EIDAS 2014/0910 EN

1. This Regulation applies to electronic_identification schemes that have been notified by a Member State, and to trust_service providers that are established in the Union.

2. This Regulation does not apply to the provision of trust_services that are used exclusively within closed systems resulting from national law or from agreements between a defined set of participants.

3. This Regulation does not affect national or Union law related to the conclusion and validity of contracts or other legal or procedural obligations relating to form.

Article 3

Definitions

For the purposes of this Regulation, the following definitions apply:

(1)	‘ electronic_identification’ means the process of using person_identification_data in electronic form uniquely representing either a natural or legal person, or a natural person representing a legal person;

(2)	‘ electronic_identification means’ means a material and/or immaterial unit containing person_identification_data and which is used for authentication for an online service;

(3)	‘ person_identification_data’ means a set of data enabling the identity of a natural or legal person, or a natural person representing a legal person to be established;

(4)	‘ electronic_identification scheme’ means a system for electronic_identification under which electronic_identification means are issued to natural or legal persons, or natural persons representing legal persons;

(5)	‘ authentication’ means an electronic process that enables the electronic_identification of a natural or legal person, or the origin and integrity of data in electronic form to be confirmed;

(6)	‘ relying_party’ means a natural or legal person that relies upon an electronic_identification or a trust_service;

(7)

‘ public_sector_body’ means a state, regional or local authority, a body_governed_by_public_law or an association formed by one or several such authorities or one or several such bodies governed by public law, or a private entity mandated by at least one of those authorities, bodies or associations to provide public services, when acting under such a mandate;

(8)	‘ body_governed_by_public_law’ means a body defined in point (4) of Article 2(1) of Directive 2014/24/EU of the European Parliament and of the Council (15);

(9)	‘ signatory’ means a natural person who creates an electronic_signature;

(10)	‘ electronic_signature’ means data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign;

(11)	‘advanced electronic_signature’ means an electronic_signature which meets the requirements set out in Article 26;

(12)	‘qualified electronic_signature’ means an advanced electronic_signature that is created by a qualified electronic_signature creation device, and which is based on a qualified certificate for electronic_signatures;

(13)	‘ electronic_signature creation data’ means unique data which is used by the signatory to create an electronic_signature;

(14)	‘certificate for electronic_signature’ means an electronic attestation which links electronic_signature validation_data to a natural person and confirms at least the name or the pseudonym of that person;

(15)	‘qualified certificate for electronic_signature’ means a certificate for electronic_signatures, that is issued by a qualified trust_service provider and meets the requirements laid down in Annex I;

(16)

‘ trust_service’ means an electronic service normally provided for remuneration which consists of:

(a)	the creation, verification, and validation of electronic_signatures, electronic_seals or electronic_time_stamps, electronic_registered_delivery_services and certificates related to those services, or

(b)	the creation, verification and validation of certificates for website authentication; or

(c)	the preservation of electronic_signatures, seals or certificates related to those services;

(17)	‘qualified trust_service’ means a trust_service that meets the applicable requirements laid down in this Regulation;

(18)	‘ conformity_assessment_body’ means a body defined in point 13 of Article 2 of Regulation (EC) No 765/2008, which is accredited in accordance with that Regulation as competent to carry out conformity assessment of a qualified trust_service provider and the qualified trust_services it provides;

(19)	‘ trust_service provider’ means a natural or a legal person who provides one or more trust_services either as a qualified or as a non-qualified trust_service provider;

(20)	‘qualified trust_service provider’ means a trust_service provider who provides one or more qualified trust_services and is granted the qualified status by the supervisory body;

(21)	‘ product’ means hardware or software, or relevant components of hardware or software, which are intended to be used for the provision of trust_services;

(22)	‘ electronic_signature creation device’ means configured software or hardware used to create an electronic_signature;

(23)	‘qualified electronic_signature creation device’ means an electronic_signature creation device that meets the requirements laid down in Annex II;

(24)	‘ creator_of_a_seal’ means a legal person who creates an electronic_seal;

(25)	‘ electronic_seal’ means data in electronic form, which is attached to or logically associated with other data in electronic form to ensure the latter’s origin and integrity;

(26)	‘advanced electronic_seal’ means an electronic_seal, which meets the requirements set out in Article 36;

(27)	‘qualified electronic_seal’ means an advanced electronic_seal, which is created by a qualified electronic_seal creation device, and that is based on a qualified certificate for electronic_seal;

(28)	‘ electronic_seal creation data’ means unique data, which is used by the creator of the electronic_seal to create an electronic_seal;

(29)	‘certificate for electronic_seal’ means an electronic attestation that links electronic_seal validation_data to a legal person and confirms the name of that person;

(30)	‘qualified certificate for electronic_seal’ means a certificate for an electronic_seal, that is issued by a qualified trust_service provider and meets the requirements laid down in Annex III;

(31)	‘ electronic_seal creation device’ means configured software or hardware used to create an electronic_seal;

(32)	‘qualified electronic_seal creation device’ means an electronic_seal creation device that meets mutatis mutandis the requirements laid down in Annex II;

(33)	‘ electronic_time_stamp’ means data in electronic form which binds other data in electronic form to a particular time establishing evidence that the latter data existed at that time;

(34)	‘qualified electronic_time_stamp’ means an electronic_time_stamp which meets the requirements laid down in Article 42;

(35)	‘ electronic_document’ means any content stored in electronic form, in particular text or sound, visual or audiovisual recording;

(36)

‘ electronic_registered_delivery_service’ means a service that makes it possible to transmit data between third parties by electronic means and provides evidence relating to the handling of the transmitted data, including proof of sending and receiving the data, and that protects transmitted data against the risk of loss, theft, damage or any unauthorised alterations;

(37)	‘qualified electronic_registered_delivery_service’ means an electronic_registered_delivery_service which meets the requirements laid down in Article 44;

(38)	‘certificate for website authentication’ means an attestation that makes it possible to authenticate a website and links the website to the natural or legal person to whom the certificate is issued;

(39)	‘qualified certificate for website authentication’ means a certificate for website authentication, which is issued by a qualified trust_service provider and meets the requirements laid down in Annex IV;

(40)	‘ validation_data’ means data that is used to validate an electronic_signature or an electronic_seal;

(41)	‘ validation’ means the process of verifying and confirming that an electronic_signature or a seal is valid.

Article 12

Cooperation and interoperability

1. The national electronic_identification schemes notified pursuant to Article 9(1) shall be interoperable.

2. For the purposes of paragraph 1, an interoperability framework shall be established.

3. The interoperability framework shall meet the following criteria:

(a)	it aims to be technology neutral and does not discriminate between any specific national technical solutions for electronic_identification within a Member State;

(b)	it follows European and international standards, where possible;

(c)	it facilitates the implementation of the principle of privacy by design; and

(d)	it ensures that personal data is processed in accordance with Directive 95/46/EC.

4. The interoperability framework shall consist of:

(a)	a reference to minimum technical requirements related to the assurance levels under Article 8;

(b)	a mapping of national assurance levels of notified electronic_identification schemes to the assurance levels under Article 8;

(c)	a reference to minimum technical requirements for interoperability;

(d)	a reference to a minimum set of person_identification_data uniquely representing a natural or legal person, which is available from electronic_identification schemes;

(e)	rules of procedure;

(f)	arrangements for dispute resolution; and

(g)	common operational security standards.

5. Member States shall cooperate with regard to the following:

(a)	the interoperability of the electronic_identification schemes notified pursuant to Article 9(1) and the electronic_identification schemes which Member States intend to notify; and

(b)	the security of the electronic_identification schemes.

6. The cooperation between Member States shall consist of:

(a)	the exchange of information, experience and good practice as regards electronic_identification schemes and in particular technical requirements related to interoperability and assurance levels;

(b)	the exchange of information, experience and good practice as regards working with assurance levels of electronic_identification schemes under Article 8;

(c)	peer review of electronic_identification schemes falling under this Regulation; and

(d)	examination of relevant developments in the electronic_identification sector.

7. By 18 March 2015, the Commission shall, by means of implementing acts, establish the necessary procedural arrangements to facilitate the cooperation between the Member States referred to in paragraphs 5 and 6 with a view to fostering a high level of trust and security appropriate to the degree of risk.

8. By 18 September 2015, for the purpose of setting uniform conditions for the implementation of the requirement under paragraph 1, the Commission shall, subject to the criteria set out in paragraph 3 and taking into account the results of the cooperation between Member States, adopt implementing acts on the interoperability framework as set out in paragraph 4.

9. The implementing acts referred to in paragraphs 7 and 8 of this Article shall be adopted in accordance with the examination procedure referred to in Article 48(2).

CHAPTER III

TRUST SERVICES

SECTION 1

General provisions

Article 14

International aspects

1. Trust services provided by trust_service providers established in a third country shall be recognised as legally equivalent to qualified trust_services provided by qualified trust_service providers established in the Union where the trust_services originating from the third country are recognised under an agreement concluded between the Union and the third country in question or an international organisation in accordance with Article 218 TFEU.

2. Agreements referred to in paragraph 1 shall ensure, in particular, that:

(a)

the requirements applicable to qualified trust_service providers established in the Union and the qualified trust_services they provide are met by the trust_service providers in the third country or international organisations with which the agreement is concluded, and by the trust_services they provide;

(b)	the qualified trust_services provided by qualified trust_service providers established in the Union are recognised as legally equivalent to trust_services provided by trust_service providers in the third country or international organisation with which the agreement is concluded.

Article 44

Requirements for qualified electronic_registered_delivery_services

1. Qualified electronic_registered_delivery_services shall meet the following requirements:

(a)	they are provided by one or more qualified trust_service provider(s);

(b)	they ensure with a high level of confidence the identification of the sender;

(c)	they ensure the identification of the addressee before the delivery of the data;

(d)	the sending and receiving of data is secured by an advanced electronic_signature or an advanced electronic_seal of a qualified trust_service provider in such a manner as to preclude the possibility of the data being changed undetectably;

(e)	any change of the data needed for the purpose of sending or receiving the data is clearly indicated to the sender and addressee of the data;

(f)	the date and time of sending, receiving and any change of data are indicated by a qualified electronic_time_stamp.

In the event of the data being transferred between two or more qualified trust_service providers, the requirements in points (a) to (f) shall apply to all the qualified trust_service providers.

2. The Commission may, by means of implementing acts, establish reference numbers of standards for processes for sending and receiving data. Compliance with the requirements laid down in paragraph 1 shall be presumed where the process for sending and receiving data meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

SECTION 8

Website authentication

whereas

(2) This Regulation seeks to enhance trust in electronic transactions in the internal market by providing a common foundation for secure electronic interaction between citizens, businesses and public authorities, thereby increasing the effectiveness of public and private online services, electronic business and electronic commerce in the Union.

- = -

(20) Cooperation by Member States should facilitate the technical interoperability of the notified electronic_identification schemes with a view to fostering a high level of trust and security appropriate to the degree of risk.
The exchange of information and the sharing of best practices between Member States with a view to their mutual recognition should help such cooperation.

- = -

(21) This Regulation should also establish a general legal framework for the use of trust_services.
However, it should not create a general obligation to use them or to install an access point for all existing trust_services.
In particular, it should not cover the provision of services used exclusively within closed systems between a defined set of participants, which have no effect on third parties.
For example, systems set up in businesses or public administrations to manage internal procedures making use of trust_services should not be subject to the requirements of this Regulation.
Only trust_services provided to the public having effects on third parties should meet the requirements laid down in the Regulation.
Neither should this Regulation cover aspects related to the conclusion and validity of contracts or other legal obligations where there are requirements as regards form laid down by national or Union law.
In addition, it should not affect national form requirements pertaining to public registers, in particular commercial and land registers.

- = -

(35) All trust_service providers should be subject to the requirements of this Regulation, in particular those on security and liability to ensure due diligence, transparency and accountability of their operations and services.
However, taking into account the type of services provided by trust_service providers, it is appropriate to distinguish as far as those requirements are concerned between qualified and non-qualified trust_service providers.

- = -

(40) To enable the Commission and the Member States to assess the effectiveness of the enhanced supervision mechanism introduced by this Regulation, supervisory bodies should be requested to report on their activities.
This would be instrumental in facilitating the exchange of good practice between supervisory bodies and would ensure the verification of the consistent and efficient implementation of the essential supervision requirements in all Member States.

- = -

(42) To facilitate the supervision of qualified trust_service providers, for example, when a provider is providing its services in the territory of another Member State and is not subject to supervision there, or when the computers of a provider are located in the territory of a Member State other than the one where it is established, a mutual assistance system between supervisory bodies in the Member States should be established.

- = -

(45) In order to allow an efficient initiation process, which should lead to the inclusion of qualified trust_service providers and the qualified trust_services they provide into trusted lists, preliminary interactions between prospective qualified trust_service providers and the competent supervisory body should be encouraged with a view to facilitating the due diligence leading to the provisioning of qualified trust_services.

- = -

(66) It is essential to provide for a legal framework to facilitate cross-border recognition between existing national legal systems related to electronic_registered_delivery_services.
That framework could also open new market opportunities for Union trust_service providers to offer new pan-European electronic_registered_delivery_services.

- = -

(67) Website authentication services provide a means by which a visitor to a website can be assured that there is a genuine and legitimate entity standing behind the website.
Those services contribute to the building of trust and confidence in conducting business online, as users will have confidence in a website that has been authenticated.
The provision and the use of website authentication services are entirely voluntary.
However, in order for website authentication to become a means to boosting trust, providing a better experience for the user and furthering growth in the internal market, this Regulation should lay down minimal security and liability obligations for the providers and their services.
To that end, the results of existing industry-led initiatives, for example the Certification Authorities/Browsers Forum — CA/B Forum, have been taken into account.
In addition, this Regulation should not impede the use of other means or methods to authenticate a website not falling under this Regulation nor should it prevent third country providers of website authentication services from providing their services to customers in the Union.
However, a third country provider should only have its website authentication services recognised as qualified in accordance with this Regulation, if an international agreement between the Union and the country of establishment of the provider has been concluded.

- = -

keyboard_tab EIDAS 2014/0910 EN

EIDAS 2014/0910 EN