|Title:||Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (e-Signatures Directive)|
|Topic:||Regulation with regard to the use of electronic signatures and electronic certification services, including conditions for their equivalence to handwritten signatures, liability and technical/organisational requirements to providers of qualified certificates.|
|Direct / indirect relevance||Indirect. The text contains liability provisions for certification service providers (CSPs), along with a series of annexes describing inter alia RM/RA requirements for CSPs involved in issuing qualified certificates and requirements imposed on secure signature creation devices.|
|Scope:||All EU Member States (the Directive is addressed to the Member States, which must transpose it)|
|Legal force:||EU Directive, requires transposition into national law. Note: repealed with effect from 1 July 2016 by Regulation (EU) No 910/2014 (eIDAS), which took over the concepts of qualified certificates and qualified signature creation devices.|
|Affected sectors:||Any sector relying on electronic signatures or electronic certification service providers.|
|Relevant provision(s):||Article 5 – Legal effects of electronic signatures
1. Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device:
(a) satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data; and
(b) are admissible as evidence in legal proceedings.
2. Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is:
- in electronic form, or
- not based upon a qualified certificate, or
- not based upon a qualified certificate issued by an accredited certification-service-provider, or
- not created by a secure signature-creation device.
Article 6 – Liability
1. As a minimum, Member States shall ensure that by issuing a certificate as a qualified certificate to the public or by guaranteeing such a certificate to the public a certification-service-provider is liable for damage caused to any entity or legal or natural person who reasonably relies on that certificate:
(a) as regards the accuracy at the time of issuance of all information contained in the qualified certificate and as regards the fact that the certificate contains all the details prescribed for a qualified certificate;
(b) for assurance that at the time of the issuance of the certificate, the signatory identified in the qualified certificate held the signature-creation data corresponding to the signature-verification data given or identified in the certificate;
(c) for assurance that the signature-creation data and the signature-verification data can be used in a complementary manner in cases where the certification-service-provider generates them both;
unless the certification-service-provider proves that he has not acted negligently.
2. As a minimum Member States shall ensure that a certification-service-provider who has issued a certificate as a qualified certificate to the public is liable for damage caused to any entity or legal or natural person who reasonably relies on the certificate for failure to register revocation of the certificate unless the certification-service-provider proves that he has not acted negligently.
3. Member States shall ensure that a certification-service-provider may indicate in a qualified certificate limitations on the use of that certificate, provided that the limitations are recognisable to third parties. The certification-service-provider shall not be liable for damage arising from use of a qualified certificate which exceeds the limitations placed on it.
4. Member States shall ensure that a certification-service-provider may indicate in the qualified certificate a limit on the value of transactions for which the certificate can be used, provided that the limit is recognisable to third parties.
The certification-service-provider shall not be liable for damage resulting from this maximum limit being exceeded.
5. The provisions of paragraphs 1 to 4 shall be without prejudice to Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts.
Annex II – Requirements for certification-service-providers issuing qualified certificates
Certification-service-providers must:
(a) demonstrate the reliability necessary for providing certification services;
(b) ensure the operation of a prompt and secure directory and a secure and immediate revocation service;
(c) ensure that the date and time when a certificate is issued or revoked can be determined precisely;
(d) verify, by appropriate means in accordance with national law, the identity and, if applicable, any specific attributes of the person to which a qualified certificate is issued;
(e) employ personnel who possess the expert knowledge, experience, and qualifications necessary for the services provided, in particular competence at managerial level, expertise in electronic signature technology and familiarity with proper security procedures; they must also apply administrative and management procedures which are adequate and correspond to recognised standards;
(f) use trustworthy systems and products which are protected against modification and ensure the technical and cryptographic security of the process supported by them;
(g) take measures against forgery of certificates, and, in cases where the certification-service-provider generates signature-creation data, guarantee confidentiality during the process of generating such data;
(h) maintain sufficient financial resources to operate in conformity with the requirements laid down in the Directive, in particular to bear the risk of liability for damages, for example, by obtaining appropriate insurance;
(i) record all relevant information concerning a qualified certificate for an appropriate period of time, in particular for the purpose of providing evidence of certification for the purposes of legal proceedings. Such recording may be done electronically;
(j) not store or copy signature-creation data of the person to whom the certification-service-provider provided key management services;
(k) before entering into a contractual relationship with a person seeking a certificate to support his electronic signature inform that person by a durable means of communication of the precise terms and conditions regarding the use of the certificate, including any limitations on its use, the existence of a voluntary accreditation scheme and procedures for complaints and dispute settlement. Such information, which may be transmitted electronically, must be in writing and in readily understandable language. Relevant parts of this information must also be made available on request to third parties relying on the certificate;
(l) use trustworthy systems to store certificates in a verifiable form so that:
- only authorised persons can make entries and changes,
- information can be checked for authenticity,
- certificates are publicly available for retrieval in only those cases for which the certificate-holder's consent has been obtained, and
- any technical changes compromising these security requirements are apparent to the operator.
Annex III – Requirements for secure signature-creation devices
1. Secure signature-creation devices must, by appropriate technical and procedural means, ensure at the least that:
(a) the signature-creation-data used for signature generation can practically occur only once, and that their secrecy is reasonably assured;
(b) the signature-creation-data used for signature generation cannot, with reasonable assurance, be derived and the signature is protected against forgery using currently available technology;
(c) the signature-creation-data used for signature generation can be reliably protected by the legitimate signatory against the use of others.
2. Secure signature-creation devices must not alter the data to be signed or prevent such data from being presented to the signatory prior to the signature process.
|Relevance to RM/RA:||The cited provisions of the Directive are relevant to RM/RA, because:
• Firstly, the Directive establishes a tiered system of electronic signatures: basic electronic signatures, advanced electronic signatures, and advanced electronic signatures based on a qualified certificate and created by a secure signature-creation device (commonly called qualified signatures). Only the last tier is given the same legal effect as a handwritten signature by Article 5(1); the lower tiers may not be denied legal effect solely for lacking those qualities (Article 5(2)), but their weight is assessed case by case. Any entity wishing to rely on electronic signatures therefore needs to assess the legal status of its signature, based on its qualities (and to a much lesser extent the jurisdiction in which it will be presented), to determine whether it can be expected to hold up in a court of law.
• Secondly, the Directive establishes liability rules for certification service providers who issue qualified certificates. Among other obligations, they are liable for damage suffered by any party reasonably relying on the certificate if the information in the certificate was inaccurate at issuance, if the signatory did not actually hold the corresponding signature-creation data, or if revocation was not registered in time, unless the provider proves that it did not act negligently (i.e. the burden of proof is reversed). Liability can be bounded only by limitations on use or transaction value that are stated in the certificate and recognisable to third parties (Article 6(3) and 6(4)). Issuers of qualified certificates therefore need to put in place appropriate procedures, in particular for identity verification and prompt revocation, to manage these risks.
• Thirdly, the Annexes to the Directive specify a number of requirements, including with regard to the issuers of qualified certificates (Annex II) and to secure signature creation devices (SSCDs, Annex III). Any aspiring certification service provider wishing to deliver qualified certificates therefore needs to ensure that the appropriate procedures are put in place to meet the requirements of Annex II (trustworthy systems, precise issuance and revocation timestamps, evidence retention, no storage or copying of subscribers' signature-creation data, and so on); and providers of qualified signature solutions must ensure that the signature creation devices they rely upon actually meet the Annex III requirements, i.e. that the signature-creation data is unique, kept secret, non-derivable and under the sole control of the signatory, and that the device neither alters the data to be signed nor prevents it from being presented to the signatory before signing.