EIDAS 2014/0910 EN

An electronic_identification scheme shall be eligible for notification pursuant to Article 9(1) provided that all of the following conditions are met:

(a)

the electronic_identification means under the electronic_identification scheme are issued:

(i)	by the notifying Member State;

(ii)	under a mandate from the notifying Member State; or

(iii)

independently of the notifying Member State and are recognised by that Member State;

(b)	the electronic_identification means under the electronic_identification scheme can be used to access at least one service which is provided by a public_sector_body and which requires electronic_identification in the notifying Member State;

(c)	the electronic_identification scheme and the electronic_identification means issued thereunder meet the requirements of at least one of the assurance levels set out in the implementing act referred to in Article 8(3);

(d)

the notifying Member State ensures that the person_identification_data uniquely representing the person in question is attributed, in accordance with the technical specifications, standards and procedures for the relevant assurance level set out in the implementing act referred to in Article 8(3), to the natural or legal person referred to in point 1 of Article 3 at the time the electronic_identification means under that scheme is issued;

(e)

the party issuing the electronic_identification means under that scheme ensures that the electronic_identification means is attributed to the person referred to in point (d) of this Article in accordance with the technical specifications, standards and procedures for the relevant assurance level set out in the implementing act referred to in Article 8(3);

(f)

the notifying Member State ensures the availability of authentication online, so that any relying_party established in the territory of another Member State is able to confirm the person_identification_data received in electronic form.

For relying parties other than public sector bodies the notifying Member State may define terms of access to that authentication. The cross-border authentication shall be provided free of charge when it is carried out in relation to a service online provided by a public_sector_body.

Member States shall not impose any specific disproportionate technical requirements on relying parties intending to carry out such authentication, where such requirements prevent or significantly impede the interoperability of the notified electronic_identification schemes;

(g)

at least six months prior to the notification pursuant to Article 9(1), the notifying Member State provides the other Member States for the purposes of the obligation under Article 12(5) a description of that scheme in accordance with the procedural arrangements established by the implementing acts referred to in Article 12(7);

(h)	the electronic_identification scheme meets the requirements set out in the implementing act referred to in Article 12(8).

Article 20

Supervision of qualified trust_service providers

1. Qualified trust_service providers shall be audited at their own expense at least every 24 months by a conformity_assessment_body. The purpose of the audit shall be to confirm that the qualified trust_service providers and the qualified trust_services provided by them fulfil the requirements laid down in this Regulation. The qualified trust_service providers shall submit the resulting conformity assessment report to the supervisory body within the period of three working days after receiving it.

2. Without prejudice to paragraph 1, the supervisory body may at any time audit or request a conformity_assessment_body to perform a conformity assessment of the qualified trust_service providers, at the expense of those trust_service providers, to confirm that they and the qualified trust_services provided by them fulfil the requirements laid down in this Regulation. Where personal data protection rules appear to have been breached, the supervisory body shall inform the data protection authorities of the results of its audits.

3. Where the supervisory body requires the qualified trust_service provider to remedy any failure to fulfil requirements under this Regulation and where that provider does not act accordingly, and if applicable within a time limit set by the supervisory body, the supervisory body, taking into account, in particular, the extent, duration and consequences of that failure, may withdraw the qualified status of that provider or of the affected service it provides and inform the body referred to in Article 22(3) for the purposes of updating the trusted lists referred to in Article 22(1). The supervisory body shall inform the qualified trust_service provider of the withdrawal of its qualified status or of the qualified status of the service concerned.

4. The Commission may, by means of implementing acts, establish reference number of the following standards:

(a)	accreditation of the conformity assessment bodies and for the conformity assessment report referred to in paragraph 1;

(b)	auditing rules under which conformity assessment bodies will carry out their conformity assessment of the qualified trust_service providers as referred to in paragraph 1.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Article 27

Electronic signatures in public services

1. If a Member State requires an advanced electronic_signature to use an online service offered by, or on behalf of, a public_sector_body, that Member State shall recognise advanced electronic_signatures, advanced electronic_signatures based on a qualified certificate for electronic_signatures, and qualified electronic_signatures in at least the formats or using methods defined in the implementing acts referred to in paragraph 5.

2. If a Member State requires an advanced electronic_signature based on a qualified certificate to use an online service offered by, or on behalf of, a public_sector_body, that Member State shall recognise advanced electronic_signatures based on a qualified certificate and qualified electronic_signatures in at least the formats or using methods defined in the implementing acts referred to in paragraph 5.

3. Member States shall not request for cross-border use in an online service offered by a public_sector_body an electronic_signature at a higher security level than the qualified electronic_signature.

4. The Commission may, by means of implementing acts, establish reference numbers of standards for advanced electronic_signatures. Compliance with the requirements for advanced electronic_signatures referred to in paragraphs 1 and 2 of this Article and in Article 26 shall be presumed when an advanced electronic_signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

5. By 18 September 2015, and taking into account existing practices, standards and Union legal acts, the Commission shall, by means of implementing acts, define reference formats of advanced electronic_signatures or reference methods where alternative formats are used. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Article 37

Electronic seals in public services

1. If a Member State requires an advanced electronic_seal in order to use an online service offered by, or on behalf of, a public_sector_body, that Member State shall recognise advanced electronic_seals, advanced electronic_seals based on a qualified certificate for electronic_seals and qualified electronic_seals at least in the formats or using methods defined in the implementing acts referred to in paragraph 5.

2. If a Member State requires an advanced electronic_seal based on a qualified certificate in order to use an online service offered by, or on behalf of, a public_sector_body, that Member State shall recognise advanced electronic_seals based on a qualified certificate and qualified electronic_seal at least in the formats or using methods defined in the implementing acts referred to in paragraph 5.

3. Member States shall not request for the cross-border use in an online service offered by a public_sector_body an electronic_seal at a higher security level than the qualified electronic_seal.

4. The Commission may, by means of implementing acts, establish reference numbers of standards for advanced electronic_seals. Compliance with the requirements for advanced electronic_seals referred to in paragraphs 1 and 2 of this Article and Article 36 shall be presumed when an advanced electronic_seal meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

5. By 18 September 2015, and taking into account existing practices, standards and legal acts of the Union, the Commission shall, by means of implementing acts, define reference formats of advanced electronic_seals or reference methods where alternative formats are used. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

whereas

(8) Directive 2006/123/EC of the European Parliament and of the Council (5) requires Member States to establish ‘points of single contact’ (PSCs) to ensure that all procedures and formalities relating to access to a service activity and to the exercise thereof can be easily completed, at a distance and by electronic means, through the appropriate PSC with the appropriate authorities.
Many online services accessible through PSCs require electronic_identification, authentication and signature.

- = -

(10) Directive 2011/24/EU of the European Parliament and of the Council (6) set up a network of national authorities responsible for e-health.
To enhance the safety and the continuity of cross-border healthcare, the network is required to produce guidelines on cross-border access to electronic health data and services, including by supporting ‘common identification and authentication measures to facilitate transferability of data in cross-border healthcare’.
Mutual recognition of electronic_identification and authentication is key to making cross-border healthcare for European citizens a reality.
When people travel for treatment, their medical data need to be accessible in the country of treatment.
That requires a solid, safe and trusted electronic_identification framework.

- = -

(43) In order to ensure the compliance of qualified trust_service providers and the services they provide with the requirements set out in this Regulation, a conformity assessment should be carried out by a conformity_assessment_body and the resulting conformity assessment reports should be submitted by the qualified trust_service providers to the supervisory body.
Whenever the supervisory body requires a qualified trust_service provider to submit an ad hoc conformity assessment report, the supervisory body should respect, in particular, the principles of good administration, including the obligation to give reasons for its decisions, as well as the principle of proportionality.
Therefore, the supervisory body should duly justify its decision to require an ad hoc conformity assessment.

- = -

(58) When a transaction requires a qualified electronic_seal from a legal person, a qualified electronic_signature from the authorised representative of the legal person should be equally acceptable.

- = -

keyboard_tab EIDAS 2014/0910 EN

EIDAS 2014/0910 EN