Premier ministre Agence nationale de la sécurité des systèmes d’information eIDAS Regulation Frequently asked questions Based on French Version 1.2 of 25 March 2021 VERSION HISTORY DATE VERSION DOCUMENT CHANGES EDITOR 02/06/2016 1.0 Version for publication. ANSSI Update. Amendments: - Details relating to the notification procedure of electronic identification schemes; 16/01/2019 1.1 ANSSI - Clarifications on the levels of electronic signatures ; - Details relating to the issuance of qualified certificates ; - Precisions relating to the articulation between the eIDAS Regulation and the General Security Baseline; - Addition of the point of contact within ANSSI. Update. 25/03/2021 1.2 ANSSI Amendments: precisions relating to the remote identity proofing of users. Comments on this document should be sent to: Agence nationale de la sécurité des systèmes d’information SGDSN/ANSSI 51 boulevard de La Tour-Maubourg 75700 Paris 07 SP [email protected] [email protected] CONTENTS I. GENERAL QUESTIONS ON THE EIDAS REGULATION........................................................... I.1. What is the eIDAS Regulation?............................................................................................... I.2. What are the subjects covered by the eIDAS Regulation?...................................................... I.3. When the eIDAS Regulation has been published? When it entered into force and when it became applicable?.............................................................................................................. I.4. Who is concerned by the eIDAS Regulation?.......................................................................... I.5. Does the eIDAS Regulation only apply to cross-border exchanges?...................................... I.6. What are the delegated acts and implementing decisions of the eIDAS Regulation?............. I.7. What are the legal impacts and characteristics of the eIDAS Regulation?.............................. I.8. What is ANSSI’s role in the eIDAS Regulation?...................................................................... II. QUESTIONS RELATING TO ELECTRONIC IDENTIFICATION.................................................. II.1. What is the goal of the “electronic identification” part of the eIDAS Regulation?..................... II.2. What are the principles of the “electronic identification” part of the eIDAS Regulation?.......... II.3. What are the implementing decisions published under the chapter “electronic identification” of the Regulation?....................................................................................................... II.4. What are the applicable conditions to the notification of an electronic identification scheme by a Member State?............................................................................................................. II.5. What are the obligations of a Member State notifying an electronic identification scheme?............................................................................................................................................ II.6. What is the Cooperation Network?.......................................................................................... II.7. What is the peer reviewing process?....................................................................................... II.8. Where to find the list of the notified electronic identification schemes?................................... II.9. Do public sector bodies have to rely on electronic identification means under the eIDAS Regulation?............................................................................................................................ II.10. Which obligations apply to a public sector body if it requires the implementation of an “eIDAS” electronic identification mean to access its teleservices?.................................................... II.11. What are the conditions to obtain an electronic identification mean?.................................... II.12. Is a face-to-face necessary to obtain an electronic identification mean?............................... II.13. How is the “electronic identification” part of the eIDAS Regulation implemented at the national level?.................................................................................................................................. III. QUESTIONS RELATING TO TRUST SERVICES...................................................................... III.1. What is the goal of the “trust services” part of the eIDAS Regulation?.................................. III.2. What are the principles of the “trust services” part of the eIDAS Regulation?....................... III.3. What are the implementing decisions published under the chapter “trust services” of the Regulation?............................................................................................................................... III.4. What are the legal effects under the eIDAS Regulation?....................................................... III.5. What are the requirements applicable to trust service providers?......................................... III.6. What are the obligations from the « trust services » part of the eIDAS Regulation for qualified trust service providers?..................................................................................................... III.7. What are the qualified trust services provided by the Regulation?........................................ III.8. How trust service providers are supervised?......................................................................... III.9. What are the particular supervision conditions of qualified trust service providers?.............. III.10. What is a trusted list?............................................................................................................ III.11. What is the UE trust mark?.................................................................................................... III.12. What is “Mandate 460”?........................................................................................................ III.13. Do public sector bodies have to rely on qualified trust services?........................................... III.14. How is the “trust services” part of the eIDAS Regulation implemented at the national level? 16 IV. QUESTIONS RELATING TO ELECTRONIC SIGNATURE AND SEAL.................................... IV.1. What are the different levels of electronic signature?............................................................ IV.2. What is a qualified electronic signature creation device?...................................................... IV.3. Who can require a qualified certificate?................................................................................. IV.4. What are the changes introduced by the eIDAS Regulation in regards to electronic signature?........................................................................................................................................ IV.5. Is a face-to-face necessary for the issuance of a qualified electronic signature certificate?....................................................................................................................................... IV.6. For the remote advanced electronic signature creation service, by which means can a person indicate its consent?............................................................................................................ IV.7. How is remote qualified electronic signature supervised?..................................................... IV.8. What are the obligations of public sector bodies, for the use of electronic signature?........... IV.9. What is the impact of the eIDAS Regulation on the Directive 1999/93/EC on a Community framework for electronic signatures?............................................................................ IV.10. What are the transition modalities between Directive 1999/93/CE and the eIDAS Regulation?..................................................................................................................................... V. QUESTIONS RELATING TO NATIONAL IMPACTS OF THE “TRUST SERVICES” PART 22 V.1. What about laws, decrees, decisions taken under Directive 1999/93/CE after the publication of eIDAS Regulation?.................................................................................................... V.2. Is the General Security Baseline still effective after the application date of the eIDAS Regulation?..................................................................................................................................... V.3. Are the products certified conform (chip card, HSM) to Decree 2001-272 qualified under the eIDAS Regulation?.......................................................................................................... V.4. What is the impact of the eIDAS Regulation on Decree 2011-434 relating to electronic time stamp?..................................................................................................................................... V.5. Do qualified services under Decision of 26th July 2004 or under the General Security Baseline remain qualified services under the eIDAS Regulation?................................................... VI. POINTS OF CONTACT OF ANSSI............................................................................................ I. General questions on the eIDAS Regulation I.1. What is the eIDAS Regulation?