REALSEC reviews the key points of the new eIDAS Regulation at AMETIC
Andrés Vázquez, REALSEC consultant, heads a presentation at the Committee on Trust and Security meeting at AMETIC.
On October 22, REALSEC participated in a presentation at the Commission of Trust and Security at AMETIC, where Andrés Vázquez, consultant for REALSEC, explained to the attendees the most relevant aspects of the new eIDAS Regulation. The Regulation was published recently in the Official Journal of the European Union and is a subject of great interest to the companies that make up this committee.
Among the companies represented at the meeting were Indra, Telefónica, IBM, Arsys, G&D, Bull, etc.
During the meeting, Andrés Vázquez addressed the most important points of Regulation (EU) No 910/2014 of the European Parliament and of the Council of July 23, 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. These points are summarized below:
- Electronic identification schemes (national): notification; publication of the list in the Official Journal of the European Union; interoperability; cooperation between Member States.
- Electronic identification means issued under notified electronic identification schemes: assurance levels (low, substantial and high); mutual recognition by any services provided by a public sector body online (for the purposes of cross-border authentication).
Trust service (definition): an electronic service normally provided (by a trust service provider) for remuneration which consists of:
- The creation, verification and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services, or
- The creation, verification and validation of certificates for website authentication, or the preservation of electronic signatures, seals or certificates related to those services.
Qualified trust services (provided by qualified trust service providers): international aspects (recognition in the EU of services originating from a third country under an agreement); supervision (by a national supervisory body which certifies them as qualified); audits (by a national conformity assessment body); publication on national trusted lists; EU trust mark.
Electronic signatures: signatory (a natural person); advanced electronic signature (one of the requirements changes to “it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control”).
Qualified electronic signatures: definition (advanced electronic signatures that are created by a qualified electronic signature creation device and which are based on a qualified certificate for electronic signatures); legal effects (equivalent to handwritten signatures; recognition in all Member States); requirements for qualified certificates for electronic signatures; requirements for the validation; qualified validation service; qualified preservation service.
Qualified electronic signature creation devices: requirements; certification (by national public or private bodies); publication on a list (by the Commission); remote qualified electronic signature service.
Electronic seals: creator of a seal (a legal person); advanced electronic seal (same requirements as those for advanced electronic signature, mutatis mutandis).
Qualified electronic seals: definition (same as qualified electronic signatures, mutatis mutandis); legal effects (presumption of integrity of the linked data and correctness of its origin; recognition in all Member States); requirements for qualified certificates for electronic seals (same as the requirements for qualified certificates for electronic signatures, mutatis mutandis); validation and preservation (same as qualified electronic signatures, mutatis mutandis); qualified electronic seal creation devices (same as qualified electronic signature creation devices, mutatis mutandis).
Qualified electronic time stamps: legal effect (presumption of the accuracy of the date and the time and the integrity of the bound data); requirements.
Qualified electronic registered delivery services: legal effect of data sent and received (presumption of the integrity of the data, the sending of that data by the identified sender, its receipt by the identified addressee and the accuracy of the date and time of sending and receipt indicated); requirements.
Requirements for qualified certificates for website authentication: same as the requirements for the qualified electronic signature certificates, mutatis mutandis.
DATES AND PROVISIONAL MEASURES
Relevant dates regarding the regulation:
- 7/23/2014: Document drafted
- 8/28/2014: Publication in the Official Journal of the European Union
- 9/17/2014: Entry into force
- 7/1/2016: Date of application (certain provisions will apply earlier); Directive 1999/93/EC is repealed with effect from this date.
- Before 9/18/2018: Mutual recognition, by any services provided by a public sector body online, of electronic identification means issued under electronic identification schemes included in the list published in the Official Journal of the European Union.
Transitional Measures (starting from 7/1/2016):
- Secure signature creation devices whose conformity has been determined in accordance with Directive 1999/93/EC shall be considered qualified electronic signature creation devices.
- Qualified certificates issued to natural persons under Directive 1999/93/EC shall be considered qualified electronic signature certificates until they expire.
- A certification service provider issuing qualified certificates under Directive 1999/93/EC shall submit a conformity assessment report to the national supervisory body no later than 7/1/2017. Until that report has been submitted and the supervisory body has completed its assessment, the certification service provider shall be considered a qualified trust service provider. If a certification service provider does not submit a conformity assessment report to the supervisory body before 7/1/2017, it shall no longer be considered a qualified trust service provider from 7/2/2017.