EIDAS 2014/0910 EN

With a view to ensuring the proper functioning of the internal market while aiming at an adequate level of security of electronic_identification means and trust_services this Regulation:

(a)	lays down the conditions under which Member States recognise electronic_identification means of natural and legal persons falling under a notified electronic_identification scheme of another Member State;

(b)	lays down rules for trust_services, in particular for electronic transactions; and

(c)	establishes a legal framework for electronic_signatures, electronic_seals, electronic_time_stamps, electronic_documents, electronic_registered_delivery_services and certificate services for website authentication.

Article 12

Cooperation and interoperability

1. The national electronic_identification schemes notified pursuant to Article 9(1) shall be interoperable.

2. For the purposes of paragraph 1, an interoperability framework shall be established.

3. The interoperability framework shall meet the following criteria:

(a)	it aims to be technology neutral and does not discriminate between any specific national technical solutions for electronic_identification within a Member State;

(b)	it follows European and international standards, where possible;

(c)	it facilitates the implementation of the principle of privacy by design; and

(d)	it ensures that personal data is processed in accordance with Directive 95/46/EC.

4. The interoperability framework shall consist of:

(a)	a reference to minimum technical requirements related to the assurance levels under Article 8;

(b)	a mapping of national assurance levels of notified electronic_identification schemes to the assurance levels under Article 8;

(c)	a reference to minimum technical requirements for interoperability;

(d)	a reference to a minimum set of person_identification_data uniquely representing a natural or legal person, which is available from electronic_identification schemes;

(e)	rules of procedure;

(f)	arrangements for dispute resolution; and

(g)	common operational security standards.

5. Member States shall cooperate with regard to the following:

(a)	the interoperability of the electronic_identification schemes notified pursuant to Article 9(1) and the electronic_identification schemes which Member States intend to notify; and

(b)	the security of the electronic_identification schemes.

6. The cooperation between Member States shall consist of:

(a)	the exchange of information, experience and good practice as regards electronic_identification schemes and in particular technical requirements related to interoperability and assurance levels;

(b)	the exchange of information, experience and good practice as regards working with assurance levels of electronic_identification schemes under Article 8;

(c)	peer review of electronic_identification schemes falling under this Regulation; and

(d)	examination of relevant developments in the electronic_identification sector.

7. By 18 March 2015, the Commission shall, by means of implementing acts, establish the necessary procedural arrangements to facilitate the cooperation between the Member States referred to in paragraphs 5 and 6 with a view to fostering a high level of trust and security appropriate to the degree of risk.

8. By 18 September 2015, for the purpose of setting uniform conditions for the implementation of the requirement under paragraph 1, the Commission shall, subject to the criteria set out in paragraph 3 and taking into account the results of the cooperation between Member States, adopt implementing acts on the interoperability framework as set out in paragraph 4.

9. The implementing acts referred to in paragraphs 7 and 8 of this Article shall be adopted in accordance with the examination procedure referred to in Article 48(2).

CHAPTER III

TRUST SERVICES

SECTION 1

General provisions

Article 18

Mutual assistance

1. Supervisory bodies shall cooperate with a view to exchanging good practice.

A supervisory body shall, upon receipt of a justified request from another supervisory body, provide that body with assistance so that the activities of supervisory bodies can be carried out in a consistent manner. Mutual assistance may cover, in particular, information requests and supervisory measures, such as requests to carry out inspections related to the conformity assessment reports as referred to in Articles 20 and 21.

2. A supervisory body to which a request for assistance is addressed may refuse that request on any of the following grounds:

(a)	the supervisory body is not competent to provide the requested assistance;

(b)	the requested assistance is not proportionate to supervisory activities of the supervisory body carried out in accordance with Article 17;

(c)	providing the requested assistance would be incompatible with this Regulation.

3. Where appropriate, Member States may authorise their respective supervisory bodies to carry out joint investigations in which staff from other Member States’ supervisory bodies is involved. The arrangements and procedures for such joint actions shall be agreed upon and established by the Member States concerned in accordance with their national law.

Article 49

Review

The Commission shall review the application of this Regulation and shall report to the European Parliament and to the Council no later than 1 July 2020. The Commission shall evaluate in particular whether it is appropriate to modify the scope of this Regulation or its specific provisions, including Article 6, point (f) of Article 7 and Articles 34, 43, 44 and 45, taking into account the experience gained in the application of this Regulation, as well as technological, market and legal developments.

The report referred to in the first paragraph shall be accompanied, where appropriate, by legislative proposals.

In addition, the Commission shall submit a report to the European Parliament and the Council every four years after the report referred to in the first paragraph on the progress towards achieving the objectives of this Regulation.

whereas

(20) Cooperation by Member States should facilitate the technical interoperability of the notified electronic_identification schemes with a view to fostering a high level of trust and security appropriate to the degree of risk.
The exchange of information and the sharing of best practices between Member States with a view to their mutual recognition should help such cooperation.

- = -

(28) To enhance in particular the trust of small and medium-sized enterprises (SMEs) and consumers in the internal market and to promote the use of trust_services and products, the notions of qualified trust_services and qualified trust_service provider should be introduced with a view to indicating requirements and obligations that ensure high-level security of whatever qualified trust_services and products are used or provided.

- = -

(38) Notification of security breaches and security risk assessments is essential with a view to providing adequate information to concerned parties in the event of a breach of security or loss of integrity.

- = -

(44) This Regulation aims to ensure a coherent framework with a view to providing a high level of security and legal certainty of trust_services.
In this regard, when addressing the conformity assessment of products and services, the Commission should, where appropriate, seek synergies with existing relevant European and international schemes such as the Regulation (EC) No 765/2008 of the European Parliament and of the Council (9) which sets out the requirements for accreditation of conformity assessment bodies and market surveillance of products.

- = -

(45) In order to allow an efficient initiation process, which should lead to the inclusion of qualified trust_service providers and the qualified trust_services they provide into trusted lists, preliminary interactions between prospective qualified trust_service providers and the competent supervisory body should be encouraged with a view to facilitating the due diligence leading to the provisioning of qualified trust_services.

- = -

(55) IT security certification based on international standards such as ISO 15408 and related evaluation methods and mutual recognition arrangements is an important tool for verifying the security of qualified electronic_signature creation devices and should be promoted.
However, innovative solutions and services such as mobile signing and cloud signing rely on technical and organisational solutions for qualified electronic_signature creation devices for which security standards may not yet be available or for which the first IT security certification is ongoing.
The level of security of such qualified electronic_signature creation devices could be evaluated by using alternative processes only where such security standards are not available or where the first IT security certification is ongoing.
Those processes should be comparable to the standards for IT security certification insofar as their security levels are equivalent.
Those processes could be facilitated by a peer review.

- = -

(72) When adopting delegated or implementing acts, the Commission should take due account of the standards and technical specifications drawn up by European and international standardisation organisations and bodies, in particular the European Committee for Standardisation (CEN), the European Telecommunications Standards Institute (ETSI), the International Organisation for Standardisation (ISO) and the International Telecommunication Union (ITU), with a view to ensuring a high level of security and interoperability of electronic_identification and trust_services.

- = -

keyboard_tab EIDAS 2014/0910 EN

EIDAS 2014/0910 EN