keyboard_tab EIDAS 2014/0910 EN

whereas minimum:

• whereas (16) 1

definitions:

• electronic identification
• electronic identification means
• person identification data
• electronic identification scheme
• authentication
• relying party
• public sector body
• body governed by public law
• signatory
• electronic signature
• advanced electronic signature
• qualified electronic signature
• electronic signature creation data
• certificate for electronic signature
• qualified certificate for electronic signature
• trust service
• qualified trust service
• conformity assessment body
• trust service provider
• qualified trust service provider
• product
• electronic signature creation device
• qualified electronic signature creation device
• creator of a seal
• electronic seal
• advanced electronic seal
• qualified electronic seal
• electronic seal creation data
• certificate for electronic seal
• qualified certificate for electronic seal
• electronic seal creation device
• qualified electronic seal creation device
• electronic time stamp
• qualified electronic time stamp
• electronic document
• electronic registered delivery service
• qualified electronic registered delivery service
• certificate for website authentication
• qualified certificate for website authentication
• validation data
• validation

Article 8

Assurance levels of electronic_identification schemes

1.   An electronic_identification scheme notified pursuant to Article 9(1) shall specify assurance levels low, substantial and/or high for electronic_identification means issued under that scheme.

2.   The assurance levels low, substantial and high shall meet respectively the following criteria:

(a)

assurance level low shall refer to an electronic_identification means in the context of an electronic_identification scheme, which provides a limited degree of confidence in the claimed or asserted identity of a person, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of misuse or alteration of the identity;

(b)

assurance level substantial shall refer to an electronic_identification means in the context of an electronic_identification scheme, which provides a substantial degree of confidence in the claimed or asserted identity of a person, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease substantially the risk of misuse or alteration of the identity;

(c)

assurance level high shall refer to an electronic_identification means in the context of an electronic_identification scheme, which provides a higher degree of confidence in the claimed or asserted identity of a person than electronic_identification means with the assurance level substantial, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to prevent misuse or alteration of the identity.

3.   By 18 September 2015, taking into account relevant international standards and subject to paragraph 2, the Commission shall, by means of implementing acts, set out minimum technical specifications, standards and procedures with reference to which assurance levels low, substantial and high are specified for electronic_identification means for the purposes of paragraph 1.

Those minimum technical specifications, standards and procedures shall be set out by reference to the reliability and quality of the following elements:

(a)	the procedure to prove and verify the identity of natural or legal persons applying for the issuance of electronic_identification means;

(b)	the procedure for the issuance of the requested electronic_identification means;

(c)	the authentication mechanism, through which the natural or legal person uses the electronic_identification means to confirm its identity to a relying_party;

(d)	the entity issuing the electronic_identification means;

(e)	any other body involved in the application for the issuance of the electronic_identification means; and

(f)	the technical and security specifications of the issued electronic_identification means.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Article 12

Cooperation and interoperability

1.   The national electronic_identification schemes notified pursuant to Article 9(1) shall be interoperable.

2.   For the purposes of paragraph 1, an interoperability framework shall be established.

3.   The interoperability framework shall meet the following criteria:

(a)	it aims to be technology neutral and does not discriminate between any specific national technical solutions for electronic_identification within a Member State;

(b)	it follows European and international standards, where possible;

(c)	it facilitates the implementation of the principle of privacy by design; and

(d)	it ensures that personal data is processed in accordance with Directive 95/46/EC.

4.   The interoperability framework shall consist of:

(a)	a reference to minimum technical requirements related to the assurance levels under Article 8;

(b)	a mapping of national assurance levels of notified electronic_identification schemes to the assurance levels under Article 8;

(c)	a reference to minimum technical requirements for interoperability;

(d)	a reference to a minimum set of person_identification_data uniquely representing a natural or legal person, which is available from electronic_identification schemes;

(e)	rules of procedure;

(f)	arrangements for dispute resolution; and

(g)	common operational security standards.

5.   Member States shall cooperate with regard to the following:

(a)	the interoperability of the electronic_identification schemes notified pursuant to Article 9(1) and the electronic_identification schemes which Member States intend to notify; and

(b)	the security of the electronic_identification schemes.

6.   The cooperation between Member States shall consist of:

(a)	the exchange of information, experience and good practice as regards electronic_identification schemes and in particular technical requirements related to interoperability and assurance levels;

(b)	the exchange of information, experience and good practice as regards working with assurance levels of electronic_identification schemes under Article 8;

(c)	peer review of electronic_identification schemes falling under this Regulation; and

(d)	examination of relevant developments in the electronic_identification sector.

7.   By 18 March 2015, the Commission shall, by means of implementing acts, establish the necessary procedural arrangements to facilitate the cooperation between the Member States referred to in paragraphs 5 and 6 with a view to fostering a high level of trust and security appropriate to the degree of risk.

8.   By 18 September 2015, for the purpose of setting uniform conditions for the implementation of the requirement under paragraph 1, the Commission shall, subject to the criteria set out in paragraph 3 and taking into account the results of the cooperation between Member States, adopt implementing acts on the interoperability framework as set out in paragraph 4.

9.   The implementing acts referred to in paragraphs 7 and 8 of this Article shall be adopted in accordance with the examination procedure referred to in Article 48(2).

CHAPTER III

TRUST SERVICES

SECTION 1

General provisions

Article 52

Entry into force

1.   This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2.   This Regulation shall apply from 1 July 2016, except for the following:

(a)	Articles 8(3), 9(5), 12(2) to (9), 17(8), 19(4), 20(4), 21(4), 22(5), 23(3), 24(5), 27(4) and (5), 28(6), 29(2), 30(3) and (4), 31(3), 32(3), 33(2), 34(2), 37(4) and (5), 38(6), 42(2), 44(2), 45(2), and Articles 47 and 48 shall apply from 17 September 2014;

(b)	Article 7, Article 8(1) and (2), Articles 9, 10, 11 and Article 12(1) shall apply from the date of application of the implementing acts referred to in Articles 8(3) and 12(8);

(c)	Article 6 shall apply from three years as from the date of application of the implementing acts referred to in Articles 8(3) and 12(8).

3.   Where the notified electronic_identification scheme is included in the list published by the Commission pursuant to Article 9 before the date referred to in point (c) of paragraph 2 of this Article, the recognition of the electronic_identification means under that scheme pursuant to Article 6 shall take place no later than 12 months after the publication of that scheme but not before the date referred to in point (c) of paragraph 2 of this Article.

4.   Notwithstanding point (c) of paragraph 2 of this Article, a Member State may decide that electronic_identification means under electronic_identification scheme notified pursuant to Article 9(1) by another Member State are recognised in the first Member State as from the date of application of the implementing acts referred to in Articles 8(3) and 12(8). Member States concerned shall inform the Commission. The Commission shall make this information public.

---

(1)  OJ C 351, 15.11.2012, p. 73.

(2)  Position of the European Parliament of 3 April 2014 (not yet published in the Official Journal) and decision of the Council of 23 July 2014.

(3)  Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic_signatures (OJ L 13, 19.1.2000, p. 12).

(4)  OJ C 50 E, 21.2.2012, p. 1.

(5)  Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market (OJ L 376, 27.12.2006, p. 36).

(6)  Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare (OJ L 88, 4.4.2011, p. 45).

(7)  Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).

(8)  Council Decision 2010/48/EC of 26 November 2009 concerning the conclusion, by the European Community, of the United Nations Convention on the Rights of Persons with Disabilities (OJ L 23, 27.1.2010, p. 35).

(9)  Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).

(10)  Commission Decision 2009/767/EC of 16 October 2009 setting out measures facilitating the use of procedures by electronic means through the ‘points of single contact’ under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market (OJ L 274, 20.10.2009, p. 36).

(11)  Commission Decision 2011/130/EU of 25 February 2011 establishing minimum requirements for the cross-border processing of documents signed electronically by competent authorities under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market (OJ L 53, 26.2.2011, p. 66).

(12)  Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).

(13)  Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).

(14)  OJ C 28, 30.1.2013, p. 6.

(15)  Directive 2014/24/EU of the European Parliament and of the Council of 26 February 2014 on public procurement and repealing Directive 2004/18/EC (OJ L 94, 28.3.2014, p. 65).

---

---

---

---