Implementation of Article 15 of the Draft Regulation on Electronic Identification and Trusted Services for Electronic Transactions in the Internal Market
Total Page:16
File Type:pdf, Size:1020Kb
Implementation of article 15 of the draft regulation on electronic identification and trusted services for electronic transactions in the internal market Implementation of article 15 I Contributors to this report This study has been written by the team of IDC CEMA under guidance and supervision of ENISA. In particular, the following experts have contributed to the report: Joshua Budd – ICD CEMA Jachym Homola – IDC CEMA Matthew Marden – IDC CEMA Clara Galan – ENISA Sławomir Górniak – ENISA Agreements or Acknowledgements We would like to thank all the stakeholders from EU Member States as well as non-Member States who provided their feedback for this report in the form of returned discussion guides and/or subsequent interviews. We very much appreciate the active involvement of the Forum of European Supervisory Authorities for Electronic Signatures – FESA as well as all the participating national authorities, including: Bundesbeaufragte für den Datenschutz und Informationsfreiheit/Federal Commissioner for Data Protection and Freedom of Information (Germany) Bundesnetzagentur/Federal Network Agency (Germany) Nemzeti Média- és Hírközlési Hatóság/National Media and Infocommunications Authority (Hungary) Neytendastofa/Consumer Agency (Iceland) Ryšių reguliavimo tarnyba/Communications Regulatory Authority (Lithuania) Onafhankelijke Post en Telecom Autoriteit/Independent Post and Telecommunications Authority (the Netherlands) Agencia Española de Protección de Datos/Data Protection Authority (Spain) Post- och telestyrelsen/Post and Telecom Authority (Sweden) Last but not least we would like to thank Mr. Jos Dumortier and Mr. Niels Vandezande, legal experts from the Interdisciplinary Centre for Law and ICT of the KU Leuven, Belgium, who were consulted on the feasibility of the implementation of Article 15. Published: December 2012 II Implementation of article 15 About ENISA The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu. Contact details For contacting ENISA or for general enquiries on the Security Services and Data Protection area in ENISA, please use the following details: E-mail: [email protected] Internet: http://www.enisa.europa.eu Follow us on Facebook Twitter LinkedIn Youtube & RSS feeds For questions related to this report, please use the following details: E-mail: [email protected] Implementation of article 15 III Legal notice Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the ENISA Regulation (EC) No 460/2004 as lastly amended by Regulation (EU) No 580/2011. This publication does not necessarily represent state-of the- art and ENISA may update it from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication. This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. Reproduction is authorised provided the source is acknowledged. © European Network and Information Security Agency (ENISA), 2012 IV Implementation of article 15 Contents 1 Executive Summary ........................................................................................................................... 1 2 Introduction ...................................................................................................................................... 3 2.1 Background information ............................................................................................................ 3 2.2 Methodology .............................................................................................................................. 8 3 Analysis of existing notification schemes ........................................................................................ 12 3.1 Overview of existing articles on notification in EU legislation ................................................. 12 3.2 Commonalities and differences of notification articles ........................................................... 14 4 Summary of recommendations....................................................................................................... 32 5 Conclusions ..................................................................................................................................... 38 Annex I: References ................................................................................................................................. 40 EU existing and proposed legislation in the area of breaches notifications ....................................... 40 Related ENISA publication and other publicly available documents ................................................... 40 Annex II: Abbreviations ............................................................................................................................ 42 Annex III: Breach notification scheme under Article 15 .......................................................................... 43 Annex IV: Questionnaire for the competent authorities ......................................................................... 44 Table of figures Figure 1: Commonalities and differences between security articles ...................................................... 14 Figure 2: Use of existing recommendations for the implementation of Article 15 ................................. 16 Implementation of article 15 1 1 Executive Summary E-Government services have significant potential to make public services more efficient for the benefit of citizens and businesses in terms of time and money. And while these benefits are increasingly being felt nationally, e-Government services still face administrative and legal barriers on a cross-border level, although pan-European projects like STORK have shown that technical issues of interoperability of electronic identifications can be overcome. In order to remove existing barriers for cross-border e- ID based services the European Commission has proposed a draft regulation on electronic identification and trust services for electronic transactions in the internal market, which will replace the existing Electronic Signature Directive 1999/93/EC. Article 15 of the proposed regulation requires that trust service providers have to undertake extensive security measures and notify competent bodies of any breach of security and loss of integrity with significant impact on the trust service provided and on personal data maintained therein. EU Member States have already largely implemented notification regimes for loss of integrity and breach of security impacting the operation of public telecommunications networks and services (Article 13a of the revised Framework Directive) as well as breaches of personal data (Article 4 of the revised e-Privacy Directive). The EC has also proposed a comprehensive reform of general data protection rules, which will extend the notification obligation to sectors other than telecommunications. As there are synergies between the existing notification schemes and the regime proposed under Article 15, it is important, when preparing for the implementation of this article, to make use of existing schemes as a reference. Analysis of ENISA recommendations and guidelines on the implementation of Article 13a and Article 4 reveals many commonalities that can be applied to implementing Article 15. When drafting Article 15, the EC applied the Article 13a model almost in its entirety. Article 4 may also serve as a model for content-related aspects of breaches. The similarities between these articles also derive from the fact that a personal data (or e- identification) breach may occur in the context of an information security incident. That is why close cooperation of relevant supervisory authorities is needed. At the same time, supervisory authorities need to consider adequate media policies in order to distribute information about serious incidents or to counter rumours and panic. As the nature of incidents (despite the premise of technology neutrality of the regulation) and their scope notified under Article 15 evolve, it will be important to manage and update the notification scheme accordingly. The reviews should be done both nationally (involving all the relevant stakeholders, including trust service providers) and on a European level. Annual reports on breaches provided to ENISA and the European Commission and their analysis by ENISA could be the main source for reviews of the notification scheme. The inputs gathered from these