Eidas Regulation

Total Page:16

File Type:pdf, Size:1020Kb

Eidas Regulation Premier ministre Agence nationale de la sécurité des systèmes d’information eIDAS Regulation Frequently asked questions Based on French Version 1.2 of 25 March 2021 VERSION HISTORY DATE VERSION DOCUMENT CHANGES EDITOR 02/06/2016 1.0 Version for publication. ANSSI Update. Amendments: - Details relating to the notification procedure of electronic identification schemes; 16/01/2019 1.1 ANSSI - Clarifications on the levels of electronic signatures ; - Details relating to the issuance of qualified certificates ; - Precisions relating to the articulation between the eIDAS Regulation and the General Security Baseline; - Addition of the point of contact within ANSSI. Update. 25/03/2021 1.2 ANSSI Amendments: precisions relating to the remote identity proofing of users. Comments on this document should be sent to: Agence nationale de la sécurité des systèmes d’information SGDSN/ANSSI 51 boulevard de La Tour-Maubourg 75700 Paris 07 SP [email protected] [email protected] CONTENTS I. GENERAL QUESTIONS ON THE EIDAS REGULATION........................................................... I.1. What is the eIDAS Regulation?............................................................................................... I.2. What are the subjects covered by the eIDAS Regulation?...................................................... I.3. When the eIDAS Regulation has been published? When it entered into force and when it became applicable?.............................................................................................................. I.4. Who is concerned by the eIDAS Regulation?.......................................................................... I.5. Does the eIDAS Regulation only apply to cross-border exchanges?...................................... I.6. What are the delegated acts and implementing decisions of the eIDAS Regulation?............. I.7. What are the legal impacts and characteristics of the eIDAS Regulation?.............................. I.8. What is ANSSI’s role in the eIDAS Regulation?...................................................................... II. QUESTIONS RELATING TO ELECTRONIC IDENTIFICATION.................................................. II.1. What is the goal of the “electronic identification” part of the eIDAS Regulation?..................... II.2. What are the principles of the “electronic identification” part of the eIDAS Regulation?.......... II.3. What are the implementing decisions published under the chapter “electronic identification” of the Regulation?....................................................................................................... II.4. What are the applicable conditions to the notification of an electronic identification scheme by a Member State?............................................................................................................. II.5. What are the obligations of a Member State notifying an electronic identification scheme?............................................................................................................................................ II.6. What is the Cooperation Network?.......................................................................................... II.7. What is the peer reviewing process?....................................................................................... II.8. Where to find the list of the notified electronic identification schemes?................................... II.9. Do public sector bodies have to rely on electronic identification means under the eIDAS Regulation?............................................................................................................................ II.10. Which obligations apply to a public sector body if it requires the implementation of an “eIDAS” electronic identification mean to access its teleservices?.................................................... II.11. What are the conditions to obtain an electronic identification mean?.................................... II.12. Is a face-to-face necessary to obtain an electronic identification mean?............................... II.13. How is the “electronic identification” part of the eIDAS Regulation implemented at the national level?.................................................................................................................................. III. QUESTIONS RELATING TO TRUST SERVICES...................................................................... III.1. What is the goal of the “trust services” part of the eIDAS Regulation?.................................. III.2. What are the principles of the “trust services” part of the eIDAS Regulation?....................... III.3. What are the implementing decisions published under the chapter “trust services” of the Regulation?............................................................................................................................... III.4. What are the legal effects under the eIDAS Regulation?....................................................... III.5. What are the requirements applicable to trust service providers?......................................... III.6. What are the obligations from the « trust services » part of the eIDAS Regulation for qualified trust service providers?..................................................................................................... III.7. What are the qualified trust services provided by the Regulation?........................................ III.8. How trust service providers are supervised?......................................................................... III.9. What are the particular supervision conditions of qualified trust service providers?.............. III.10. What is a trusted list?............................................................................................................ III.11. What is the UE trust mark?.................................................................................................... III.12. What is “Mandate 460”?........................................................................................................ III.13. Do public sector bodies have to rely on qualified trust services?........................................... III.14. How is the “trust services” part of the eIDAS Regulation implemented at the national level? 16 IV. QUESTIONS RELATING TO ELECTRONIC SIGNATURE AND SEAL.................................... IV.1. What are the different levels of electronic signature?............................................................ IV.2. What is a qualified electronic signature creation device?...................................................... IV.3. Who can require a qualified certificate?................................................................................. IV.4. What are the changes introduced by the eIDAS Regulation in regards to electronic signature?........................................................................................................................................ IV.5. Is a face-to-face necessary for the issuance of a qualified electronic signature certificate?....................................................................................................................................... IV.6. For the remote advanced electronic signature creation service, by which means can a person indicate its consent?............................................................................................................ IV.7. How is remote qualified electronic signature supervised?..................................................... IV.8. What are the obligations of public sector bodies, for the use of electronic signature?........... IV.9. What is the impact of the eIDAS Regulation on the Directive 1999/93/EC on a Community framework for electronic signatures?............................................................................ IV.10. What are the transition modalities between Directive 1999/93/CE and the eIDAS Regulation?..................................................................................................................................... V. QUESTIONS RELATING TO NATIONAL IMPACTS OF THE “TRUST SERVICES” PART 22 V.1. What about laws, decrees, decisions taken under Directive 1999/93/CE after the publication of eIDAS Regulation?.................................................................................................... V.2. Is the General Security Baseline still effective after the application date of the eIDAS Regulation?..................................................................................................................................... V.3. Are the products certified conform (chip card, HSM) to Decree 2001-272 qualified under the eIDAS Regulation?.......................................................................................................... V.4. What is the impact of the eIDAS Regulation on Decree 2011-434 relating to electronic time stamp?..................................................................................................................................... V.5. Do qualified services under Decision of 26th July 2004 or under the General Security Baseline remain qualified services under the eIDAS Regulation?................................................... VI. POINTS OF CONTACT OF ANSSI............................................................................................ I. General questions on the eIDAS Regulation I.1. What is the eIDAS Regulation?
Recommended publications
  • Office of State Controller, and the North Carolina Department of The
    Office of State Controller, and the North Carolina Department of the Secretary of State, and North Carolina Department of Cultural Resources, Division of Archives and Records Digital Signature Policy Guidelines Version 1.1 March 2014 Contains corrected links to documents Table of Contents 1 Introduction ........................................................................................................................... 3 1.1 Purpose of Guideline ........................................................................................................ 3 1.2 Scope ............................................................................................................................... 3 2 Electronic Signature Background ........................................................................................ 3 2.1 Legislation ........................................................................................................................ 3 2.2 Definitions ......................................................................................................................... 4 2.3 Definition of an Electronic Signature* ................................................................................ 5 2.4 Electronic Signature versus Digital Signature ................................................................... 6 3 Expectations for Electronic Signatures ............................................................................... 7 3.1 Intended Goals ................................................................................................................
    [Show full text]
  • Enhance Qualified Electronic Signatures with What You See Is What You Sign QES and WYSIWYS Service - Powered by Cryptomathic and Swisscom
    Solution Brief Enhance Qualified Electronic Signatures with What You See Is What You Sign QES and WYSIWYS Service - Powered by Cryptomathic and Swisscom Qualified remote signing and Solution benefits WYSIWYS - hosted eID services The best way to deliver Qualified Electronic Signature ü Offer Advanced or Qualified (QES) services across different channels is to use Electronic Signatures compliant with remote signing technology. It integrates smoothly the Swiss signature law, ZertES, and the with any web application and does not require any EU eIDAS regulation on trust services. software install, plug in or additional components and can be used anywhere, at any time, from any device ü Improve the users’ signing with browsing capacity. Qualified remote signing experience for all channels incl. web provides the highest legal value and international portals, desktop applications, mobile & acceptance, while What You See Is What You Sign tablet platforms (WYSIWYS) technology delivers a seamless user experience with strong non-repudiation. Combining ü Demonstrate unrivalled non- QES with WYSIWYS is a strong enabler for businesses repudiation with WYSIWYS to provide ultimate security, trust and convenience funcionality with online transactions. This is exactly what the Cryptomathic – Swisscom solution offers, namely the ü Eliminate smartcards, card readers possibility to offer Advanced or Qualified Electronic and local software install Signatures using a zero-footprint remote signing hosted service, featuring WYSIWYS functionality. ü Solve data
    [Show full text]
  • Global Guide to Electronic Signature
    Global Guide to Electronic Signature Law: Country by country summaries of law and enforceability Table of contents Introduction 3 Germany 9 Republic of Korea 15 Definition of terms 4 Greece 9 Romania 9 Recommended practices for Hong Kong 10 Russian Federation 16 electronic agreements 4 Hungary 9 Singapore 16 India 10 Slovakia 9 Country summaries of Indonesia 11 Slovenia 9 electronic signature law Ireland 9 South Africa 17 Argentina 5 Israel 11 Spain 9 Australia 5 Italy 9 Sweden 9 Austria 9 Japan 12 Switzerland 17 Belgium 9 Latvia 9 Taiwan 18 Bermuda 6 Lithuania 9 Thailand 18 Brazil 6 Luxembourg 9 Turkey 19 Bulgaria 9 Malaysia 12 United Kingdom 9 Canada 7 Malta 9 United States 19 Chile 7 Mexico 13 Uruguay 20 China 8 Netherlands 9 Colombia 8 New Zealand 13 Croatia 9 Norway 14 Czech Republic 9 Peru 14 Denmark 9 Philippines 15 Estonia 9 Poland 9 European Union 9 Portugal 9 Finland 9 Republic of Cyprus 9 France 9 © Adobe Systems Incorporated 2016. This information is intended to help businesses understand the legal framework of electronic signatures. 2 However, Adobe cannot provide legal advice. This guide is not intended as legal advice and should not serve as a substitute for professional legal advice. You should consult an attorney regarding your specific legal questions. Introduction Electronic and digital signatures represent a tremendous opportunity for organizations to get documents signed and close deals faster. When rolling out e-signatures globally, you need to be aware of the variety of electronic signature laws across the globe. This guide gives you a great place to start.
    [Show full text]
  • Trustedx Eidas Platform Remote Signing for Individuals
    TrustedX eIDAS Platform Remote signing for individuals eIDAS-compliant digital signatures from any device TrustedX eIDAS is an on-premises solution for the deployment of a legally-compliant cloud-based signing service, easily accessible through a Web API. Signing keys are centrally protected within an HSM, and document signatures are approved remotely by users from their device, without the need for a hardware or software token. BENEFITS Provide advanced and qualified signatures as defined by eIDAS TrustedX eIDAS performs signing operations on a Qualified Signature Creation Device (QSCD). When managed by a Qualified Trust Service Provider (QTSP) issuing qualified digital signing certificates, the service can provide advanced and qualified signatures compliant with the eIDAS regulation. Globally accepted signing standards TrustedX eIDAS is based on the ETSI and CEN standards, which guarantee a very high level of trust and broad interoperability with the industry products that require digital signatures, regardless of whether your organization operates in Europe or not. Remove the key management burden from your users The TrustedX eIDAS service was built with user experience in mind. The onboarding and signing process is transparent, does not require specific knowledge, and can be done from any device. The signing service operates in your premises with keys securely stored in an HSM, and users authorize each signature request from their computer or device. Ensure adequate authentication for each type of digital signature User authentication can be done with your existing service, ensuring that access is managed via an Identity Provider (IdP) that you control. When a signature is required, TrustedX can raise the authentication assurance level by sending an additional challenge such as an SMS/email OTP, or via TrustedX Mobile ID app notifications.
    [Show full text]
  • A Guide on Eidas 910/2014 Namirial DTM Solution for Legally Compliant E-Signatures
    A guide on eIDAS 910/2014 Namirial DTM solution for legally compliant e-signatures NAMIRIAL GmbH Legal Office: Seilerstätte 16, 1010 Wien, Austria Main Office: Haider Straße 23, 4025 Ansfelden | Phone: +43-7229-88060 | www.xyzmo.com Fiscalnumber 09 258/9720 | VAT-ID: ATU70125036 Table of Contents 1 What is eIDAS? ............................................................................................................. 3 2 Electronic identification .................................................................................................. 3 3 Electronic signatures and seals ..................................................................................... 4 3.1 Advanced Electronic Signature ............................................................................... 4 3.2 Qualified Electronic Signature................................................................................. 5 4 Time stamping ............................................................................................................... 6 5 Electronic registered delivery service ............................................................................ 7 6 Qualified preservation service ....................................................................................... 7 7 Technologies to implement e-signatures ....................................................................... 7 7.1 PAdES Standard ..................................................................................................... 8 7.1.1 Basic Profile (based on ISO 32000-1)
    [Show full text]
  • Qualified and Advanced Electronic Signatures)
    R Terms and Conditions of Use Swisscom certification service (Qualified and advanced Electronic Signatures) Terms and Conditions of Use for the use of the Swisscom qualified certificate is permitted in connection with the use certification service with qualified and advanced certificates of the trust service in accordance with these Terms and Con- for qualified and advanced electronic signatures (Swisscom ditions of Use ("limitation of use"). certificate class "Saphir and Diamant") 2.2 Identity verification process and retention of the infor- mation Swisscom or the registration authority appointed by 1 Scope of these Terms and Conditions of Use Swisscom checks your identity in the identity verification pro- These Terms and Conditions of Use shall apply in the rela- cess. For qualified electronic signatures, this is done by tionship between you and Swisscom (Schweiz) AG, Alte means of your passport or an identity card allowing travel to Tiefenaustrasse 6, Worblaufen, Switzerland, company ID Switzerland. Depending in each case on the actual organisa- CHE-101.654.423 (hereinafter "Swisscom") for your use of tion of the identity verification process, you may be re- the Swisscom certification service with qualified and ad- quested in the verification process for advanced electronic vanced certificates for qualified and advanced electronic sig- signatures to also submit other documents than those re- natures. quired for qualified electronic signatures. 2 Swisscom’s Services Based on your identify verification process for qualified elec- tronic signatures, you may also create advanced electronic 2.1 Certification service in general signatures in accordance with these Terms and Conditions of For your certification services with qualified certificates, Use where the subscriber application used by you offers dif- Swisscom is an accredited certification services provider in ferent types of signatures.
    [Show full text]
  • E-Szignó Certificate Authority Eidas Conform Qualified Long-Term
    e-Szignó Certificate Authority eIDAS conform Qualified Long-Term Preservation Service Preservation Disclosure Statement ver. 2.19 Date of effect: 2020-12-28 AK-MIN-EN 2.19 OID 1.3.6.1.4.1.21528.2.1.1.198.2.19 Version 2.19 First version date of effect 2016-07-01 Security classification PUBLIC Approved by Gergely Vanczák Date of approval 2020-12-11 Date of effect 2020-12-28 Microsec Micro Software Engineering & Consulting Private Company Limited by Shares Hungary, H-1033 Budapest, Ángel Sanz Briz str. 13. 2 AK-MIN-EN 2.19 Version Effect date Description 2.0 2016-07-01 New, eIDAS conform preservation policy. 2.1 2016-09-05 Changes according to the NMHH comments. 2.2 2016-10-30 Changes according to the auditor comments. 2.3 2017-04-30 Changes according to the NMHH comments. 2.4 2017-09-30 Yearly revision. 2.6 2018-03-24 Global revision. Smaller improvements. 2.7 2018-09-15 Yearly revision. 2.8 2018-12-14 Changes based on the suggestions of the auditor. 2.11 2019-09-25 Yearly revision. 2.13 2020-03-05 Effect. HSM requirements. Smaller improvements of wording. 2.14 2020-05-26 Smaller improvements. 2.17 2020-10-28 Rewriting according to the requirements of ETSI TS 119 511. | Improvements according to the auditor’s and the supervisory body’s findings. | Smaller improvements. 2.19 2020-12-28 Smaller improvements. c 2020, Microsec ltd. All rights reserved. 3 TABLE OF CONTENTS AK-MIN-EN 2.19 Table of Contents 1 Introduction 5 1.1 DocumentNameandIdentification .
    [Show full text]
  • Eidas and E-SIGNATURE a LEGAL PERSPECTIVE: ELECTRONIC SIGNATURES in the EUROPEAN UNION
    eIDAS AND E-SIGNATURE A LEGAL PERSPECTIVE: ELECTRONIC SIGNATURES IN THE EUROPEAN UNION WHITE PAPER TABLE OF CONTENTS Part 1: Introduction 3 Key Highlights of the eIDAS Regulation 4 Legal Effect of Different Types of Signatures 6 Regulation of Trust Services 7 Legal Best Practices 8 Part 2: Compliance With the Regulation 9 Advanced Electronic Signatures 9 Qualified Electronic Signatures 10 Format Standards 12 Additional Evidence 12 Conclusion 13 E-Signature Solution Checklist 14 About the Authors This paper is a collaboration between Lorna Brazell of Osborne Clarke LLP and OneSpan. In part one, Osborne Clarke provides a legal opinion on the legal validity of electronic signature in the European Union. Part two has been prepared by OneSpan, and summarizes best practices recommendations for legal compliance when implementing e-signatures. eIDAS & E-SIGNATURE: A LEGAL PERSPECTIVE FOLLOW US 2 PART 1 Introduction The 2014 Regulation on Electronic Identification and Trust Services for Electronic Transaction in the Internal Market1 (“eIDAS”) went into effect throughout the European Union (“EU”) on 1 July 2016, replacing the 1999 Directive on electronic signatures2 (“the Directive”). Although the Directive had not been the subject of any disputes in its 16-year history, neither had it been a success. Its objective, to enable the widespread use of electronic signatures to conduct business across borders within the EU, was not met. There Are Three Key Reasons for This: I. Most EU Member States’ laws do not specify any form of signature for commercial contracts other than guarantees or contracts assigning real property. II. Many people mistakenly believed that the Directive mandated the use of advanced electronic signatures supported by a qualified certificate3 in order for an electronic signature to be legally effective.
    [Show full text]
  • GUIDELINES on INITIATION K& Yh >/&/ Dzh^D ^ Zs
    THE EU CYBER SECURITY AGENCY GUIDELINES ON INITIATION OF QUALIFIED TRUST SERVICES Technical guidelines on trust services DECEMBER 2017 Guidelines on Initiation of Qualified Trust Services December 2017 About ENISA The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and EU citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu. Contact For queries in relation to this paper, please use [email protected]. For media enquires about this paper, please use [email protected]. Acknowledgements We would like to thank all those who contributed to this study and reviewed it, specifically the experts and the members of national supervisory bodies, conformity assessment bodies and various trust service providers. Legal notice Notice must be taken that this publication represents the views and interpretations of ENISA, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does not necessarily represent state-of the-art and ENISA may update it from time to time.
    [Show full text]
  • Eidas Regulation Questions & Answers
    eIDAS Regulation Questions & Answers on rules applicable to Trust Services as of 1 July 2016 The eIDAS Regulation (Regulation (EU) N°910/2014) on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) adopted by the co-legislators on 23 July 2014 is a milestone as it provides a predictable regulatory environment for electronic identification and trust services, including electronic signatures, seals, time stamps, registered delivery and website authentication. As of 1 July 2016, the provisions applicable to trust services apply directly in the 28 Member States. This means that trust services under eIDAS are no longer regulated by national laws. As a result, the qualified trust services are recognised independently of the Member State where the Qualified Trust Service Provider is established or where the specific qualified trust service is offered. What’s new? What changes with regard to the former eSignature Directive? What must be done at national level? How does it impact market operators? How does it benefit the users (citizens, businesses and public administrations)? What has the Commission done to facilitate the switchover? These questions and many others have been asked along the road since the adoption. We have compiled this Q&A document to help those of you who need to fully understand the new legal framework in order to implement it or reap the benefits of electronic transactions, as well as those of you who are curious about the Regulation’s various implications. I. What is new? How will the legal effect of electronic signature change under eIDAS (compared to the regime under the eSignature Directive) as from 1 July 2016? Since 1 July 2016, when the trust services’ provisions under the eIDAS Regulation entered into application, an electronic signature can only be used by a natural person to “sign”, i.e.
    [Show full text]
  • Managed QES Service with Internationally Recognized Legal and Privacy Assurances Selected Signing Service - Powered by Cryptomathic and Swisscom Trust Services
    Solution Brief Managed QES Service with Internationally Recognized Legal and Privacy Assurances Selected Signing Service - Powered by Cryptomathic and Swisscom Trust Services Qualified remote signing and Solution benefits WYSIWYS service The best way to deliver Qualified Electronic Signature ü Offer Advanced or Qualified Electronic (QES) services across different channels is to use Signatures compliant with the Swiss remote signing technology. It integrates smoothly signature law, ZertES, and the EU eIDAS with any web application and does not require any regulation on trust services. software install, plug in or additional components and ü Extend the use of Qualified Electronic can be used anywhere, at any time, from any device Signatures outside EU and Switzerland with browsing capacity. Qualified remote signing by using a Third Party CA. The private provides the highest legal value and international signature keys are kept securely in acceptance, while What You See Is What You Sign Switzerland and signing is done in Swiss (WYSIWYS) technology delivers a seamless user Data Centers on behalf of Third Party experience with strong non-repudiation. Combining Certificates. QES with WYSIWYS is a strong enabler for businesses ü to provide ultimate security, trust and convenience Improve the users’ signing experience with online transactions. This is exactly what the joint for all channels including web portals, Selected Signing Service offers, namely the possibility desktop applications, mobile & tablet to offer Advanced or Qualified Electronic Signatures platforms. using a zero-footprint remote signing hosted service, ü Demonstrate unrivalled non- featuring WYSIWYS functionality. repudiation with WYSIWYS funcionality. ü Solve data privacy problems as the Non-repudiation and convenience document remains in the domain of the Non-repudiation is critical for maintaining security application provider.
    [Show full text]
  • Esign Law Explained
    Electronic Signature Article ESIGN Electronic Commerce and Electronic Signature Law Clarified Copyright © Topaz Systems Inc. All rights reserved. For Topaz Systems, Inc. trademarks and patents, visit www.topazsystems.com/legal. ESIGN Law Clarified Table of Contents Overview ................................................................................................................................... 3 Abstract .................................................................................................................................... 3 Requirements for Legal Contract Enforcement .................................................................... 3 Digital Signature Technologies .............................................................................................. 4 PKI Digital Signatures ........................................................................................................................ 4 Handwritten Electronic Digitized Signatures ....................................................................................... 5 Email, Fax, and Other Simplistic Approaches ..................................................................................... 5 Digital Signature Technology in Open and Closed System Environments ........................ 6 Closed System and PKI ..................................................................................................................... 6 Closed System and Digitized Electronic Signatures ..........................................................................
    [Show full text]