Text of (original) draft EU DIGITAL SIGNATURE DIRECTIVE
Caspar Bowden
Caspar.Bowden at qualia.co.uk
Fri, 3 Apr 1998 04:14:06 +0100
European Commission Working Draft of Directive on a Framework for Electronic
Certification Services
DIRECTIVE .... . OF THE EUROPEAN PARLIAMENT AND
OF THE COUNCIL of .... .
on a common framework for electronic certification services
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION
Having regard to the Treaty establishing the European Community, and in
particular Articles 57(2), 66 and 100a thereof.
Having regard to the proposal from the Commission.
Having regard to the opinion of the Economic and Social Committee.
Having regard to the opinion of the Committee of the Regions.
Acting in accordance with the procedure laid down in Article 189b of the
Treaty.
(1) Whereas the Commission presented on 16 April 1997 to the Council, the
European Parliament, the Economic and Social Committee and the Committee of the
Regions a Communication on a European Initiative in Electronic Commerce [1];
(2) Whereas the Bonn Ministerial Conference, held on 6 - 8 July 1997, stressed
the necessity of a legal and technical framework for digital signatures [2];
(3) Whereas the Commission presented on 8 October 1997 to the European
Parliament, to the Council, the Economic and Social Committee and the Committee
of the Regions a Communication on Ensuring security and trust in electronic
communication -- Towards a European framework for digital signatures and
encryption [3];
(4) Whereas on 1 December 1997, the Council invited the Commission to submit as
soon as possible a proposal for a European Parliament and Council Directive on
digital signatures;
(5) Whereas divergent rules in the Member States may create a significant
barrier to the use of electronic communications and electronic commerce and
thus hinder the development of the Internal Market;
(6) Whereas the divergent activities in the Member States indicate the need for
harmonisation at Community level; whereas the rapid technological development
and the global character of the Internet require a technology-open approach not
focusing only on digital signatures but on electronic signatures in general;
(7) Whereas this Directive therefore will contribute to the use and legal
recognition of electronic signatures within the European Community;
(8) Whereas in order to stimulate electronic commerce, a regulatory framework
at a European level should not favour a unique technological solution and
therefore should cover electronic signatures in general;
(9) Whereas in order to contribute to the general acceptance of electronic
signatures, electronic signatures should be legally valid;
(10) Whereas in order to facilitate the Community-wide provision of
certification services, priority should be given to market access schemes
relying on a general accreditation procedure; whereas such a general
accreditation procedure allows the provision of certification services without
requiring an explicit decision by a national authority; whereas such general
accreditation schemes may take the form of either a set of specific conditions
defined in advance in a general manner, such as a class license, or a general
legislation which may allow the provision of the certification service;
(11) Whereas in order to facilitate the Community-wide provision of
certification services the introduction of individual accreditation schemes
should only be possible on a voluntary basis.
(12) Whereas Member States shall ensure that certification service providers
comply with the essential requirements; whereas Member States may develop a
detailed framework taking into account their specific administrative
traditions;
(13) Whereas certification service providers offering certification services
which do not comply with the relevant essential requirements should be liable
to any person reasonably relying on certificates; whereas harmonised liability
rules would contribute to the general acceptance and legal recognition of
electronic signatures within the European Community;
(14) Whereas the development of international electronic commerce requires the
inclusion of interoperable mechanisms which involve third countries; whereas in
order to ensure interoperability at a global level, agreements on multilateral
rules with third countries on, inter alia, mutual recognition of certification
services and certificates, and access to third countries' markets are necessary;
(15) Whereas the Commission may take all necessary actions to implement
international agreements; whereas the Commission may start further multilateral
and bilateral negotiations on aspects of certification services on the basis of
specific mandates from the Council, which should make it possible to conclude
balanced agreements ensuring access for Community certification service
providers in third countries as well as mutual recognition arrangements for
certification services;
(16) Whereas certification service providers should respect data protection and
individual privacy;
(17) Whereas it is desirable to establish a committee to assist the Commission
in achieving a harmonised and proportionate application of the provisions which
meet the need of the market and the public at large;
(18) Whereas to enable the Commission to monitor effectively the control of the
market, it is necessary that Member States provide the relevant information
concerning national accreditation schemes and bodies;
(19) Whereas in accordance with the principles of subsidiarity and
proportionality referred to in Article 3b of the Treaty, the objective of
creating a harmonised legal framework for electronic signatures and related
services cannot be effectively achieved by the Member States and therefore is
better achieved at a Community level; whereas this Directive is limited to the
minimum requirements necessary to meet this objective and does not exceed that
which is necessary to achieve this aim:
HAVE ADOPTED THIS DIRECTIVE
I. Scope and definitions
Article 1 - Scope and Aim
This Directive aims at facilitating the provision of electronic signatures in
electronic communication and electronic commerce within the Internal Market as
well as providing for the legal recognition of electronic signatures. It
establishes a common framework for services related to electronic signatures
within the European Community.
Article 2 - Definition
For the purpose of this Directive:
1. "electronic signature" means a process which indicates the signatory's
electronic approval of the content of data and which meets the following
requirements:
(a) uniquely linked to the signatory;
(b) capable of identifying the signatory;
(c) created in a manner or using a means under the sole control of the
signatory; and
(d) linked to the data to which it relates in such a manner that if the data is
altered the electronic signature is invalidated.
2. "digital signature" means an electronic signature which uses an asymmetric
cryptographic technique such that a person having the signatory's public key
can determine whether:
(a) the transformation was created using the signatory's private key that
corresponds to the signatory's public key; and
(b) the transformed data record has been altered;
3. "signatory" means a natural or legal person who creates an electronic
signature.
4. "private key" means the key of a key pair used to create a digital
signature.
5. "public key" means the key of a key pair used to verify a digital signature.
6. "qualified certificate" means a digital attestation which attributes a
public key or a similar device to an individual person and verifies the
identity of the person, by requiring its physical appearance before an
(accredited) certification service provider, or through appropriate other
measures; and contains, at least:
(a) the name of the certification service provider issuing it;
(b) the name of its holder or an unmistakable pseudonym which shall be
identified as such;
(c) a public key which corresponds to a private key under the control of the
holder or a similar device fulfilling the same function;
(d) beginning and end of the operational period of the certificate;
(e) existing limitations on the scope of use of the certificate;
(f) existing restrictions of the certification service provider's liability;
(g) the algorithms with which the public key or a similar device can be used;
(h) the number of the qualified certificate; and
(i) the electronic signature of the certification service provider issuing it.
7. "certification service provider" means a (accredited) person who or entity
which:
(a) issues publicly available certificates attributing a public key or a
similar device to a person and verifying the identity of that person;
(b) provides other services related to electronic signatures.
8. "general accreditation scheme" means a procedure setting out rights and
obligations specific to the certification service sector and allowing persons
or entities to provide certification services, regardless of whether it is
regulated in the form of either a set of specific conditions defined in advance
in a general manner, such as a "class license", or under general law, and whether
such regulation requires registration, which (is voluntary and) does not
require an explicit decision by a national accreditation body before exercising
the rights stemming from the accreditation.
9. "individual accreditation scheme" means a procedure setting out rights and
obligations specific to the certification service sector which does not entitle
persons or entities to provide certification services until they have received
an explicit decision by the national accreditation body.
10. "national accreditation body" means an institution, legally distinct and
functionally independent of a certification service provider, charged by a
Member State with the elaboration of, and supervision of compliance with,
accreditations.
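The definitions in Article 2(2) and 2(6) describe the two checks a relying party performs: verify that a signature was made with the private key matching the public key in the certificate and that the data has not changed since, and verify that the certificate itself carries the listed contents and the issuing certification service provider's own signature. The following Go program is an added worked example, not part of the draft Directive or of any Commission text; it assumes Ed25519 as the signature algorithm and a JSON struct layout of its own design as a stand-in for whatever certificate format a provider would use. The holder's name, the provider's name and the liability figure are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// QualifiedCertificate carries the minimum contents listed in Article 2(6)(a)-(i).
// The field layout and JSON encoding are this example's own assumptions.
type QualifiedCertificate struct {
	Issuer         string            `json:"issuer"`          // (a) issuing certification service provider
	Holder         string            `json:"holder"`          // (b) holder name or pseudonym
	Pseudonym      bool              `json:"pseudonym"`       // (b) pseudonym "identified as such"
	PublicKey      ed25519.PublicKey `json:"public_key"`      // (c) key whose private half the holder controls
	NotBefore      time.Time         `json:"not_before"`      // (d) start of operational period
	NotAfter       time.Time         `json:"not_after"`       // (d) end of operational period
	UseLimits      string            `json:"use_limits"`      // (e) limitations on scope of use
	LiabilityLimit string            `json:"liability_limit"` // (f) restriction of provider liability
	Algorithm      string            `json:"algorithm"`       // (g) algorithm the public key is used with
	Serial         uint64            `json:"serial"`          // (h) certificate number
	IssuerSig      []byte            `json:"issuer_sig"`      // (i) provider's signature over (a)-(h)
}

var (
	ErrIssuerSig = errors.New("certificate not signed by the expected certification service provider")
	ErrExpired   = errors.New("certificate outside its operational period")
	ErrDataSig   = errors.New("signature does not verify: data altered or wrong key")
)

// tbs returns the to-be-signed encoding: every field except the issuer's signature,
// so any later change to (a)-(h) invalidates the provider's signature in (i).
func (c QualifiedCertificate) tbs() ([]byte, error) {
	c.IssuerSig = nil
	return json.Marshal(c)
}

// Issue has the provider sign the certificate contents with its own private key.
func Issue(cspPriv ed25519.PrivateKey, cert QualifiedCertificate) (QualifiedCertificate, error) {
	msg, err := cert.tbs()
	if err != nil {
		return cert, err
	}
	cert.IssuerSig = ed25519.Sign(cspPriv, msg)
	return cert, nil
}

// VerifySignedData is the relying party's check: the certificate must be genuine and within
// its operational period, and the data signature must verify under the certified public key
// (Article 2(2)(a) and (b)). Any alteration of the data makes verification fail.
func VerifySignedData(cspPub ed25519.PublicKey, cert QualifiedCertificate, now time.Time, data, sig []byte) error {
	msg, err := cert.tbs()
	if err != nil {
		return err
	}
	if !ed25519.Verify(cspPub, msg, cert.IssuerSig) {
		return ErrIssuerSig
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return ErrExpired
	}
	if !ed25519.Verify(cert.PublicKey, data, sig) {
		return ErrDataSig
	}
	return nil
}

// Demo runs the whole flow on constructed data and returns the verification result for a
// genuine message, an altered message, a tampered certificate and an expired certificate.
func Demo() (genuine, altered, forged, expired error) {
	cspPub, cspPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// The holder generates its own key pair; the provider only ever sees the public half,
	// matching the rule that private signature keys are not stored by the provider.
	holderPub, holderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	issued := time.Date(1998, 4, 3, 0, 0, 0, 0, time.UTC)
	cert, err := Issue(cspPriv, QualifiedCertificate{
		Issuer: "Example CSP (constructed)", Holder: "A. Signatory (constructed)",
		PublicKey: holderPub, NotBefore: issued, NotAfter: issued.AddDate(1, 0, 0),
		UseLimits: "none", LiabilityLimit: "EUR 10000 per transaction (constructed)",
		Algorithm: "Ed25519", Serial: 1,
	})
	if err != nil {
		panic(err)
	}
	data := []byte("Constructed sample data: I approve this order.")
	sig := ed25519.Sign(holderPriv, data)
	now := issued.AddDate(0, 6, 0)

	genuine = VerifySignedData(cspPub, cert, now, data, sig)
	tampered := append([]byte{}, data...)
	tampered[len(tampered)-1] ^= 1 // flip one bit of the signed data
	altered = VerifySignedData(cspPub, cert, now, tampered, sig)
	forgedCert := cert
	forgedCert.Holder = "Someone Else (constructed)" // changes (b) after issuance
	forged = VerifySignedData(cspPub, forgedCert, now, data, sig)
	expired = VerifySignedData(cspPub, cert, issued.AddDate(2, 0, 0), data, sig)
	return genuine, altered, forged, expired
}

func main() {
	g, a, f, e := Demo()
	fmt.Println("genuine:", g)
	fmt.Println("altered data:", a)
	fmt.Println("tampered certificate:", f)
	fmt.Println("expired certificate:", e)
}
```

The order of the checks matters: the provider's signature over the certificate is verified before the holder's public key from that certificate is trusted for anything, and the operational period in (d) is checked against the time of reliance, not the time of issue.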
II. Electronic signatures
Article 3 -- Legal effects
1. Member States shall ensure that with respect to data authenticated by means
of an electronic signature provided by an accredited certification service
provider it is presumed that:
(a) the data has not been altered since the time the electronic signature was
affixed to it;
(b) the electronic signature is the signature of the person to whom it relates;
and
(c) the electronic signature was affixed by that person with the intention of
signing the data.
2. Member States shall ensure that data on which an electronic signature is
affixed and which is based on a valid qualified certificate provided by an
accredited certification service provider complies with legal form requirements
and can be used as proof of evidence at court in the same manner as if the data
had existed in a manually signed form.
3. Member States shall ensure that the presumptions under paragraph 1, may be
refuted by:
(a) evidence indicating that the security procedure used to verify the
electronic signature is not to be technically recognised as secure; or
(b) evidence relating to facts of which the relying party was or should have
been aware which would suggest that the relying party acted in malicious faith.
(c) evidence indicating that the electronic signature was affixed under duress,
compulsion or deceit.
III. Certification service providers
Article 4 -- Principles governing accreditation
1. Member States shall make the provision of certification services subject to
a general accreditation scheme. Member States may issue an individual
accreditation scheme only if this accreditation scheme is set up on a voluntary
basis.
2. Accreditation schemes shall comply with the principles set out in this
Directive. Moreover, such conditions shall be objectively justified in relation
to the service concerned, non-discriminatory, proportionate and transparent.
3. The requirements for certification service providers which shall be attached
to such an accreditation are set out in Article 7. Member States shall, in the
formulation and application of their accreditation systems, facilitate the
provision of certification services between Member States.
4. Member States shall ensure that any fees imposed on certification service
providers as part of the accreditation procedure seek only to cover
administrative costs incurred in the issue, management, control and enforcement
of the applicable accreditation scheme. Such fees shall be published in an
appropriate and sufficiently detailed manner, so as to be readily available.
5. Member States shall ensure that information concerning the procedures
relating to the accreditation schemes is published in an appropriate manner,
so as to provide easy access to that information. Reference to the publication
of this information shall be made in the national official gazette of the
Member State concerned and in the Official Journal of the European Communities.
Article 5 -- Requirements
1. Member States shall ensure that certification service providers meet the
following requirements. A certification service provider must:
(a) possess the reliability necessary for offering certification services, in
particular be independent of financial and other interest in underlying
transactions, guarantee that it will comply with all legal requirements set up
for the operation of a certification service provider and notify to the
national regulation authority an internal security plan;
(b) employ personnel who possess the expert knowledge, experience, and
qualifications necessary for the operation as a certification service provider,
in particular competence at the managerial level, expertise in public-key or
other technology fulfilling a similar function and familiarity with proper
security procedures;
(c) use trustworthy systems for its services, in particular utilise approved
hardware and software, take measures against forgery of certificates, install a
prompt and secure revocation service and guarantee the confidentiality during
the process of generating private signature keys. Private signature keys and
similar devices shall not be stored by a certification service provider.
(d) have sufficient financial resources to operate in conformity with this
Directive, in particular to be able to bear the risk of being held liable for
mistakes by effecting an appropriate insurance (or limiting his liability);
(e) record all relevant information concerning a qualified certificate for an
appropriate period of time, in particular in order to be able to provide
evidence of certification in the context of a lawsuit or a property claim.
2. Member States shall on the basis of paragraph 1 lay down more detailed
requirements for certification service providers and for qualified
certificates. The committee established under Article 9 shall support Member
States by proposing these requirements.
Article 6 - Liability
1. Member States shall ensure that by issuing a qualified certificate, a
certification service provider is liable to any person who reasonably relies on
the certificate for:
(a) all information in the qualified certificate being accurate as of the date
it was issued, unless the certification service provider has stated oppositely
in the certificate;
(b) complying with all requirements of this Directive in issuing the qualified
certificate;
(c) the holder identified in the qualified certificate holds the private key or
a similar signature device corresponding to the public key or similar device
listed in the certificate;
(d) the holder's public key and private key constituting a functioning key pair
or a similar device fulfilling the same function; and
(e) to the certification service provider's knowledge, the qualified
certificate not having any material facts affecting the certificate's
reliability.
2. Member States shall ensure that certification service providers are only
liable for direct economic damage, which shall not include any anticipated
profits.
3. Member States shall ensure that notwithstanding paragraph 1, a certification
service provider is not liable if it can demonstrate that it has taken all
reasonably practicable measures to avoid errors in the qualified certificate.
4. Member States shall ensure that notwithstanding paragraph 1, a certification
service provider may, in the qualified certificate limit the use of the
certificate. The certification service provider shall not be held liable for
damages arising from a contrary use of the certificate.
5. Member States shall ensure that notwithstanding paragraph 1, a certification
service provider may, in the qualified certificate, limit the value of
transactions for which the certificate is valid. The certification service
provider shall not be held liable for damages in excess of that value limit.
6. Member States shall ensure that notwithstanding paragraph 1, a certification
service provider may, in the qualified certificate, restrict his liability to a
specific amount.
Article 7 -- International aspects
1. The Commission shall take all necessary actions to facilitate the
introduction of interoperable certification services with third countries.
2. For this purpose, the Commission shall make proposals to take all necessary
actions to seek the effective implementation of international agreements
applicable to certification services, and shall, in particular and where
necessary, submit proposals to the Council for appropriate mandates for the
negotiation of bilateral and multilateral agreements, also covering the rights
of Community organisations, with third countries and international
organisations. The Council shall decide by qualified majority.
3. Member States shall ensure that certificates issued by a third country
certification service provider are recognised as legally equivalent to
certificates issued by certification service providers operating under this
Directive:
(a) if the certification service provider has an accreditation of a Member
State of the European Union; or
(b) if the certificate is recognised by an accredited certification service
provider operating under this Directive, and that certification service
provider guarantees for the certificate, to the same extent as for its own
certificates; or
(c) if the certificate is recognised by a bilateral or multilateral agreement
between the European Union and third countries or international organisations.
4. Member States shall inform the Commission of any general difficulties
encountered, de jure or de facto, by Community organisations in obtaining
accreditation and in operating under accreditation in third countries, which
have been brought to their attention.
Article 8 - Data Protection
1. Member States shall ensure that certification service providers operate in a
manner fulfilling the requirements laid down in Community law for data
protection and privacy.
2. Member States shall ensure that a certification service provider may collect
personal data only directly from the data subject and only insofar as necessary
for the purposes of issuing a certificate.
3. Member States shall ensure that in the case of persons using pseudonyms, the
certification service provider shall transmit the data concerning the identity
of these persons to public authorities upon their request.
IV. Electronic Certification Committee
Article 9 -- Constitution and procedures
1. The Commission shall be assisted by a committee, the "Electronic
Certification Committee" (hereinafter referred to as "the Committee"), of an
advisory nature composed of the representatives of the Member States and
chaired by the representative of the Commission.
2. The Committee shall be consulted on the matters covered by Article 5.
3. The representative of the Commission shall submit to the Committee a draft
of the measures to be taken. The Committee shall deliver its opinion on the
draft, within a time-limit which the Chairman may lay down according to the
urgency of the matter, if necessary by taking a vote. The opinion shall be
recorded in the minutes; in addition, each Member State shall have the right to
ask to have its position recorded in the minutes. The Commission shall take the
utmost account of the opinion delivered by the Committee. It shall inform the
Committee of the manner in which its opinion has been taken into account and
decide within one month after having received the opinion of the Committee.
4. The Commission shall periodically consult the representatives of the
certification service providers, the consumers and the manufacturers. It shall
keep the Committee regularly informed of the outcome of such consultations.
V. General and final provisions
Article 10 -- Notification
1. Member States shall supply the Commission with the following information:
(a) the names and addresses of the national accreditation bodies;
(b) information on national accreditation regimes.
2. Any information supplied under paragraph 1 and changes in respect of this
information shall be notified by the Member States within one month of their
entry into force.
Article 11 -- Review procedures
The Commission shall review the operation of this Directive and report thereon
to the European Parliament and to the Council, on the first occasion not later
than [date].
This review shall inter alia assess whether the scope of the Directive should
be maintained or should be reduced taking account of technical development. The
report shall in particular include an assessment, on the basis of the
experience gained, of the need for further development of the accreditation
structures and of aspects of harmonisation, in particular of the accreditation
procedures. The report shall be accompanied, where appropriate, by
complementary legislative proposals and outline the activities of the
Committee.
Article 12 -- Implementation
1. Member States shall comply with this Directive before 1 January 2000. They
shall immediately inform the Commission thereof. When Member States adopt these
laws, these shall contain a reference to this Directive or shall be accompanied
by such a reference at the time of their official publication. The methods of
making such a reference shall be laid down by the Member States.
2. Member States shall communicate to the Commission all other provisions of
national law which they adopt in the field governed by this Directive.
Article 13 -- Entry into force
This Directive shall enter into force on the twentieth day following that of
its publication in the Official Journal of the European Communities.
Article 14 - Addressees
This Directive is addressed to the Member States.
________
[1] COM(97)157 final of 16.04.97
[2] European Ministerial Conference, entitled "Global Information Networks:
Realising the Potential", Bonn 6-8.7.97,
http://www.echo.lu/bonn/conference.html
[3] COM(97)503 final of 08.10.97