The new EU Regulation on eID and Trust Services – part III: Trust Services
The previous two IDnext newsletters presented a general overview of the new EU Regulation on Electronic Identification and Trust Services and discussed the regime on electronic identification. This edition discusses the regime on Trust Services.
Trust Services are the electronic signature, the electronic seal, the electronic time stamp, the electronic registered delivery service, electronic certificates and certificates for website authentication. Trust Services are provided by a Trust Service Provider (TSP).
Qualified and non-qualified TSPs and Trust Services
The Regulation distinguishes between qualified and non-qualified TSPs and Trust Services. Qualified TSPs and Trust Services must comply with additional requirements but, in return, qualified Trust Services offer additional legal certainty. Whereas the 1999 Electronic Signatures Directive (1999/93/EC) does not regulate the non-qualified certification service provider, the new Regulation imposes obligations on non-qualified TSPs as well.
Both qualified and non-qualified TSPs are required to have sufficient security measures in place. The Regulation stipulates a risk-based approach: the security measures need to ‘ensure that the level of security is commensurate to the degree of risk’, while also ‘having regard to the latest technological developments’.
Security incidents and notification of incidents
The security measures must specifically aim to prevent and minimize the impact of security incidents, and the TSP must inform ‘stakeholders’ of the adverse effects of an incident. Additionally, the Regulation introduces a general notification obligation: both qualified and non-qualified TSPs must notify the supervisory body of an incident, defined as ‘any breach of security or loss of integrity that has a significant impact on the trust service provided or on the personal data maintained therein’. Notification must take place without undue delay and in any event within 24 hours after the TSP became aware of the incident. Where the incident is likely to adversely affect a natural or legal person to whom the trust service has been provided, the TSP must also notify that person without undue delay. Where the incident concerns two or more Member States, the notified supervisory body informs the supervisory bodies of the other Member States concerned and the European Union Agency for Network and Information Security (ENISA); where disclosure is in the public interest, the supervisory body may inform the public or require the TSP to do so.
The electronic signature and the electronic seal
The legal regime on the electronic signature remains more or less the same as under the 1999 Directive, but with one crucial difference. Under the Directive, an electronic signature was (in part) defined as ‘a method of authentication’, thereby conflating authenticating a person with having that person place a signature. Furthermore, the Directive promoted the idea that ‘electronic signatures are now legally valid’, as if that had a clear legal meaning. From a legal point of view, a signature is only required in very specific situations; there is no general legal effect of a signature. This means that in day-to-day transactions the legal role of the signature is smaller than the Directive might suggest.
The Regulation clarifies the role of the electronic signature: it is no longer ‘a method of authentication’ but data ‘used by the signatory to sign’. This clearly separates the electronic signature from the authentication phase. As under the Directive, a qualified electronic signature has the equivalent legal effect of a handwritten signature. Furthermore, the Regulation introduces the electronic seal. The electronic seal is technically similar to the electronic signature, with the crucial difference that it is created by a legal person rather than a natural person and that its purpose is not to sign but to ‘ensure the origin and integrity’ of the data to which it is attached. A qualified electronic seal enjoys the legal presumption of the integrity of the data and of the correctness of the origin of that data.
Electronic time stamp
The electronic time stamp binds electronic data to a particular moment in time and thereby establishes evidence that the data existed at that time. A qualified electronic time stamp must be based on an accurate time source linked to Coordinated Universal Time (UTC) and must be signed or sealed by the qualified TSP, so that the date, time and data can no longer be altered without detection. The advantage of a qualified electronic time stamp is that it enjoys the legal presumption that the date and time it indicates are accurate and that the integrity of the data to which it is bound is ensured.
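The mechanism behind that presumption is cryptographic, and the following Go program is an added illustration of it; it is not part of the original article and is a simplified model, not the RFC 3161 token format that qualified TSPs actually issue. It shows the three properties the paragraph relies on: the requester submits only a hash of the data, so the TSP never sees the document; the TSP signs the hash together with the UTC time, so neither can be altered without invalidating the signature; and the verifier recomputes the hash, so any later change to the data is detected. The `Token`, `TSA`, `Stamp` and `Verify` names, the injected clock, and the sample document and date are all constructed for the example. The same signature-by-the-TSP step is what the Regulation means by a time stamp being ‘signed or sealed’ by the provider.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Token models the evidence a time-stamping TSP returns (hypothetical layout,
// not RFC 3161): the digest of the data, the asserted UTC time, and the TSP's
// signature over both. The data itself is never sent to the TSP.
type Token struct {
	Digest [32]byte
	Time   time.Time
	Sig    []byte
}

// toBeSigned is the byte string the TSP signs: digest || unix-seconds (big-endian).
// Binding the two in one signature is what prevents back-dating or re-pointing
// the token at different data.
func toBeSigned(digest [32]byte, t time.Time) []byte {
	buf := make([]byte, 0, 40)
	buf = append(buf, digest[:]...)
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(t.UTC().Unix()))
	return append(buf, ts[:]...)
}

// TSA is the time-stamping authority. Its clock is injected so the example is
// deterministic; a real qualified TSP uses a trusted time source linked to UTC.
type TSA struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
	now  func() time.Time
}

// NewTSA generates a fresh Ed25519 key pair for the authority.
func NewTSA(now func() time.Time) (*TSA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TSA{priv: priv, Pub: pub, now: now}, nil
}

// Stamp issues a token for a digest submitted by the requester.
func (a *TSA) Stamp(digest [32]byte) Token {
	t := a.now().UTC().Truncate(time.Second)
	return Token{Digest: digest, Time: t, Sig: ed25519.Sign(a.priv, toBeSigned(digest, t))}
}

// Verify checks a token against the data and the TSP's public key:
//  1. the signature must cover this digest and this time (detects a changed
//     time, a changed digest, or a token from a different TSP);
//  2. the digest must match the data (detects a changed document).
func Verify(pub ed25519.PublicKey, tok Token, data []byte) error {
	if !ed25519.Verify(pub, toBeSigned(tok.Digest, tok.Time), tok.Sig) {
		return errors.New("token signature invalid: time or digest altered, or wrong TSP key")
	}
	if d := sha256.Sum256(data); d != tok.Digest {
		return errors.New("data does not match stamped digest: integrity lost")
	}
	return nil
}

func main() {
	// Constructed sample: a fixed clock and a short document.
	fixed := time.Date(2014, 9, 17, 12, 0, 0, 0, time.UTC)
	tsa, err := NewTSA(func() time.Time { return fixed })
	if err != nil {
		panic(err)
	}
	doc := []byte("Constructed sample contract text")
	tok := tsa.Stamp(sha256.Sum256(doc))

	fmt.Println("genuine:    ", Verify(tsa.Pub, tok, doc))
	fmt.Println("edited doc: ", Verify(tsa.Pub, tok, []byte("Constructed sample contract text, amended")))
	backdated := tok
	backdated.Time = tok.Time.Add(-24 * time.Hour)
	fmt.Println("back-dated: ", Verify(tsa.Pub, backdated, doc))
}
```

Note what the verifier trusts: only the TSP's public key and its own hash computation. The requester cannot pick the time, and the TSP cannot later deny the time without its key having been misused, which is why the Regulation ties the presumption to the TSP being qualified and supervised rather than to the token format alone.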
Electronic registered delivery service
The electronic registered delivery service makes it possible to transmit data between third parties by electronic means and provides evidence relating to the handling of the transmitted data, including proof of sending and receiving the data, while also protecting the data against loss, theft, damage or unauthorised alteration. A qualified electronic registered delivery service must be signed or sealed by the qualified TSP and must indicate the date and time of sending, receiving and any change of the data by means of a qualified electronic time stamp. The advantage of a qualified electronic registered delivery service is that it enjoys the legal presumption of the integrity of the data, of the sending of the data by the identified sender, of its receipt by the identified addressee, and of the accuracy of the date and time of sending and receipt indicated by the service.

Marten Voulon*
* Marten Voulon is a legal researcher at Leiden University’s Center for Law in the Information Society (eLaw@Leiden), a member of the Complaints & Disputes Committee of eRecognition (eHerkenning) and senior legal counsel at NN Group.