 45h Legal effects of electronic ledgers
1.An electronic ledger
shall not be denied legal effect and admissibility as evidence in legal
proceedings solely on the grounds that it is in an electronic form or
that it does not meet the requirements for qualified electronic ledgers.
2.A qualified electronic ledger
shall enjoy the presumption of the uniqueness and authenticity of the
data it contains, of the accuracy of their date and time, and of their
sequential chronological ordering within the ledger.
Article 45i Requirements for qualified electronic ledgers
1.Qualified electronic ledgers shall meet the following
requirements:
(a)they are
created by one or more qualified trust service provider or providers;
(b)they ensure
the uniqueness, authenticity and correct sequencing of data entries recorded in the ledger;
(c)they
ensure the correct sequential chronological ordering of data in the
ledger and the accuracy of the date and time of the data entry;
(d)they record
data in such a way that any subsequent change to the data is immediately detectable.
2.Compliance with the requirements laid down in
paragraph 1 shall be presumed where an electronic ledger meets the
standards referred to in paragraph 3.
3.The Commission may, by means of implementing acts, establish reference numbers of standards for the processes of execution and registration of a set of data into, and the creation, of a qualified electronic ledger. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
Chapter IV ELECTRONIC DOCUMENTS
Article 46 Legal effects of electronic documents
An electronic document
shall not be denied legal effect and admissibility as evidence in legal
proceedings solely on the grounds that it is in electronic form.
Chapter V DELEGATIONS OF POWER AND IMPLEMENTING PROVISIONS
Article 47 Exercise of the delegation
1.The power to adopt delegated acts is conferred
on the Commission subject to the
conditions laid down in this Article.
2.The power to adopt delegated acts referred to
in Article 30(4) shall be conferred on the Commission for an indeterminate
period of time from 17 September 2014.
3.The delegation of power referred to in Article 30(4)
may be revoked at any time by the European Parliament or by the
Council. A decision to revoke shall put an end to the delegation of the
power specified in that decision. It shall take effect the day following
the publication of the decision in the Official Journal of the European
Union or at a later date specified therein. It shall not affect the
validity of any delegated acts already in force.
4.As soon as it adopts a delegated act, the Commission shall notify it
simultaneously to the European Parliament and to the Council.
5.A delegated act adopted pursuant to Article 30(4)
shall enter into force only if no objection has been expressed either
by the European Parliament or the Council within a period of two months
of notification of that act to the European Parliament and the Council
or if, before the expiry of that period, the European Parliament and the
Council have both informed the
Commission
that they will not object. That period shall be extended by two months
at the initiative of the European Parliament or of the Council.
Article 48 Committee procedure
1.The Commission shall be assisted by a committee. That committee shall be a
committee within the meaning of Regulation (EU) No 182/2011.
2.Where reference is made to this paragraph,
Article 5 of Regulation (EU) No 182/2011 shall apply.
Article 48a Reporting requirements
1.Member States shall ensure the collection of statistics in relation to the
functioning of the European Digital Identity Wallets and the qualified trust services.
2.The statistics collected in accordance with
paragraph 1, shall include the following:
(a)the number of
natural and legal persons having a valid European Digital Identity
Wallet;
(b)the type and
number of services accepting the use of the European Digital Wallet;
(c)incidents and
down time of the infrastructure at national level preventing the use of Digital Identity Wallet Apps.
3.The statistics referred to in paragraph 2 shall be made available to the
public in an open and commonly used, machine-readable format.
4.By March each year, Member States shall submit to the Commission a report on the statistics
collected in accordance with paragraph 2.
Chapter VI FINAL PROVISIONS
Article 49 Review
1.The Commission
shall review the application of this Regulation and shall report to the
European Parliament and to the Council within 24 months after its
entering into force. The Commission
shall evaluate in particular whether it is appropriate to modify the
scope of this Regulation or its specific provisions taking into account
the experience gained in the application of this Regulation, as well as
technological, market and legal developments. Where necessary, that
report shall be accompanied by a proposal for amendment of this
Regulation.
2.The evaluation report shall include an
assessment of the availability and usability of the identification means including European Digital Identity
Wallets in scope of this Regulation and assess whether all online private service providers relying on
third party electronic
identification services for users' authentication, shall be mandated to accept the use of notified electronic identification means
and European
3.In addition, the Commission
shall submit a report to the European Parliament and the Council every
four years after the report referred to in the first paragraph on the
progress towards achieving the objectives of this Regulation.
Article 50 Repeal
1.Directive 1999/93/EC is repealed with effect
from 1 July 2016.
2.References to the repealed Directive shall be
construed as references to this Regulation.
Article 51 Transitional measures
1.Secure
signature creation devices of which the conformity has been determined
in accordance with Article 3(4) of Directive 1999/93/EC shall continue
to be considered as qualified electronic signature creation devices under this Regulation until [date
OJ please insert period of four years following the entry into force of this Regulation].
2.Qualified
certificates issued to natural persons under Directive 1999/93/EC shall
continue to be considered as qualified certificates for electronic signatures under this Regulation
until [date PO please insert a period of four years following the entry into force of this Regulation].
Article 52 Entry into force
1.This
Regulation shall enter into force on the twentieth day following that
of its publication in the Official Journal of the European Union.
2.This Regulation shall apply from 1 July 2016,
except for the following:
(a)Articles
8(3), 9(5), 12(2) to (9), 17(8), 19(4), 20(4), 21(4), 22(5), 23(3),
24(5), 27(4) and (5), 28(6), 29(2), 30(3) and (4), 31(3), 32(3), 33(2),
34(2), 37(4) and (5), 38(6), 42(2), 44(2), 45(2), and Articles 47 and 48 shall apply
from 17 September 2014;
(b)Article 7, Article 8(1) and (2), Articles 9, 10, 11 and Article 12(1) shall apply from the date of application of
the implementing acts referred to in Articles 8(3) and 12(8);
(c)Article 6 shall
apply from three years as from the date of application of the implementing acts referred to in Articles 8(3) and 12(8).
3.Where the notified electronic identification scheme
is included in the list published by the
Commission pursuant to Article 9 before the
date referred to in point (c) of
paragraph 2 of this Article, the recognition of the electronic identification means
under that scheme pursuant to Article 6 shall take place no later than
12 months after the publication of that scheme but not before the date
referred to in point (c) of paragraph 2
of this Article.
4.Notwithstanding point (c) of paragraph 2 of this Article, a Member State may decide that electronic identification means
under electronic
identification scheme notified pursuant to Article 9(1) by another Member State are recognised in the first Member State as from the date of application of the implementing acts referred to
in Articles 8(3) and 12(8). Member States concerned shall inform the Commission. The
Commission shall make this information public.
This Regulation shall be binding in its entirety
and directly applicable in all Member
States.
For the Parliament For the Council
The President The President
Annex I REQUIREMENTS FOR QUALIFIED CERTIFICATES FOR ELECTRONIC
SIGNATURES
Qualified certificates for electronic signatures shall contain:
(a)an indication, at
least in a form suitable for automated processing, that the certificate has been issued as a qualified certificate for electronic signature;
(b)a set of data
unambiguously representing the qualified trust service provider issuing the qualified certificates including at
least, the Member State in which that
provider is established and:
for a legal person:
the name and, where applicable, registration number as stated in the official records,
for a natural person:
the person's name;
(c)at least the name
of the signatory, or a pseudonym; if a
pseudonym is used, it shall be clearly indicated;
(e)details of the
beginning and end of the certificate's period of validity;
(f)the certificate
identity code, which must be unique for the qualified trust service
provider;
(h)the location where
the certificate supporting the advanced electronic signature or advanced electronic seal referred to in
point (g) is available free of charge;
(i)the
information, or the location of the services that can be used to
enquire, about the validity status of the qualified certificate;
(j)where the electronic
signature creation data related to the electronic signature validation data is located in a qualified electronic
signature creation device, an appropriate indication of this, at least in a form suitable for
automated processing.
Annex II REQUIREMENTS FOR QUALIFIED ELECTRONIC SIGNATURE
CREATION DEVICES
1.Qualified electronic
signature creation devices shall ensure, by appropriate technical and procedural means, that at least:
(a)the
confidentiality of the electronic signature creation data used for electronic signature creation is reasonably
assured;
(b)the electronic
signature creation data used for electronic signature creation can practically occur only once;
(c)the electronic
signature creation data used for electronic signature creation cannot, with reasonable assurance, be derived and the
electronic signature is
reliably protected against forgery using currently available technology;
(d)the electronic
signature creation data used for electronic signature creation can be reliably protected by the legitimate signatory against use by others.
2.Qualified electronic
signature creation devices shall not alter the data to be signed or prevent such data from being
presented to the signatory prior to
signing.
Annex III REQUIREMENTS FOR QUALIFIED CERTIFICATES FOR
ELECTRONIC SEALS
Qualified certificates for electronic seals shall contain:
(a)an indication, at
least in a form suitable for automated processing, that the certificate has been issued as a qualified
certificate for electronic seal;
(b)a set of data
unambiguously representing the qualified trust service provider issuing the qualified certificates including at
least the Member State in which that
provider is established and:
for a legal person:
the name and, where applicable, registration number as stated in the official records,
for a natural
person: the person's name;
(c)at least the name
of the creator of the seal and, where applicable, registration number as stated in the official records;
(e)details of the
beginning and end of the certificate's period of validity;
(f)the certificate
identity code, which must be unique for the qualified trust service
provider;
(h)the location
where the certificate supporting the advanced electronic signature or advanced electronic seal referred to in
point (g) is available free of charge;
(i)the
information, or the location of the services that can be used to
enquire, about the validity status of the qualified certificate;
(j)where the electronic seal creation
data related to the electronic
seal validation data is
located in a qualified electronic seal creation device, an appropriate indication of this, at
least in a form suitable for automated processing.
Annex IV REQUIREMENTS FOR QUALIFIED CERTIFICATES FOR WEBSITE
AUTHENTICATION
Qualified certificates for website authentication shall contain:
(a)an indication, at
least in a form suitable for automated processing, that the certificate has been issued as a qualified certificate for website authentication;
(b)a set of data
unambiguously representing the qualified trust service provider issuing the qualified certificates including at
least the Member State in which that
provider is established and:
for a legal person:
the name and, where applicable, registration number as stated in the official records,
for a natural person:
the person's name;
(c)for
natural persons: at least the name of the person to whom the
certificate has been issued, or a pseudonym. If a pseudonym is used, it
shall be clearly indicated; for legal persons: at least the name of the
legal person to whom the certificate is issued and, where applicable,
registration number as stated in the official records;
(d)elements
of the address, including at least city and State, of the natural or
legal person to whom the certificate is issued and, where applicable, as
stated in the official records;
(e)the domain name(s)
operated by the natural or legal person to whom the certificate is issued;
(f)details of the
beginning and end of the certificate's period of validity;
(g)the certificate
identity code, which must be unique for the qualified trust service
provider;
(i)the location where
the certificate supporting the advanced electronic signature or advanced electronic seal referred to in
point (h) is available free of charge;
(j)the
information, or the location of the certificate validity status
services that can be used to enquire, about the validity status of the
qualified certificate.
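Point (a) of Annexes I, III and IV, and point (j) of Annexes I and III, require an indication "at least in a form suitable for automated processing". The following added example (written for this annotation; it is neither the Regulation's text nor code from any certificate library) shows what a relying party's software actually checks. It assumes, from ETSI EN 319 412-5 and RFC 3739 rather than from the Regulation, that the indication is carried in the X.509 qcStatements extension (id-pe-qcStatements, 1.3.6.1.5.5.7.1.3), whose value is a DER SEQUENCE OF statements each identified by an OID: 0.4.0.1862.1.1 (QcCompliance, "issued as a qualified certificate"), 0.4.0.1862.1.4 (QcSSCD, private key held in a qualified creation device, Annex I(j)/III(j)) and 0.4.0.1862.1.6 (QcType, naming esign, eseal or web, which tells the relying party which Annex applies). The three sample extension values are hand-constructed DER, not taken from real certificates.

```python
"""Decode an X.509 qcStatements extension value and map it onto the Annex points.

Added example; the OIDs and ASN.1 shapes below are assumptions taken from
ETSI EN 319 412-5 / RFC 3739:
  QCStatements ::= SEQUENCE OF QCStatement
  QCStatement  ::= SEQUENCE { statementId OBJECT IDENTIFIER, statementInfo ANY OPTIONAL }
"""
from __future__ import annotations

QC_COMPLIANCE = "0.4.0.1862.1.1"   # issued as a qualified certificate
QC_SSCD = "0.4.0.1862.1.4"         # key in a qualified signature/seal creation device
QC_TYPE = "0.4.0.1862.1.6"         # statementInfo: SEQUENCE OF OID naming the type
QC_TYPE_NAMES = {"0.4.0.1862.1.6.1": "esign", "0.4.0.1862.1.6.2": "eseal",
                 "0.4.0.1862.1.6.3": "web"}


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position after the element). Definite lengths, low tag numbers only."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated element")
    return tag, value, pos + length


def decode_oid(value: bytes) -> str:
    """Base-128 OID contents to dotted form; the first byte packs the first two arcs."""
    arcs: list[int] = []
    acc = 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            if not arcs:
                first = min(acc // 40, 2)
                arcs += [first, acc - 40 * first]
            else:
                arcs.append(acc)
            acc = 0
    if acc:
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))


def parse_qc_statements(ext_value: bytes) -> list[tuple[str, bytes]]:
    """Return [(statementId, raw statementInfo)] from a DER QCStatements value."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("qcStatements must be exactly one SEQUENCE")
    statements, pos = [], 0
    while pos < len(body):
        stag, sbody, pos = read_tlv(body, pos)
        if stag != 0x30:
            raise ValueError("QCStatement must be a SEQUENCE")
        otag, oid, info_start = read_tlv(sbody, 0)
        if otag != 0x06:
            raise ValueError("statementId must be an OBJECT IDENTIFIER")
        statements.append((decode_oid(oid), sbody[info_start:]))
    return statements


def qc_types(info: bytes) -> list[str]:
    """QcType statementInfo is SEQUENCE OF OBJECT IDENTIFIER."""
    tag, body, _ = read_tlv(info, 0)
    if tag != 0x30:
        raise ValueError("QcType info must be a SEQUENCE")
    types, pos = [], 0
    while pos < len(body):
        otag, oid, pos = read_tlv(body, pos)
        if otag != 0x06:
            raise ValueError("QcType entries must be OBJECT IDENTIFIERs")
        types.append(QC_TYPE_NAMES.get(decode_oid(oid), decode_oid(oid)))
    return types


def annex_indications(ext_value: bytes) -> dict[str, object]:
    stmts = dict(parse_qc_statements(ext_value))
    return {
        "qualified": QC_COMPLIANCE in stmts,          # Annex I(a), III(a), IV(a)
        "key_in_qscd": QC_SSCD in stmts,              # Annex I(j), III(j)
        "types": qc_types(stmts[QC_TYPE]) if QC_TYPE in stmts else [],  # which Annex applies
    }


# Constructed sample extension values (DER); each OID is 06 <len> 04 00 8E 46 01 ...
SAMPLES = {
    # qualified signature certificate: QcCompliance, QcSSCD, QcType { esign }
    "qes": bytes.fromhex(
        "30 29"
        "  30 08 06 06 04 00 8E 46 01 01"
        "  30 08 06 06 04 00 8E 46 01 04"
        "  30 13 06 06 04 00 8E 46 01 06  30 09 06 07 04 00 8E 46 01 06 01"),
    # qualified website authentication certificate: QcCompliance, QcType { web }
    "qwac": bytes.fromhex(
        "30 1F"
        "  30 08 06 06 04 00 8E 46 01 01"
        "  30 13 06 06 04 00 8E 46 01 06  30 09 06 07 04 00 8E 46 01 06 03"),
    # type statement only, no QcCompliance: not a qualified certificate
    "unqualified": bytes.fromhex(
        "30 15"
        "  30 13 06 06 04 00 8E 46 01 06  30 09 06 07 04 00 8E 46 01 06 03"),
}


def demo() -> dict[str, object]:
    results: dict[str, object] = {name: annex_indications(ext) for name, ext in SAMPLES.items()}
    try:                                    # header claims 8 bytes of content, only 4 follow
        annex_indications(bytes.fromhex("30 08 06 06 04 00"))
        results["truncated"] = "accepted"
    except ValueError:
        results["truncated"] = "rejected"
    return results
```

A positive result here is only the issuer's own assertion. Before treating a certificate as qualified, the relying party must still confirm that the issuing provider and this service appear in the relevant trusted list (Article 22) and must consult the validity status service that point (i) (Annexes I and III) or point (j) (Annex IV) obliges the certificate to name; the parser also rejects truncated or mis-typed encodings rather than guessing, because a lenient decoder is how a non-qualified certificate ends up being accepted as qualified.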
Annex V REQUIREMENTS FOR QUALIFIED ELECTRONIC ATTESTATION OF
ATTRIBUTES
Qualified electronic attestations of attributes shall contain:
(a)an indication, at
least in a form suitable for automated processing, that the attestation has been issued as a qualified electronic attestation of attributes;
(b)a set of data
unambiguously representing the qualified trust service provider issuing the qualified electronic
attestation of attributes including at least, the Member State in which that provider is established and:
for a legal person:
the name and, where applicable, registration number as stated in the official records,
for a natural person:
the person's name;
(c)a set of data
unambiguously representing the entity to which the attested attributes is referring to; if a pseudonym is used, it shall be clearly indicated;
(d)the attested attribute or attributes, including, where applicable, the
information necessary to identify the scope of those attributes;
(e)details of the
beginning and end of the attestation's period of validity;
(f)the attestation
identity code, which must be unique for the qualified trust service provider
and if applicable the indication of the scheme of attestations that the attestation of attributes is part of;
(h)the location where
the certificate supporting the advanced electronic signature or advanced electronic seal referred to in
point (f) is available free of charge;
(i)the information or
location of the services that can be used to enquire about the validity status of the qualified attestation.
Annex VI MINIMUM LIST OF ATTRIBUTES
Further to Article 45d, Member
States shall ensure that measures are taken to allow qualified providers of electronic attestations of
attributes to verify by electronic means at the request of the user, the authenticity of the following
attributes against the relevant authentic source
at national level or via designated intermediaries recognised at
national level, in accordance with national or Union law and in cases
where these attributes rely on authentic sources within the
public sector:
7.Educational qualifications, titles and
licenses;
8.Professional qualifications, titles and
licenses;
9.Public permits and licenses;
10.Financial and company data.