REPORT on the proposal for a regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market

31.10.2013 - (COM(2012)0238 – C7‑0133/2012 – 2012/0146(COD)) - ***I

Committee on Industry, Research and Energy
Rapporteur: Marita Ulvskog
Rapporteur for the opinion (*):
Marielle Gallo, Committee on Internal Market and Consumer Protection
(*) Associated committee – Rule 50 of the Rules of Procedure


Procedure: 2012/0146(COD)
Document: A7-0365/2013

DRAFT EUROPEAN PARLIAMENT LEGISLATIVE RESOLUTION

on the proposal for a regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market

(COM(2012)0238 – C7‑0133/2012 – 2012/0146(COD))

(Ordinary legislative procedure: first reading)

The European Parliament,

–   having regard to the Commission proposal to Parliament and the Council (COM(2012)0238),

–   having regard to Article 294(2) and Article 114 of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C7‑0133/2012),

–   having regard to Article 294(3) of the Treaty on the Functioning of the European Union,

–   having regard to the opinion of the European Economic and Social Committee of 18 September 2012,[1]

–   having regard to Rule 55 of its Rules of Procedure,

–   having regard to the report of the Committee on Industry, Research and Energy and the opinions of the Committee on the Internal Market and Consumer Protection, the Committee on Legal Affairs and the Committee on Civil Liberties, Justice and Home Affairs (A7-0365/2013),

1.  Adopts its position at first reading hereinafter set out;

2.  Calls on the Commission to refer the matter to Parliament again if it intends to amend its proposal substantially or replace it with another text;

3.  Instructs its President to forward its position to the Council, the Commission and the national parliaments.

Amendment  1

Proposal for a regulation

Recital 1

Text proposed by the Commission

Amendment

(1) Building trust in the online environment is key to economic development. Lack of trust makes consumers, businesses and administrations hesitate to carry out transactions electronically and to adopt new services.

(1) Building trust in the online environment is key to economic and social development. Lack of trust, in particular because of a perceived lack of legal certainty, makes consumers, businesses and administrations hesitate to carry out transactions electronically and to adopt new services.

Amendment  2

Proposal for a regulation

Recital 1 a (new)

Text proposed by the Commission

Amendment

 

(1a) Ensuring that all citizens have access to the technology and skills that enable them to benefit equally from digital offerings and electronic services is vital in order to ensure equal opportunities and inclusion of all parts of society.

Amendment  3

Proposal for a regulation

Recital 2

Text proposed by the Commission

Amendment

(2) This Regulation seeks to enhance trust in electronic transactions in the internal market by enabling secure and seamless electronic interactions to take place between businesses, citizens and public authorities, thereby increasing the effectiveness of public and private online services, electronic business and electronic commerce in the Union.

(2) This Regulation seeks to enhance trust in electronic transactions in the internal market by providing a common foundation for legally secure electronic interaction between businesses, citizens and public authorities, thereby increasing the effectiveness of public and private online services, electronic business and electronic commerce in the Union.

Justification

Again it is about legal certainty.

Amendment  4

Proposal for a regulation

Recital 3

Text proposed by the Commission

Amendment

(3) Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, essentially covered electronic signatures without delivering a comprehensive cross-border and cross-sector framework for secure, trustworthy and easy-to-use electronic transactions. This Regulation enhances and expands the acquis of the Directive.

(3) Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, essentially covered electronic signatures without delivering a comprehensive cross-border and cross-sector framework for secure, trustworthy and easy-to-use electronic transactions. This Regulation addresses these lacunae.

Justification

Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, essentially covered electronic signatures without delivering a comprehensive cross-border and cross-sector framework for secure, trustworthy and easy-to-use electronic transactions. This Regulation addresses these lacunae.

Amendment  5

Proposal for a regulation

Recital 11

Text proposed by the Commission

Amendment

(11) One of the objectives of this Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States to access at least public services. This Regulation does not aim at intervening on electronic identity management systems and related infrastructures established in the Member States. The aim of this Regulation is to ensure that for the access to cross-border online services offered by the Member States, secure electronic identification and authentication is possible.

(11) One of the objectives of this Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States to access at least public services. This Regulation does not aim at intervening on electronic identity management systems and related infrastructures established in the Member States. Rather, it aims to introduce different security levels to guarantee a minimum common set of security requirements. The aim of this Regulation is to ensure that for the access to cross-border online services offered by the Member States, secure electronic identification and authentication is possible, with full respect for technology neutrality.

Justification

Unlike trust services, which are covered by a common set of security requirements, the Commission has no such provisions for electronic identification. The rapporteur takes the view that the introduction of different security levels (and consequently of a minimum level of security) is a prerequisite for the principle of mutual recognition and will help increase security in the digital world.

Amendment  6

Proposal for a regulation

Recital 12

Text proposed by the Commission

Amendment

(12) Member States should remain free to use or introduce means, for electronic identification purposes, for accessing online services. They should also be able to decide whether to involve the private sector in the provision of these means. Member States should not be obliged to notify their electronic identification schemes. The choice to either notify all, some or none of the electronic identification schemes used at national level to access at least public online services or specific services is up to the Member States.

(12) Member States should remain free to use or introduce means, for electronic authentication or identification purposes, for accessing online services. They should also be able to decide whether to involve the private sector in the provision of these means. Member States should not be obliged to notify their electronic identification schemes. The choice to either notify all, some or none of the electronic identification schemes used at national level to access at least public online services or specific services is up to the Member States.

Amendment  7

Proposal for a regulation

Recital 13

Text proposed by the Commission

Amendment

(13) Some conditions need to be set in the Regulation with regard to which electronic identification means have to be accepted and how the schemes should be notified. These should help Member States to build the necessary trust in each other's electronic identification schemes and to mutually recognise and accept electronic identification means falling under their notified schemes. The principle of mutual recognition and acceptance should apply if the notifying Member State meets the conditions of notification and the notification was published in the Official Journal of the European Union. However, the access to these online services and their final delivery to the applicant should be closely linked to the right to receive such services under the conditions set by national legislation.

(13) Some conditions need to be set in the Regulation with regard to which electronic identification means have to be accepted and how the schemes should be notified. These should help Member States to build the necessary trust in each other's electronic identification schemes and to mutually recognise and accept electronic identification means falling under their notified schemes. The principle of mutual recognition and acceptance should apply if the notifying Member State meets the conditions of notification and the notification, including a description of the notified electronic identification scheme and the information on the different security levels, was published in the Official Journal of the European Union. However, the access to these online services and their final delivery to the applicant should be closely linked to the right to receive such services under the conditions set by national legislation.

Justification

Unlike trust services, which are covered by a common set of security requirements, the Commission has no such provisions for electronic identification. The rapporteur takes the view that the introduction of different security levels (and consequently of a minimum level of security) is a prerequisite for the principle of mutual recognition and will help increase security in the digital world.

Amendment  8

Proposal for a regulation

Recital 14

Text proposed by the Commission

Amendment

(14) Member States should be able to decide to involve the private sector in the issuance of electronic identification means and to allow the private sector the use of electronic identification means under a notified scheme for identification purposes when needed for online services or electronic transactions. The possibility to use such electronic identification means would enable the private sector to rely on electronic identification and authentication already largely used in many Member States at least for public services and to make it easier for businesses and citizens to access their online services across borders. In order to facilitate the use of such electronic identification means across borders by the private sector, the authentication possibility provided by the Member States should be available to relying parties without discriminating between public or private sector.

(14) Member States should be able to involve the private sector in issuing electronic authentication or identification means. Private sector parties should also be allowed to use electronic authentication and identification means under a notified scheme for authentication or identification purposes when needed for online services or electronic transactions. The possibility to use such means would enable the private sector to rely on electronic identification and/or authentication already largely used in many Member States at least for public services and to make it easier for businesses and citizens to access their online services across borders. In order to facilitate the use of such electronic authentication or identification means across borders by the private sector, the authentication possibility provided by the Member States should be available to relying parties without discriminating between public and private sector.

Justification

The original formulation by the Commission makes it unclear who is a relying party (a private actor), and the distinction between the use of a relying party (certificate provider) and an issuer of a physical piece of equipment for interpreting the identifying data.

Amendment  9

Proposal for a regulation

Recital 15

Text proposed by the Commission

Amendment

(15) The cross border use of electronic identification means under a notified scheme requires Member States to cooperate in providing technical interoperability. This rules out any specific national technical rules requiring non-national parties for instance to obtain specific hardware or software to verify and validate the notified electronic identification. Technical requirements on users, on the other hand, stemming from the inherent specifications of whatever token is used (e.g. smartcards) are inevitable.

(15) The cross border use of electronic identification means under a notified scheme requires Member States to cooperate in providing technical interoperability in accordance with the principle of technological neutrality. This rules out any specific national technical rules requiring non-national parties for instance to obtain specific hardware or software to verify and validate the notified electronic identification. Technical requirements on users, on the other hand, stemming from the inherent specifications of whatever token is used (e.g. smartcards) are inevitable. Nevertheless the process of building interoperability should respect the various approaches taken by Member States while developing their national electronic identification systems and should not require changes to the fundamental design of such systems.

Amendment  10

Proposal for a regulation

Recital 16

Text proposed by the Commission

Amendment

(16) Cooperation of Member States should serve the technical interoperability of the notified electronic identification schemes with a view to foster a high level of trust and security appropriate to the degree of risk. The exchange of information and the sharing of best practices between Member States with a view to their mutual recognition should help such cooperation.

(16) Cooperation of Member States should serve the technical interoperability of the notified electronic identification schemes with a view to foster a high level of trust and security appropriate to the degree of risk. The exchange of information and the sharing of best practices between Member States with a view to their mutual recognition should help such cooperation. Since certain e-services have greater cross-border potential, establishing interoperability for such e-services should be prioritized. E-services of cross border relevance are such services which are available not only to residents of a Member State, and where interoperable authentication means could be expected to boost cross border interactions.

Amendment  11

Proposal for a regulation

Recital 16 a (new)

Text proposed by the Commission

Amendment

 

(16a) The cross border use of electronic authentication means should not lead to disclosure of personal data that are not necessary for the service to be provided. In this regard, Member States should be encouraged to make better use of non-direct identification where the processing of personal data is limited to the disclosure of only personal data required for a specific purpose.

Amendment  12

Proposal for a regulation

Recital 17

Text proposed by the Commission

Amendment

(17) This Regulation should also establish a general legal framework for the use of electronic trust services. However, it should not create a general obligation to use them. In particular, it should not cover the provision of services based on voluntary agreements under private law. Neither should it cover aspects related to the conclusion and validity of contracts or other legal obligations where there are requirements as regards form prescribed by national or Union law.

(17) This Regulation should also establish a general legal framework for the use of electronic trust services. However, it should not create a general obligation to use them. In particular, it should not cover the provision of services based on voluntary agreements under private law. It should also be without prejudice to provisions on the form, formation or effect of contracts or to the form, creation or validity of other private-law obligations irrespective of whether they are founded on national or Union law, for example in accordance to the rules on consent and material and formal validity of contracts laid down in Regulation (EC) No 593/2008 of the European Parliament and the Council[21a]. Furthermore this Regulation should be without prejudice to the rules and restrictions in national or Union law on the use of documents, and should not apply to register procedures, particularly those relating to land registers and trade registers.

______________

[21a] Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations (Rome I) (OJ L 177, 4.7.2008, p. 6).

Amendment  13

Proposal for a regulation

Recital 20

Text proposed by the Commission

Amendment

(20) Because of the pace of technological change, this Regulation should adopt an approach which is open to innovations.

(20) Because of the pace of technological change, this Regulation should adopt an approach which aims at stimulating innovations.

Amendment  14

Proposal for a regulation

Recital 21

Text proposed by the Commission

Amendment

(21) This Regulation should be technology-neutral. The legal effects it grants should be achievable by any technical means provided that the requirements of this Regulation are met.

(21) This Regulation should be technology-neutral with regard to both electronic identification systems and trust services. The legal effects it grants should be achievable by any technical means provided that the requirements of this Regulation are met.

Amendment  15

Proposal for a regulation

Recital 22

Text proposed by the Commission

Amendment

(22) To enhance people's trust in the internal market and to promote the use of trust services and products, the notions of qualified trust services and qualified trust service provider should be introduced with a view to indicating requirements and obligations to ensure high-level security of whatever qualified trust services and products are used or provided.

(22) To enhance the trust of small and medium-sized enterprises (SMEs) and consumers in the internal market and to promote the use of trust services and products, the notions of qualified trust services and qualified trust service provider should be introduced with a view to indicating requirements and obligations to ensure high-level security of whatever qualified trust services and products are used or provided. Both qualified and advanced electronic signatures should be legally equivalent to handwritten signatures. Nothing in this Regulation should limit the ability of any natural or legal person to demonstrate with evidence the non-reliability of any form of electronic signature. However, in the case of qualified electronic signatures, the burden of proof when questioning the identity of the signatory should rest with the contesting party.

Justification

It should be made clear that even a non-qualified signature can have the same effect as a handwritten one. The only difference is the burden of proof.

Amendment  16

Proposal for a regulation

Recital 23

Text proposed by the Commission

Amendment

(23) In line with the obligations under the UN Convention on the Rights of Persons with Disabilities that has entered into force in the EU, persons with disabilities should be able to use trust services and end user products used in the provision of those services on equal bases with other consumers.

(23) In line with the obligations under the UN Convention on the Rights of Persons with Disabilities that has entered into force in the EU, and with respect for and in full compliance with Union law on the accessibility of the websites of public sector bodies, persons with disabilities should be able to use trust services and electronic identification services and end user products used in the provision of those services on equal bases with other consumers.

Amendment  17

Proposal for a regulation

Recital 23 a (new)

Text proposed by the Commission

Amendment

 

(23a) Under Article 9 of the Treaty on the Functioning of the European Union, in defining and implementing its policies and activities, the Union is obliged to take into account requirements linked to the promotion of a high level of employment, the guarantee of adequate social protection, the fight against social exclusion, and a high level of education, training and protection of human health.

Amendment  18

Proposal for a regulation

Recital 23 b (new)

Text proposed by the Commission

Amendment

 

(23b) The concepts of accessibility and design for all should be mainstreamed when legislative measures on electronic identification are being pursued at Union level.

Amendment  19

Proposal for a regulation

Recital 24

Text proposed by the Commission

Amendment

(24) A trust service provider is a controller of personal data and therefore has to comply with the obligations set out in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data[22]. In particular the collection of data should be minimised as much as possible taking into account the purpose of the service provided.

(24) A trust service provider is a controller of personal data and therefore has to comply with the obligations set out in national provisions on data protection and in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data[22]. In particular the collection and the retention of data should be minimised as much as possible taking into account the purpose of the service provided and the trust service providers should provide users with information on the collection, communication and retention of their personal data and enable them to check their personal data and exercise their data protection rights.

Amendment  20

Proposal for a regulation

Recital 24 a (new)

Text proposed by the Commission

Amendment

 

(24a) A high level of data protection through appropriate and harmonised safeguards is all the more important for the use of electronic identification schemes and trust services, as both will require the processing of personal data. Such processing will be relied upon, amongst other things, for identifying and authenticating persons in the most reliable manner; moreover the lack of appropriate safeguards could lead to significant data protection risks such as identity theft, forgery or misuse of the electronic medium.

Amendment  21

Proposal for a regulation

Recital 24 b (new)

Text proposed by the Commission

Amendment

 

(24b) A trust service provider operates in a particularly sensitive environment where many other parties rely on the integrity of their services. In particular, it is presumed by its customers that it is always trustworthy. Therefore it is important to avoid conflicts of interest. In the interest of good governance within the context of electronic signatures and electronic identification, trust service providers should not in general be operated or owned by entities providing services that require their trust services. Oversight should be provided by a competent supervisory body.

Justification

Separating the functionality of a trust service provider from that of a provider of services requiring trust means that there is less chance of a single interest over-taking or exercising undue influence on the trust service provider. This is an important principle in establishing adequate trust chains on the market for electronic signatures.

Amendment  22

Proposal for a regulation

Recital 24 c (new)

Text proposed by the Commission

Amendment

 

(24c) Electronic identification schemes should comply with Directive 95/46/EC, which governs the processing of personal data carried out in the Member States pursuant to this Regulation and under the supervision of the Member States' competent authorities, in particular the independent public authorities designated by the Member States.

Amendment  23

Proposal for a regulation

Recital 24 d (new)

Text proposed by the Commission

Amendment

 

(24d) This Regulation respects the fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union, in particular Article 8 thereof.

Amendment  24

Proposal for a regulation

Recital 25

Text proposed by the Commission

Amendment

(25) Supervisory bodies should cooperate and exchange information with data protection authorities to ensure proper implementation of data protection legislation by service providers. The exchange of information should in particular cover security incidents and personal data breaches.

(25) Trust service providers and national bodies responsible for accreditation or supervision should comply with the requirements laid down in Directive 95/46/EC.

 

Member States should also ensure that trust service providers and national bodies responsible for accreditation or supervision cooperate and exchange information with data protection authorities to ensure proper implementation of data protection legislation by service providers. The exchange of information should in particular cover security incidents and personal data breaches, where provided by the applicable law.

Amendment  25

Proposal for a regulation

Recital 26

Text proposed by the Commission

Amendment

(26) It should be incumbent on all trust service providers to apply good security practice appropriate to the risks related to their activities so as to boost users' trust in the single market.

(26) It should be incumbent on all trust service providers to apply good security practice appropriate to the risks related to their activities so as to build users' trust in the services concerned.

Amendment  26

Proposal for a regulation

Recital 29

Text proposed by the Commission

Amendment

(29) Notification of security breaches and security risk assessments is essential with a view to providing adequate information to concerned parties in the event of a breach of security or loss of integrity.

(29) A breach of security may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm for the individuals concerned, including identity fraud. Therefore notification of security breaches without undue delay in accordance with Directive 95/46/EC and security risk assessments is essential with a view to providing adequate information to concerned parties in the event of a breach of security or loss of integrity especially to give them the opportunity to mitigate potential adverse effects.

Amendment  27

Proposal for a regulation

Recital 33

Text proposed by the Commission

Amendment

(33) To ensure sustainability and durability of qualified trust services and to boost users confidence in the continuity of qualified trust services, supervisory bodies should ensure that the data of qualified trust service providers are preserved and kept accessible for an appropriate period of time even if a qualified trust service provider ceases to exist.

(33) To ensure sustainability and durability of qualified trust services and to boost users' confidence in the continuity of qualified trust services, supervisory bodies should ensure that the data collected by the qualified trust service providers are preserved and kept accessible for an appropriate period of time even if a qualified trust service provider ceases to exist.

Amendment  28

Proposal for a regulation

Recital 34

Text proposed by the Commission

Amendment

(34) To facilitate the supervision of qualified trust services providers, for example when a provider is providing its services in the territory of another Member State and is not subject to supervision there, or when the computers of a provider are located in the territory of another Member State than the one where it is established, a mutual assistance system between supervisory bodies in the Member States should be set up.

(34) To facilitate the supervision of qualified trust services providers and ensure that it is effective, as stipulated in this Regulation, for example when a provider is providing its services in the territory of another Member State and is not subject to supervision there, or when the computers of a provider are located in the territory of another Member State than the one where it is established, a mutual assistance system between supervisory bodies in the Member States should be set up. The system should also aim to simplify and reduce the administrative burden on trust service providers by having a one-stop-shop supervisory body.

Amendment  29

Proposal for a regulation

Recital 39 a (new)

Text proposed by the Commission

Amendment

 

(39a) In order to boost users’ confidence online and to make it easier to identify the qualified trust services providers which meet the requirements of this Regulation, an 'EU' qualified trustmark should be created.

Justification

Parliament called for the creation of a trustmark in its resolution of 11 December 2012 on completing the Digital Single Market. Its aim in doing so was to boost users’ confidence online by creating an easily recognisable European label. Bearing in mind the aim of making trust services more secure online, qualified trust service providers who meet the requirements, especially those laid down in Article 19, should be able to benefit from this label and enjoy added value in e-commerce.

Amendment  30

Proposal for a regulation

Recital 40 a (new)

Text proposed by the Commission

Amendment

 

(40a) The creation of remote electronic signatures, where the electronic signature creation environment is managed by a trust services provider on behalf of the signatory, is set to increase in the light of its multiple economic benefits. However, in order to ensure that such electronic signatures receive the same legal recognition as electronic signatures created in an entirely user‑managed environment, remote signature services providers should apply specific management and administrative security procedures, and use reliable systems and products, including secure electronic communication channels, in order to guarantee that the electronic signature creation environment is reliable and is used under the sole control of the signatory. Where a qualified electronic signature has been created using a remote electronic signature creation device, the requirements applicable to qualified trust services providers set out in this Regulation should apply.

Justification

Although the server signature service is exposed to greater risks than other services, it is of benefit to users and is set to expand. The rapporteur therefore takes the view that express reference should be made to this service in order to ensure that the supervisory audits focus on the weaknesses inherent to this type of signature.

Amendment  31

Proposal for a regulation

Recital 42

Text proposed by the Commission

Amendment

(42) When a transaction requires a qualified electronic seal from a legal person, a qualified electronic signature from the authorised representative of the legal person should be equally acceptable.

(42) When national or Union law requires a qualified electronic seal from a legal person, a qualified electronic signature from the authorised representative of the legal person should be equally acceptable.

Amendment  32

Proposal for a regulation

Recital 43

Text proposed by the Commission

Amendment

(43) Electronic seals should serve as evidence that an electronic document was issued by a legal person, ensuring certainty of the document’s origin and integrity.

(43) Valid electronic seals should serve as prima facie evidence of the authenticity and integrity of an electronic document associated with them. This should be without prejudice to national provisions on powers of attorney, representation and legal capacity.

Amendment  33

Proposal for a regulation

Recital 45

Text proposed by the Commission

Amendment

(45) In order to enhance the cross-border use of electronic documents this Regulation should provide for the legal effect of electronic documents which should be considered as equal to paper documents dependent on the risk assessment and provided the authenticity and integrity of the documents are ensured. It is also important for further development of cross-border electronic transactions in the internal market that original electronic documents or certified copies issued by relevant competent bodies in a Member State under their national law are accepted as such also in other Member States. This Regulation should not affect Member States’ right to determine what constitutes an original or a copy at a national level but ensures that these can be used as such also across borders.

deleted

Amendment  34

Proposal for a regulation

Recital 46 a (new)

Text proposed by the Commission

Amendment

 

(46a) Member States should ensure that the possibilities and limitations of use of electronic identification are clearly communicated to the citizens.

Amendment  35

Proposal for a regulation

Recital 49

Text proposed by the Commission

Amendment

(49) In order to complement certain detailed technical aspects of this Regulation in a flexible and rapid manner, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of interoperability of electronic identification; security measures required of trust service providers; recognised independent bodies responsible for auditing the service providers; trusted lists; requirements related to the security levels of electronic signatures; requirements of qualified certificates for electronic signatures their validation and their preservation; the bodies responsible for the certification of qualified electronic signature creation devices; and the requirements related to the security levels of electronic seals and to qualified certificates for electronic seals; the interoperability between delivery services. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level.

(49) In order to complement certain detailed technical aspects of this Regulation in a flexible and rapid manner, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of interoperability of electronic identification; trusted lists; requirements of qualified certificates for electronic signatures their validation and their preservation; the bodies responsible for the certification of qualified electronic signature creation devices; and to qualified certificates for electronic seals; the interoperability between delivery services. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level.

Amendment  36

Proposal for a regulation

Recital 51

Text proposed by the Commission

Amendment

(51) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission, in particular for specifying reference numbers of standards which use would give a presumption of compliance with certain requirements laid down in this Regulation or defined in delegated acts. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers.

(51) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission, in particular for specifying reference numbers of standards which use would give a presumption of compliance with certain requirements laid down in this Regulation or defined in delegated acts. Those powers should be exercised, after a transparent stakeholder consultation, in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers.

Amendment  37

Proposal for a regulation

Recital 51 a (new)

Text proposed by the Commission

Amendment

 

(51a) The standardisation work carried out by international and European organisations enjoys international recognition. This work is undertaken in cooperation with the industries and stakeholders concerned, and is funded by the Union and national authorities, among others. With a view to ensuring a high level of security in electronic identification and in electronic trust services, particularly in the Commission’s drafting of delegated and implementing acts, due account should be paid to standards drawn up by organisations such as the European Committee for Standardisation (CEN), the European Telecommunications Standards Institute (ETSI), the European Committee for Electrotechnical Standardisation (CENELEC) or the International Organisation for Standardisation (ISO).

Amendment  38

Proposal for a regulation

Article 1

Text proposed by the Commission

Amendment

1. This Regulation lays down rules for electronic identification and electronic trust services for electronic transactions with a view to ensuring the proper functioning of the internal market.

1. This Regulation lays down rules for cross-border electronic identification and trust services for electronic transactions with a view to ensuring the proper functioning of the internal market.

2. This Regulation lays down the conditions under which Member States shall recognise and accept electronic identification means of natural and legal persons falling under a notified electronic identification scheme of another Member State.

2. This Regulation lays down the conditions under which Member States shall recognise and accept electronic identification means for natural and legal persons falling under a notified electronic identification scheme of another Member State.

3. This Regulation establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services and website authentication.

3. This Regulation establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services and website authentication.

4. This Regulation ensures that trust services and products which comply with this Regulation are permitted to circulate freely in the internal market.

4. This Regulation ensures that qualified and non-qualified trust services and products which comply with this Regulation are permitted to circulate freely in the internal market.

Amendment  39

Proposal for a regulation

Article 2

Text proposed by the Commission

Amendment

1. This Regulation applies to electronic identification provided by, on behalf or under the responsibility of Member States and to trust service providers established in the Union.

1. This Regulation applies to notified electronic identification schemes mandated, recognised or issued by or on behalf of Member States, and to trust service providers established in the Union.

2. This Regulation does not apply to the provision of electronic trust services based on voluntary agreements under private law.

2. This Regulation applies to both qualified and non-qualified trust service providers established in the Union. This Regulation does not apply to the trust services which are provided to a closed group of parties and which are used exclusively within that group.

3. This Regulation does not apply to aspects related to the conclusion and validity of contracts or other legal obligations where there are requirements as regards form prescribed by national or Union law.

3. This Regulation does not apply to aspects related to the conclusion and validity of contracts or other legal obligations where there are requirements as regards form prescribed by national or Union law.

Amendment  40

Proposal for a regulation

Article 3 – point 1

Text proposed by the Commission

Amendment

(1) ‘electronic identification’ means the process of using person identification data in electronic form unambiguously representing a natural or legal person;

(1) ‘electronic identification’ means the process of using identification data in electronic form representing a natural or legal person either:

 

(a) to fully identify a person, or

 

(b) to confirm only those identification data necessary to grant access to a specific service.

Amendment  41

Proposal for a regulation

Article 3 – point 2

Text proposed by the Commission

Amendment

(2) ‘electronic identification means’ means a material or immaterial unit containing data as referred to in point 1 of this Article, and which is used to access services online as referred to in Article 5;

(2) ‘electronic identification means’ means a material or immaterial unit containing data as referred to in point 1 of this Article, and which is used to access electronic services as referred to in Article 5;

Amendment  42

Proposal for a regulation

Article 3 – point 4

Text proposed by the Commission

Amendment

(4) ‘authentication’ means an electronic process that allows the validation of the electronic identification of a natural or legal person; or of the origin and integrity of an electronic data;

(4) ‘authentication’ means an electronic process that allows the validation of the electronic identification of a natural or legal person; or of the origin and integrity of electronic data;

Amendment  43

Proposal for a regulation

Article 3 – point 4 a (new)

Text proposed by the Commission

Amendment

 

(4a) 'relying party' means a natural or legal person to whom the holder of an electronic authentication means verifies attributes;

Justification

The draft already referred to relying parties in Article (1) (d) without a proper definition.

Amendment  44

Proposal for a regulation

Article 3 – point 7 – point b

Text proposed by the Commission

Amendment

(b) it is capable of identifying the signatory;

(b) it is capable of guaranteeing the legal validity of the identity of the signatory;

Justification

The use of the term ‘identifying’ could prove confusing given that the regulation concerns electronic identification. This particular point is a definition of an advanced electronic signature, which relates to the ‘trust services’ part of the proposal (Chapter III).

Amendment  45

Proposal for a regulation

Article 3 – point 7 – point c

Text proposed by the Commission

Amendment

(c) it is created using electronic signature creation data that the signatory can, with high level of confidence, use under his sole control; and

(c) it is created using an electronic signature creation device that the signatory can use under his sole control; and

Justification

Wording changed to bring the text into line with the terminology used in Articles 22 and 23. The expression ‘high level of confidence’ is legally meaningless.

Amendment  46

Proposal for a regulation

Article 3 – point 7 – point d

Text proposed by the Commission

Amendment

(d) it is linked to the data to which it relates in such a way that any subsequent change in the data is detectable;

(d) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable;

Amendment  47

Proposal for a regulation

Article 3 – point 8

Text proposed by the Commission

Amendment

(8) ‘qualified electronic signature’ means an advanced electronic signature which is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures;

(8) ‘qualified electronic signature’ means an advanced electronic signature which is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures issued by a qualified trust provider;

Amendment  48

Proposal for a regulation

Article 3 – point 10

Text proposed by the Commission

Amendment

(10) ‘certificate’ means an electronic attestation which links electronic signature or seal validation data of a natural or a legal person respectively to the certificate and confirms those data of that person;

(10) 'certificate' means an electronic attestation which links electronic signature or seal validation data with the identification data of an entity or a natural or a legal person respectively and confirms those data of that person;

Amendment  49

Proposal for a regulation

Article 3 – point 11

Text proposed by the Commission

Amendment

(11) ‘qualified certificate for electronic signature’ means an attestation which is used to support electronic signatures, is issued by a qualified trust service provider and meets the requirements laid down in Annex I;

(11) ‘qualified certificate for electronic signature’ means a certificate which is used to support electronic signatures, is issued by a qualified trust service provider and meets the requirements laid down in Annex I;

Amendment  50

Proposal for a regulation

Article 3 – point 12

Text proposed by the Commission

Amendment

(12) ‘trust service’ means any electronic service consisting in the creation, verification, validation, handling and preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication, and electronic certificates, including certificates for electronic signature and for electronic seals;

(12) 'trust service' means an electronic service consisting in the creation, verification, validation or preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication, and electronic certificates, including certificates for electronic signature and for electronic seals;

Amendment  51

Proposal for a regulation

Article 3 – point 13

Text proposed by the Commission

Amendment

(13) ‘qualified trust service’ means a trust service that meets the applicable requirements provided for in this Regulation;

(13) ‘qualified trust service’ means a trust service that meets the applicable requirements laid down in this Regulation;

Amendment  52

Proposal for a regulation

Article 3 – point 14

Text proposed by the Commission

Amendment

(14) ‘trust service provider’ means a natural or a legal person who provides one or more trust services;

(14) 'trust service provider' means a natural or a legal person who provides one or more trust services as defined in this Regulation;

Justification

Removes ambiguity about trust services in, for instance, the financial sector.

Amendment  53

Proposal for a regulation

Article 3 – point 19

Text proposed by the Commission

Amendment

(19) ‘creator of a seal’ means a legal person who creates an electronic seal;

(19) ‘creator of a seal’ means a natural or legal person who creates an electronic seal;

Amendment  54

Proposal for a regulation

Article 3 – point 20

Text proposed by the Commission

Amendment

(20) ‘electronic seal’ means data in electronic form which are attached to or logically associated with other electronic data to ensure the origin and the integrity of the associated data;

(20) ‘electronic seal’ means data in electronic form which are attached to or logically associated with other electronic data to ensure the authenticity and the integrity of the associated data;

Amendment  55

Proposal for a regulation

Article 3 – point 21 – point c

Text proposed by the Commission

Amendment

(c) it is created using electronic seal creation data that the creator of the seal can, with a high level of confidence under its control, use for electronic seal creation; and

(c) it is created using an electronic seal creation device that the creator of the seal can, with a high level of confidence under its control, use for electronic seal creation; and

Justification

Wording changed to bring the text into line with the terminology used in Articles 22 and 23.

Amendment  56

Proposal for a regulation

Article 3 – point 21 – point d

Text proposed by the Commission

Amendment

(d) it is linked to the data to which it relates in such a way that any subsequent change in the data is detectable;

(d) it is linked to the data the origin and integrity of which it certifies in such a way that any subsequent change in the data is detectable;

Amendment  57

Proposal for a regulation

Article 3 – point 22

Text proposed by the Commission

Amendment

(22) ‘qualified electronic seal’ means an advanced electronic seal which is created by a qualified electronic seal creation device, and which is based on a qualified certificate for electronic seal;

(22) ‘qualified electronic seal’ means an advanced electronic seal which is created by a qualified electronic seal creation device, and which is based on a qualified certificate for electronic seal issued by a qualified trust service provider;

Amendment  58

Proposal for a regulation

Article 3 – point 27

Text proposed by the Commission

Amendment

(27) ‘electronic document’ means a document in any electronic format;

(27) ‘electronic document’ means a separate set of structured data in any electronic format;

Amendment  59

Proposal for a regulation

Article 3 – point 31 a (new)

Text proposed by the Commission

Amendment

 

(31a) 'breach of security' means a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, data transmitted, stored or otherwise processed.

Amendment  60

Proposal for a regulation

Article 4

Text proposed by the Commission

Amendment

1. There shall be no restriction on the provision of trust services in the territory of a Member State by a trust service provider established in another Member State for reasons which fall within the fields covered by this Regulation.

1. There shall be no restriction on the provision of trust services in the territory of a Member State by a trust service provider established in another Member State for reasons which fall within the fields covered by this Regulation. Member States shall ensure that trust services originating from another Member State are admissible as evidence in legal proceedings.

2. Products which comply with this Regulation shall be permitted to circulate freely in the internal market.

2. Products which comply with this Regulation shall circulate freely and securely in the internal market.

Amendment  61

Proposal for a regulation

Article 5

Text proposed by the Commission

Amendment

Mutual recognition and acceptance

Mutual recognition

When an electronic identification using an electronic identification means and authentication is required under national legislation or administrative practice to access a service online, any electronic identification means issued in another Member State falling under a scheme included in the list published by the Commission pursuant to the procedure referred to in Article 7 shall be recognised and accepted for the purposes of accessing this service.

When an electronic identification using an electronic identification means and authentication is required under Union or national legislation or administrative practice to access a service online in one Member State or provided online by Union institutions, bodies, offices and agencies, that electronic identification means issued in another Member State or by Union institutions, bodies, offices and agencies under a scheme included in the list published by the Commission pursuant to Article 7, and with a security level equal to or higher than the security level required to access the service, shall be recognised in the Member State or by Union institutions, bodies, offices and agencies for the purposes of accessing that service online, not later than six months after the list, including that scheme, is published.

Amendment  62

Proposal for a regulation

Article 6 – paragraph 1

Text proposed by the Commission

Amendment

1. Electronic identification schemes shall be eligible for notification pursuant to Article 7 if all the following conditions are met:

1. Electronic identification schemes shall be eligible for notification pursuant to Article 7 if all the following conditions are met:

(a) the electronic identification means are issued by, on behalf of or under the responsibility of the notifying Member State;

(a) the electronic authentication means are either issued by the Member State, or issued by another entity as mandated by the Member State or issued independently but recognised by the notifying Member State;

(b) the electronic identification means can be used to access at least public services requiring electronic identification in the notifying Member State;

(b) the electronic identification means under that scheme can be used to access at least one service provided by a public sector body requiring electronic identification in the notifying Member State;

 

(ba) the electronic identification scheme meets the requirements of the interoperability model under Article 8,

(c) the notifying Member State ensures that the person identification data are attributed unambiguously to the natural or legal person referred to in Article 3 point 1;

(c) the notifying Member State ensures that the person identification data are attributed to the natural or legal person as referred to in Article 3 point 1;

(d) the notifying Member State ensures the availability of an authentication possibility online, at any time and free of charge so that any relying party can validate the person identification data received in electronic form. Member States shall not impose any specific technical requirements on relying parties established outside of their territory intending to carry out such authentication. When either the notified identification scheme or authentication possibility is breached or partly compromised, Member States shall suspend or revoke without delay the notified identification scheme or authentication possibility or the compromised parts concerned and inform the other Member States and the Commission pursuant to Article 7;

(d) the notifying Member State ensures the availability of an authentication possibility online, at any time and, in the case of access to a service online provided by a public sector body, free of charge so that any relying party established outside the territory of that Member State can validate the person identification data received in electronic form. Member States shall not impose disproportionate technical requirements on relying parties established outside of their territory intending to carry out such authentication. When either the notified identification scheme or authentication possibility is breached or partly compromised, Member States shall suspend or revoke without delay the notified identification scheme or authentication possibility or the compromised parts concerned and inform the other Member States and the Commission pursuant to Article 7;

(e) the notifying Member State takes liability for:

(e) the notifying Member State takes liability for:

- (i) the unambiguous attribution of the person identification data referred to in point (c), and

- (i) the attribution of the person identification data referred to in point (c), and

- (ii) the authentication possibility specified in point (d).

- (ii) the authentication possibility specified in point (d).

Amendment  63

Proposal for a regulation

Article 7 – paragraphs 1 and 2

Text proposed by the Commission

Amendment

1. Member States which notify an electronic identification scheme shall forward to the Commission the following information and without undue delay, any subsequent changes thereof:

1. Member States which notify an electronic identification scheme shall forward to the Commission the following information and without undue delay, any subsequent changes thereof:

(a) a description of the notified electronic identification scheme;

(a) a description of the notified electronic identification scheme and its security assurance level;

(b) the authorities responsible for the notified electronic identification scheme;

(b) the authorities responsible for the notified electronic identification scheme;

(c) information on by whom the registration of the unambiguous person identifiers is managed;

(c) information on which entity or entities manage the registration of the appropriate attributes identifiers;

 

(ca) a description of how the requirements of the interoperability framework referred to in Article 8 are met;

(d) a description of the authentication possibility;

(d) a description of the authentication possibility and any technical requirements imposed on relying parties;

(e) arrangements for suspension or revocation of either the notified identification scheme or authentication possibility or the compromised parts concerned.

(e) arrangements for suspension or revocation of either the notified authentication scheme or the compromised parts concerned.

2. Six months after the entry into force of the Regulation, the Commission shall publish in the Official Journal of the European Union the list of the electronic identification schemes which were notified pursuant to paragraph 1 and the basic information thereon.

2. Six months after the entry into force of the Regulation, the Commission shall publish in the Official Journal of the European Union as well as on a publicly available website the list of the electronic identification schemes which were notified pursuant to paragraph 1 and the basic information thereon.

Amendment  64

Proposal for a regulation

Article 7 a (new)

Text proposed by the Commission

Amendment

 

Article 7a

 

Security breach

 

1. When either the electronic identification scheme notified pursuant to Article 7(1) or the authentication possibility referred to in point (d) of Article 6(1) is breached or partly compromised in a way that would affect the reliability of that scheme for cross-border transactions, the notifying Member State shall without undue delay suspend or revoke the cross-border function of that electronic identification scheme or that authentication possibility or the compromised parts concerned and inform other Member States and the Commission thereof.

 

2. When the breach or compromise referred to in paragraph 1 has been remedied, the notifying Member State shall re-establish the authentication and shall inform other Member States and the Commission as soon as possible.

 

3. If the breach or compromise referred to in paragraph 1 is not remedied within three months of the suspension or revocation, the notifying Member State shall notify the withdrawal of the electronic identification scheme to the other Member States and to the Commission. The Commission shall publish without undue delay in the Official Journal of the European Union the corresponding amendments to the list referred to in Article 7(2).

Amendment  65

Proposal for a regulation

Article 7 b (new)

Text proposed by the Commission

Amendment

 

Article 7b

 

Liability

 

1. The notifying Member State shall be liable with regard to electronic identification means issued by it or on its behalf for any direct damage caused by non-compliance with obligations under Article 6, unless it can show that it has not acted negligently.

 

2. The issuer of an electronic identification means recognized and notified by a Member State pursuant to the procedure referred to in Article 7 shall be liable for failure to ensure

 

– (i) the unambiguous attribution of the personal identification data, and

 

– (ii) the authentication possibility,

 

unless he can show that he has not acted negligently.

Justification

An important issue such as liability should, in analogy to the trust services section, be regulated separately from the notification procedure where it does not fit in. The proposed article takes account of both public as well as private e-ID schemes.

Amendment  66

Proposal for a regulation

Article 8

Text proposed by the Commission

Amendment

Coordination

Coordination and interoperability

1. Member States shall cooperate in order to ensure the interoperability of electronic identification means falling under a notified scheme and to enhance their security.

1. Member States shall cooperate in order to ensure the interoperability of electronic identification means. The interoperability between national electronic identification infrastructures shall be ensured through an interoperability model.

 

1a. The national electronic identification schemes notified pursuant to Article 7 shall be interoperable.

 

1b. The interoperability framework shall meet the following criteria:

 

(a) it shall be technology neutral and shall not discriminate between any specific national technical solutions for electronic identification within the Member State concerned;

 

(b) it shall facilitate the implementation of the principle of privacy by design.

 

1c. Member States and the Commission shall in particular prioritize interoperability for such e-services with the greatest cross-border relevance by:

 

(a) exchanging best practices concerning the electronic identification means falling within a notified scheme;

 

(b) providing and regularly updating best practices on trust and security of the electronic identification means;

 

(c) providing and regularly updating the promotion of the use of electronic identification means.

2. The Commission shall, by means of implementing acts, establish the necessary modalities to facilitate the cooperation between the Member States referred to in paragraph 1 with a view to fostering a high level of trust and security appropriate to the degree of risk. Those implementing acts shall concern, in particular, the exchange of information, experiences and good practice on electronic identification schemes, the peer review of notified electronic identification schemes and the examination of relevant developments arising in the electronic identification sector by the competent authorities of the Member States. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

2. The Commission shall, by means of implementing acts, establish the necessary modalities to facilitate the cooperation between the Member States referred to in paragraph 1 with a view to fostering a high level of trust and security appropriate to the degree of risk. Those implementing acts shall concern, in particular, the exchange of information, experiences and good practice on electronic identification schemes, the independent, third-party auditing of notified electronic identification schemes and the examination of relevant developments arising in the electronic identification sector by the competent authorities of the Member States. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the facilitation of cross border interoperability of electronic identification means by setting of minimum technical requirements.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the facilitation of cross border interoperability of electronic identification means by setting technologically neutral minimum requirements for the different security levels which shall not require changes to the fundamental design of national electronic identification schemes.

 

3a. With regard to the cross-border exchange of personal data necessary to ensure the interoperability of electronic identification means, the provisions of Article 11(2) shall apply mutatis mutandis.

Amendment  67

Proposal for a regulation

Article 9

Text proposed by the Commission

Amendment

1. A trust service provider shall be liable for any direct damage caused to any natural or legal person due to failure to comply with the obligations laid down in Article 15(1), unless the trust service provider can prove that he has not acted negligently.

1. A trust service provider shall be liable for direct damage caused to any natural or legal person due to failure to comply with the obligations laid down in Article 15(1), unless the trust service provider can prove that he has not acted negligently.

2. A qualified trust service provider shall be liable for any direct damage caused to any natural or legal person due to failure to meet the requirements laid down in this Regulation, in particular in Article 19, unless the qualified trust service provider can prove that he has not acted negligently.

2. A qualified trust service provider shall be liable for any direct damage caused to any natural or legal person due to failure to meet the requirements laid down in this Regulation, in particular in Article 19, unless the qualified trust service provider can prove that he has not acted negligently.

 

2a. The law applicable to trust services, particularly with regard to disputes, shall be that of the Member State in which the person receiving the service is established, unless otherwise agreed by both the service provider and the recipient.

Amendment  68

Proposal for a regulation

Article 10 – title

Text proposed by the Commission

Amendment

Trust services providers from third countries

Qualified trust services providers from third countries

Justification

As this article introduces only provisions covering qualified trust service providers, the title should be amended accordingly.

Amendment  69

Proposal for a regulation

Article 10 – paragraph 1

Text proposed by the Commission

Amendment

1. Qualified trust services and qualified certificates provided by qualified trust service providers established in a third country shall be accepted as qualified trust services and qualified certificates provided by a qualified trust service providers established in the territory of the Union if the qualified trust services or qualified certificates originating from the third country are recognised under an agreement between the Union and third countries or international organisations in accordance with Article 218 TFUE.

1. Qualified trust services and qualified certificates provided by qualified trust service providers established in a third country shall be accepted as qualified trust services and qualified certificates provided by a qualified trust service provider established in the territory of the Union if:

 

(a) the qualified trust service provider fulfils the requirements laid down in this Regulation and has been accredited under an accreditation scheme established in a Member State; or

 

(b) the qualified trust service provider established within the Union which fulfils the requirements laid down in this Regulation guarantees the compliance with the requirements laid down in this Regulation; or

 

(c) the qualified trust services or qualified certificates originating from a third country are recognised under an agreement between the Union and that third country or international organisation in accordance with Article 218 TFEU.

Amendment  70

Proposal for a regulation

Article 10 – paragraph 2

Text proposed by the Commission

Amendment

2. With reference to paragraph 1, such agreements shall ensure that the requirements applicable to qualified trust services and qualified certificates provided by qualified trust service providers established in the territory of the Union are met by the trust service providers in the third countries or international organisations, especially with regard to the protection of personal data, security and supervision.

2. With reference to paragraph 1, such agreements shall ensure that the requirements applicable to qualified trust services and qualified certificates provided by qualified trust service providers established in the territory of the Union are met by the trust service providers in the third countries or international organisations, especially the security of the trust services provided and the supervision of qualified trust service providers.

 

The third country in question shall afford adequate protection of personal data, in accordance with Article 25(2) of Directive 95/46/EC.

Justification

The rapporteur wishes to refer to the provision of EU personal data protection law which specifies that the adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations.

Amendment  71

Proposal for a regulation

Article 11

Text proposed by the Commission

Amendment

1. Trust service providers and supervisory bodies shall ensure fair and lawful processing in accordance with Directive 95/46/EC when processing personal data.

1. Trust service providers and supervisory bodies shall ensure fair and lawful processing in accordance with Directive 95/46/EC and applicable national law when processing personal data.

2. Trust service providers shall process personal data according to Directive 95/46/EC. Such processing shall be strictly limited to the minimum data needed to issue and maintain a certificate or to provide a trust service.

2. Trust service providers shall process personal data according to Directive 95/46/EC. Such processing shall be strictly limited to the minimum data needed to issue and maintain a certificate or to provide a trust service.

3. Trust service providers shall guarantee the confidentiality and integrity of data related to a person to whom the trust service is provided.

3. Trust service providers shall guarantee the confidentiality and integrity of data related to a person to whom the trust service is provided, in particular by ensuring that the data used for trust service generation cannot be tracked.

4. Without prejudice to the legal effect given to pseudonyms under national law, Member States shall not prevent trust service providers indicating in electronic signature certificates a pseudonym instead of the signatory’s name.

4. Without prejudice to the legal effect given to pseudonyms under national law, Member States shall not prevent trust service providers indicating in electronic signature certificates a pseudonym instead of the signatory’s name.

 

4a. Processing of personal data by or on behalf of the trust service provider, where strictly necessary to ensure network and information security for the purpose of complying with the requirements of Articles 11, 15, 16 and 19, shall be considered a legitimate interest within the meaning of point (f) of Article 7 of Directive 95/46/EC.

Amendment  72

Proposal for a regulation

Article 12

Text proposed by the Commission

Amendment

Trust services provided and end user products used in the provision of those services shall be made accessible for persons with disabilities whenever possible.

Trust services provided and end user products used in the provision of those services shall be made accessible for persons with disabilities in accordance with Union law.

Amendment  73

Proposal for a regulation

Article 12 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

1a. The Commission shall establish and award trust marks to distinguish products and services accessible for persons with disabilities.

Amendment  74

Proposal for a regulation

Article 12 – paragraph 1 b (new)

Text proposed by the Commission

Amendment

 

1b. Union standards organizations are responsible for the development of assessment criteria for products and services accessible for persons with disabilities.

Amendment  75

Proposal for a regulation

Article 13

Text proposed by the Commission

Amendment

1. Member States shall designate an appropriate body established in their territory or, upon mutual agreement, in another Member State under the responsibility of the designating Member State. Supervisory bodies shall be given all supervisory and investigatory powers that are necessary for the exercise of their tasks.

1. Member States shall designate a supervisory body established in their territory or, upon mutual agreement, in another Member State under the responsibility of the designating Member State. The name and address of the supervisory body shall be communicated to the Commission. Supervisory bodies shall be given adequate resources and powers necessary for the exercise of their tasks.

2. The supervisory body shall be responsible for the performance of the following tasks:

2. The supervisory body shall perform the following tasks:

(a) monitoring trust service providers established in the territory of the designating Member State to ensure that they fulfil the requirements laid down in Article 15;

(a) supervising trust service providers and qualified trust service providers established in the territory of the designating Member State in order to ensure that they meet the requirements laid down in this Regulation;

(b) undertaking supervision of qualified trust service providers established in the territory of the designating Member State and of the qualified trust services they provide in order to ensure that they and the qualified trust services provided by them meet the applicable requirements laid down in this Regulation;

 

(c) ensuring that relevant information and data referred to in point (g) of Article 19(2), and recorded by qualified trust service providers are preserved and kept accessible after the activities of a qualified trust service provider have ceased, for an appropriate time with a view to guaranteeing continuity of the service.

(c) ensuring that relevant information and data referred to in point (g) of Article 19(2), and recorded by qualified trust service providers are preserved and kept accessible after the activities of a qualified trust service provider have ceased, for an appropriate time, in particular taking into account the validity period of the services, with a view to guaranteeing continuity of the service.

3. Each supervisory body shall submit a yearly report on the last calendar year's supervisory activities to the Commission and Member States by the end of the first quarter of the following year. It shall include at least:

3. Each supervisory body shall make publicly available a yearly report on the last calendar year's supervisory activities by the end of the first quarter of the following year. It shall include at least:

(a) information on its supervisory activities;

(a) information on its supervisory activities;

(b) a summary of breach notifications received from trust service providers in accordance with Article 15(2);

(b) a summary of all breach notifications received from trust service providers in accordance with Article 15(2);

(c) statistics on the market and usage of qualified trust services, including information on qualified trust service providers themselves, the qualified trust services they provide, the products they use and the general description of their customers.

 

4. Member States shall notify to the Commission and other Member States the names and the addresses of their respective designated supervisory bodies.

 

5. The Commission shall be empowered to adopt delegated acts, in accordance with Article 38, concerning the definition of procedures applicable to the tasks referred to in paragraph 2.

 

6. The Commission may, by means of implementing acts, define the circumstances, formats and procedures for the report referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

6. The Commission may, by means of implementing acts, define the formats for the report referred to in paragraph 3. The Commission shall ensure that stakeholder input is duly taken into account. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Amendment  76

Proposal for a regulation

Article 13 a (new)

Text proposed by the Commission

Amendment

 

Article 13a

 

Cooperation with data protection authorities

 

Member States shall provide that the supervisory bodies referred to in Article 13 shall cooperate with Member States' data protection authorities designated pursuant to Article 28 of Directive 95/46/EC in order to enable them to ensure compliance with national data protection rules adopted pursuant to Directive 95/46/EC.

Amendment  77

Proposal for a regulation

Article 14

Text proposed by the Commission

Amendment

1. Supervisory bodies shall cooperate with a view to exchange good practice and provide each other, within the shortest possible time, with relevant information and mutual assistance so that activities can be carried out in a consistent manner. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out inspections related to the security audits as referred to in Articles 15, 16 and 17.

1. Supervisory bodies shall cooperate with a view to exchanging good practice. They shall provide each other, within the shortest possible time, with relevant information, and upon justified requests, provide each other with mutual assistance so that activities can be carried out in a consistent manner. Requests for mutual assistance may cover, in particular, information requests and supervisory measures, such as requests to carry out inspections related to the security audits as referred to in Articles 15, 16 and 17.

2. A supervisory body to which a request for assistance is addressed may not refuse to comply with it unless:

2. A supervisory body to which a request for assistance is addressed may refuse that request under any of the following conditions:

(a) it is not competent to deal with the request; or

(a) the supervisory body is not competent to deal with the request; or

(b) compliance with the request would be incompatible with this Regulation.

(b) if the requested assistance would go beyond the tasks and powers of the supervisory body set out in this Regulation and applicable legislation.

3. Where appropriate, supervisory bodies may carry out joint investigations in which staff from other Member States’ supervisory bodies is involved.

3. Where appropriate, supervisory bodies may carry out joint actions.

The supervisory body of the Member State where the investigation is to take place, in compliance with its own national law, may devolve investigative tasks to the assisted supervisory body’s staff. Such powers may be exercised only under the guidance and in the presence of staff from the host supervisory body. The assisted supervisory body’s staff shall be subject to the host supervisory body’s national law. The host supervisory body shall assume responsibility for the assisted supervisory body staff’s actions.

The supervisory body of the Member State where the investigation is to take place, in compliance with its own national law, may devolve investigative tasks to the assisted supervisory body’s staff. Such powers may be exercised only under the guidance and in the presence of staff from the host supervisory body. The assisted supervisory body’s staff shall be subject to the host supervisory body’s national law. The host supervisory body shall assume responsibility for the assisted supervisory body staff’s actions.

4. The Commission may, by means of implementing acts, specify the formats and procedures for the mutual assistance provided for in this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

 

Amendment  78

Proposal for a regulation

Article 15

Text proposed by the Commission

Amendment

1. Trust service providers who are established in the territory of the Union shall take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide. Having regard to state of the art, these measures shall ensure that the level of security is appropriate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of adverse effects of any incidents.

1. Trust service providers who are established in the territory of the Union shall take appropriate technical and organisational measures in accordance with existing industry best practice to manage the risks posed to the security and resilience of the trust services they provide. Having regard to technological developments, these measures shall fully respect data protection rights and ensure a level of security appropriate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of adverse effects of any incidents. Trust service providers shall also take appropriate measures to remedy any new security risks and restore the normal security level of the service.

Without prejudice to Article 16(1), any trust service provider may submit the report of a security audit carried out by a recognised independent body to the supervisory body to confirm that appropriate security measures have been taken.

Without prejudice to Article 16(1), any trust service provider shall, without undue delay and not later than six months following the commencement of its activities, submit the report of a compliance audit carried out by an independent body whose competence to carry out the audit has been demonstrated to confirm that appropriate security measures have been taken.

2. Trust service providers shall, without undue delay and where feasible not later than 24 hours after having become aware of it, notify the competent supervisory body, the competent national body for information security and other relevant third parties such as data protection authorities of any breach of security or loss of integrity that has a significant impact on the trust service provided and on the personal data maintained therein.

2. Trust service providers shall without undue delay and where feasible not later than 24 hours after having become aware of it, notify the competent supervisory body and, where appropriate, other relevant bodies such as the competent national body for information security or the data protection authorities of any breach of security or loss of integrity that has a significant impact on the trust service provided and on the personal data maintained therein. Where such notification cannot be made within 24 hours, an explanation of the reasons for the delay should accompany the notification.

Where appropriate, in particular if a breach of security or loss of integrity concerns two or more Member States, the supervisory body concerned shall inform supervisory bodies in other Member States and the European Network and Information Security Agency (ENISA).

Where appropriate, in particular if a breach of security or loss of integrity concerns two or more Member States, the supervisory body concerned shall inform supervisory bodies in those Member States and the European Network and Information Security Agency (ENISA).

The supervisory body concerned may also inform the public or require the trust service provider to do so, where it determines that disclosure of the breach is in the public interest.

The supervisory body concerned, in consultation with the trust service provider, shall inform the public or require the trust service provider to do so, where it determines that disclosure of the breach is in the public interest in order to allow them to take the necessary precautions. Publication shall normally be as soon as reasonably practicable; however the trust service provider may request a delay so that vulnerabilities can be remedied. If the supervisory body grants that request, it may be for no longer than 45 days.

3. The supervisory body shall provide to ENISA and to the Commission once a year with a summary of breach notifications received from trust service providers.

3. The supervisory body shall provide to the European Network and Information Security Agency (ENISA) and to the Commission once a year with a summary of breach notifications received from trust service providers.

4. In order to implement paragraphs 1 and 2, the competent supervisory body shall have the power to issue binding instructions to trust service providers.

4. In order to implement paragraphs 1 and 2, the competent supervisory body shall have the power to issue binding instructions to trust service providers. The supervisory body shall coordinate these binding instructions with other relevant regulatory bodies that supervise the trust service provider's activities other than the trust service provision. All such instructions shall be published.

5. The Commission shall be empowered to adopt delegated acts, in accordance with Article 38, concerning the further specification of the measures referred to in paragraph 1.

 

6. The Commission may, by means of implementing acts, define the circumstances, formats and procedures, including deadlines, applicable for the purpose of paragraphs 1 to 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

6. The Commission may, by means of implementing acts, define the further specification of the measures referred to in paragraph 1 and formats applicable for the purpose of paragraphs 1 to 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Amendment  79

Proposal for a regulation

Article 16

Text proposed by the Commission

Amendment

1. Qualified trust service providers shall be audited by a recognised independent body once a year to confirm that they and the qualified trust services provided by them fulfil the requirements set out in this Regulation, and shall submit the resulting security audit report to the supervisory body.

1. Qualified trust service providers shall be audited annually by an independent body whose competence to carry out the audit has been demonstrated to confirm that they and the qualified trust services provided by them fulfil the requirements set out in this Regulation, and shall submit the resulting compliance audit report to the supervisory body. Such audit shall also be carried out following any significant technological or organizational changes. If, after three years, the annual audit reports raise no concerns, the audits referred to in this paragraph shall be carried out every two years only.

2. Without prejudice to paragraph 1, the supervisory body may at any time audit the qualified trust service providers to confirm that they and the qualified trust services provided by them still meet the conditions set out in this Regulation, either on its own initiative or in response to a request from the Commission. The supervisory body shall inform the data protection authorities of the results of its audits, in case personal data protection rules appear to have been breached.

2. Without prejudice to paragraph 1, the supervisory body may at any time audit the qualified trust service providers to confirm that they and the qualified trust services provided by them meet the conditions set out in this Regulation. Where personal data protection rules as set out in Directive 95/46/EC appear to have been breached, the supervisory body shall inform the data protection authorities of the results of its audits.

3. The supervisory body shall have the power to issue binding instructions to qualified trust service providers to remedy any failure to fulfil the requirements indicated in the security audit report.

3. The supervisory body shall have the power to issue binding instructions to qualified trust service providers to remedy any failure to fulfil the requirements set out in this Regulation.

4. With reference to paragraph 3, if the qualified trust service provider does not remedy any such failure within a time limit set by the supervisory body, it shall lose its qualified status and be informed by the supervisory body that its status will be changed accordingly in the trusted lists referred to in Article 18.

4. With reference to paragraph 3, if the qualified trust service provider does not remedy any such failure within a time limit and in accordance with the procedure specified set by the supervisory body, it shall lose its qualified status and be informed by the supervisory body that its status will be changed accordingly in the trusted lists referred to in Article 18.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the specification of the conditions under which the independent body carrying out the audit referred to in paragraph 1 of this Article and in Article 15(1) and in Article 17(1) shall be recognised.

 

6. The Commission may, by means of implementing acts, define the circumstances, procedures and formats applicable for the purpose of paragraphs 1, 2 and 4. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

6. The Commission may, by means of implementing acts, define the formats applicable for the purpose of paragraphs 1, 2 and 4. The Commission shall ensure that stakeholder input is duly taken into account, in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Amendment  80

Proposal for a regulation

Article 16 a (new)

Text proposed by the Commission

Amendment

 

Article 16a

 

Supervision of trust service providers

 

In order to facilitate supervision by the supervisory body referred to in point (a) of Article 13(2), trust service providers shall notify the supervisory body of their intention to start offering a trust service and shall inform it of the technical and organisational measures they have taken to manage the risks linked to the security of the trust services they provide in accordance with Article 15(1).

Justification

Correction by the rapporteur to Amendment 35, in which the word ‘qualified’ was written by mistake. Justification for Amendment 35: the rapporteur wishes to introduce this new article in order to facilitate the work of the supervisory body in respect of trust service providers (meaning non-qualified trust service providers) and to guarantee a minimum legal value for non-qualified trust services.

Amendment  81

Proposal for a regulation

Article 17

Text proposed by the Commission

Amendment

1. Qualified trust service providers shall notify the supervisory body of their intention to start providing a qualified trust service and shall submit to the supervisory body a security audit report carried out by a recognised independent body, as provided for in Article 16(1). Qualified trust service providers may start to provide the qualified trust service after they have submitted the notification and security audit report to the supervisory body.

1. Qualified trust service providers shall notify the supervisory body of their intention to provide a qualified trust service and shall submit to the supervisory body a security audit report carried out by an independent body whose competence to carry out the audit has been demonstrated, as provided for in Article 16(1). Qualified trust service providers may start to provide the qualified trust service after they have submitted the security audit report to the supervisory body, and only once they have obtained the qualified status.

2. Once the relevant documents are submitted to the supervisory body according to paragraph 1, the qualified service providers shall be included in the trusted lists referred to in Article 18 indicating that the notification has been submitted.

2. Once the relevant documents are submitted to the supervisory body according to paragraph 1 and the supervisory body confirms compliance, the qualified service providers shall be included in the trusted lists referred to in Article 18 indicating that the qualified status has been confirmed.

3. The supervisory body shall verify the compliance of the qualified trust service provider and of the qualified trust services provided by it with the requirements of the Regulation.

3. The supervisory body shall verify the compliance of the qualified trust service provider and of the qualified trust services provided by it with the requirements of the Regulation.

The supervisory body shall indicate the qualified status of the qualified service providers and the qualified trust services they provide in the trusted lists after the positive conclusion of the verification, not later than one month after the notification has been done in accordance with paragraph 1.

The supervisory body shall indicate the qualified status of the qualified service providers and the qualified trust services they provide in the trusted lists after the positive conclusion of the verification process without undue delay and not later than one month after such conclusion.

If the verification is not concluded within one month, the supervisory body shall inform the qualified trust service provider specifying the reasons of the delay and the period by which the verification shall be concluded.

If the verification is not concluded within one month, the supervisory body shall inform the qualified trust service provider specifying the reasons of the delay and the period by which the verification shall be concluded. Provided that the trust service provider has supplied the relevant documents, the verification may not exceed three months.

4. A qualified trust service which has been subject to the notification referred to in paragraph 1 cannot be refused for the fulfilment of an administrative procedure or formality by the concerned public sector body for not being included in the lists referred to in paragraph 3.

 

5. The Commission may, by means of implementing acts, define the circumstances, formats and procedures for the purpose of paragraphs 1, 2 and 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

5. The Commission may, by means of implementing acts, define the formats for the purpose of paragraphs 1, 2 and 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Amendment  82

Proposal for a regulation

Article 18

Text proposed by the Commission

Amendment

1. Each Member State shall establish, maintain and publish trusted lists with information related to the qualified trust service providers for which it is competent together with information related to the qualified trust services provided by them.

1. Each Member State shall establish, maintain and publish trusted lists with information related to the qualified trust service providers for which it is competent together with information related to the qualified trust services provided by them.

2. Member States shall establish, maintain and publish, in a secure manner, electronically signed or sealed trusted lists provided for in paragraph 1 in a form suitable for automated processing.

2. Member States shall establish, maintain and publish, in a secure manner, electronically signed or sealed trusted lists provided for in paragraph 1 in a form suitable for automated processing of both the list itself and the individual certificates.

3. Member States shall notify to the Commission, without undue delay, information on the body responsible for establishing, maintaining and publishing national trusted lists, and details of where such lists are published, the certificate used to sign or seal the trusted lists and any changes thereto.

3. Member States shall notify to the Commission, without undue delay, information on the body responsible for establishing, maintaining and publishing national trusted lists, and details of where such lists are published, the certificate used to sign or seal the trusted lists and any changes thereto.

4. The Commission shall make available to the public, through a secure channel, the information, referred to in paragraph 3 in electronically signed or sealed form suitable for automated processing.

4. The Commission shall make available to the public, through a secure channel, the information, referred to in paragraph 3 in electronically signed or sealed form suitable for automated processing.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of the information referred to in paragraph 1.

 

6. The Commission may, by means of implementing acts, define the technical specifications and formats for trusted lists applicable for the purposes of paragraphs 1 to 4. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

6. The Commission may, by means of implementing acts, specify the information referred to in paragraph 1 and define the technical specifications and formats for trusted lists applicable for the purposes of paragraphs 1 to 4. The Commission shall ensure that stakeholder input is duly taken into account, in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Amendment  83

Proposal for a regulation

Article 18 a (new)

Text proposed by the Commission

Amendment

 

Article 18a

 

EU trustmark for qualified trust services

 

1. Qualified trust service providers may use an EU trustmark to present and advertise the qualified trust services which they offer that meet the requirements laid down in this Regulation.

 

2. By using the EU trustmark for the qualified trust services referred to in paragraph 1, qualified trust service providers shall be responsible for ensuring that the services meet all applicable requirements laid down in this Regulation.

 

3. By means of implementing acts, the Commission shall lay down specific, binding criteria relating to the presentation, composition, size and design of the EU trustmark for qualified trust services. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Justification

Parliament called for the creation of a trustmark in its resolution of 11 December 2012 on completing the Digital Single Market. Its aim in doing so was to boost users’ confidence online by creating an easily recognisable European label. Bearing in mind the aim of making trust services more secure online, qualified trust service providers who meet the requirements, especially those laid down in Article 19, should be able to benefit from this label and enjoy added value in e-commerce.

Amendment  84

Proposal for a regulation

Article 19

Text proposed by the Commission

Amendment

1. When issuing a qualified certificate, a qualified trust service provider shall verify, by appropriate means and in accordance with national law, the identity and, if applicable, any specific attributes of the natural or legal person to whom a qualified certificate is issued.

1. When issuing a qualified certificate, a qualified trust service provider shall verify, by appropriate means and in accordance with national law, the identity and, if applicable, any specific attributes of the natural or legal person to whom a qualified certificate is issued.

Such information shall be verified by the qualified service provider or by an authorised third party acting under the responsibility of the qualified service provider:

Such information shall be verified by the qualified service provider or by an authorised third party acting under the responsibility of the qualified service provider:

(a) by a physical appearance of the natural person or of an authorised representative of the legal person, or

(a) by a physical appearance of the natural person or of an authorised representative of the legal person, or

(b) remotely, using electronic identification means under a notified scheme issued in compliance with point (a).

(b) remotely, using electronic identification means under a notified scheme issued in compliance with point (a).

2. Qualified trust service providers providing qualified trust services shall:

2. Qualified trust service providers providing qualified trust services shall:

(a) employ staff who possess the necessary expertise, experience, and qualifications and apply administrative and management procedures which correspond to European or international standards and have received appropriate training regarding security and personal data protection rules;

(a) employ staff who possess the necessary expertise, experience, and qualifications and apply administrative and management procedures which correspond to European or international standards and have received appropriate training regarding security and personal data protection rules;

(b) bear the risk of liability for damages by maintaining sufficient financial resources or by an appropriate liability insurance scheme;

(b) bear the risk of liability for damages by maintaining sufficient financial resources or by an appropriate liability insurance scheme;

(c) before entering into a contractual relationship, inform any person seeking to use a qualified trust service of the precise terms and conditions regarding the use of that service;

(c) before entering into a contractual relationship, inform any person seeking to use a qualified trust service of the precise terms and conditions regarding the use of that service as well as the limitations of liability, in a clear and transparent manner;

(d) use trustworthy systems and products which are protected against modification and guarantee the technical security and reliability of the process supported by them;

(d) use systems and products which are protected against unauthorized modification and guarantee the technical security and reliability of the process supported by them;

(e) use trustworthy systems to store data provided to them, in a verifiable form so that:

(e) use systems to store data provided to them, in a verifiable form so that:

– they are publicly available for retrieval only where the consent of the person to whom the data has been issued has been obtained,

– they are publicly available for retrieval only where national or Union law allows for this and where the consent of the person to whom the data has been issued has been obtained,

– only authorised persons can make entries and changes,

– only authorised persons can make entries and changes,

– information can be checked for authenticity;

– information can be checked for authenticity;

(f) take measures against forgery and theft of data;

(f) take measures against forgery and theft of data;

(g) record for an appropriate period of time all relevant information concerning data issued and received by the qualified trust service provider, in particular for the purpose of providing evidence in legal proceedings. Such recording may be done electronically;

(g) record for an appropriate period of time, regardless of whether the qualified trust service provider has ceased to provide qualified trust services, relevant information concerning data issued and received by the qualified trust service provider, in particular for the purpose of providing evidence in legal proceedings. The retention of this information shall be strictly limited to the time period necessary. Such recording may be done electronically;

(h) have an up-to-date termination plan to ensure continuity of service in accordance with arrangements issued by the supervisory body under point (c) of Article 13(2);

(h) have an up-to-date termination plan to ensure continuity of service in accordance with arrangements issued by the supervisory body under point (c) of Article 13(2);

(i) ensure lawful processing of personal data in accordance with Article 11.

(i) ensure lawful processing of personal data in accordance with Article 11.

3. Qualified trust service providers issuing qualified certificates shall register in their certificate database the revocation of the certificate within ten minutes after such revocation has taken effect.

3. Qualified trust service providers issuing qualified certificates shall register in their certificate database the revocation of the certificate without undue delay.

4. With regard to paragraph 3, qualified trust service providers issuing qualified certificates shall provide to any relying party information on the validity or revocation status of qualified certificates issued by them. This information shall be made available at any time at least on a certificate basis in an automated manner which is reliable, free of charge and efficient.

4. With regard to paragraph 3, qualified trust service providers issuing qualified certificates shall provide to any relying party information on the validity or revocation status of qualified certificates issued by them. This information shall be made available at any time at least on a certificate basis in an automated manner.

5. The Commission may, by means of implementing acts, establish reference numbers of standards for trustworthy systems and products. Compliance with the requirements laid down in Article 19 shall be presumed where trustworthy systems and products meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

5. The Commission may, by means of implementing acts, establish reference numbers of standards for systems and products. The Commission shall ensure that stakeholder input is duly taken into account, in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the requirements laid down in Article 19 shall be achieved through the compliance of systems and products with those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Amendment  85

Proposal for a regulation

Article 20 – paragraph 1

Text proposed by the Commission

Amendment

1. An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form.

1. An electronic signature shall have legal effect and may be admissible as evidence in legal proceedings. It shall be presumed that the qualified electronic signature offers a higher level of security than other types of electronic signatures.

Justification

Given the difficulties in translating the French version of the Rapporteur's amendment 43 into English, the Rapporteur decided to table a new amendment in English to rephrase this paragraph.

Amendment  86

Proposal for a regulation

Article 20 – paragraph 2

Text proposed by the Commission

Amendment

2. A qualified electronic signature shall have the equivalent legal effect of a handwritten signature.

2. A qualified electronic signature shall satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data.

Justification

The wording of Directive 1999/93/EC appears to better take into account different national forms and procedural requirements.

Amendment  87

Proposal for a regulation

Article 20 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

 

2a. A valid qualified electronic signature shall serve as prima facie evidence of the authenticity and integrity of the electronic document associated with it.

Justification

The term ‘valid’ refers to Article 25(1) of the proposal for a regulation. Only if a signature has been positively validated can it have a specific evidentiary value.

Amendment  88

Proposal for a regulation

Article 20 – paragraph 3

Text proposed by the Commission

Amendment

3. Qualified electronic signatures shall be recognised and accepted in all Member States.

3. Qualified electronic signatures shall be recognised and accepted in Member States and Union institutions.

Amendment  89

Proposal for a regulation

Article 20 – paragraph 4

Text proposed by the Commission

Amendment

4. If an electronic signature with a security assurance level below qualified electronic signature is required, in particular by a Member State for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic signatures matching at least the same security assurance level shall be recognised and accepted.

4. If an electronic signature with a security assurance level below qualified electronic signature is required, by a Member State or by institutions, bodies, offices and agencies of the Union for completing a transaction offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic signatures matching at least the same security assurance level shall be recognised and accepted for access to that online service.

Amendment  90

Proposal for a regulation

Article 20 – paragraph 5

Text proposed by the Commission

Amendment

5. Member States shall not request for cross-border access to a service online offered by a public sector body an electronic signature at a higher security assurance level than qualified electronic signature.

5. Member States shall not request for cross-border access to a service online offered by a public sector body an electronic signature at a higher security level than qualified electronic signature.

Justification

The word ‘assurance’ is superfluous here.

Amendment  91

Proposal for a regulation

Article 20 – paragraph 6

Text proposed by the Commission

Amendment

6. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of the different security levels of electronic signature referred to in paragraph 4.

deleted

Justification

As the definition of the different security levels of electronic signature is a key element of the Regulation, the rapporteur takes the view that decisions on this matter should not be taken by means of delegated acts.

Amendment  92

Proposal for a regulation

Article 20 – paragraph 7

Text proposed by the Commission

Amendment

7. The Commission may, by means of implementing acts, establish reference numbers of standards for the security levels of electronic signature. Compliance with the security level defined in a delegated act adopted pursuant to paragraph 6 shall be presumed when an electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

7. The Commission may, by means of implementing acts, establish reference numbers of standards for the security levels of electronic signature. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the security level defined in a delegated act adopted pursuant to paragraph 6 shall be presumed when an electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Justification

This modification is relevant for each article throughout the text which mentions the use of standards.

Amendment  93

Proposal for a regulation

Article 21 – paragraph 4

Text proposed by the Commission

Amendment

4. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the further specification of the requirements laid down in Annex I.

deleted

Justification

An implementing act appears more appropriate, therefore it has been merged with the following paragraph.

Amendment  94

Proposal for a regulation

Article 21 – paragraph 5

Text proposed by the Commission

Amendment

5. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for electronic signature. Compliance with the requirements laid down in Annex I shall be presumed where a qualified certificate for electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

5. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for electronic signature. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the requirements laid down in Annex I shall be presumed where a qualified certificate for electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Justification

This modification is relevant for each article throughout the text which mentions the use of standards.

Amendment  95

Proposal for a regulation

Article 22 – paragraph 2

Text proposed by the Commission

Amendment

2. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified electronic signature creation devices. Compliance with the requirements laid down in Annex II shall be presumed where a qualified electronic signature creation device meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

2. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified electronic signature creation devices. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the requirements laid down in Annex II shall be presumed where a qualified electronic signature creation device meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Amendment  96

Proposal for a regulation

Article 23

Text proposed by the Commission

Amendment

1. Qualified electronic signature creation devices may be certified by appropriate public or private bodies designated by Member States provided that they have been submitted to a security evaluation process carried out in accordance with one of the standards for the security assessment of information technology products included in a list that shall be established by the Commission by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

1. Qualified electronic signature creation devices shall be certified by appropriate public or private bodies designated by Member States provided that they have been submitted to a security evaluation process carried out in accordance with one of the standards for the security assessment of information technology products included in a list that shall be established by the Commission by means of implementing acts. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

2. Member States shall notify to the Commission and other Member States the names and addresses of the public or private body designated by them as referred to in paragraph 1.

2. Member States shall notify to the Commission and other Member States the names and addresses of the public or private body designated by them as referred to in paragraph 1.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the establishment of specific criteria to be met by the designated bodies referred to in paragraph 1.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the establishment of specific criteria to be met by the designated bodies referred to in paragraph 1 for the purpose of carrying out the certification under paragraph 1.

Justification

In accordance with Article 290 TFEU, the objectives, content, scope and duration of the delegation of power shall be explicitly defined in the legislative acts. The amendment adds a necessary clarification to the delegation.

Amendment  97

Proposal for a regulation

Article 24 – paragraph 3

Text proposed by the Commission

Amendment

3. The Commission may, by means of implementing acts, define circumstances, formats and procedures applicable for the purpose of paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

3. The Commission may, by means of implementing acts, define formats and procedures applicable for the purpose of paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Amendment  98

Proposal for a regulation

Article 25 – paragraph 3

Text proposed by the Commission

Amendment

3. The Commission may, by means of implementing acts, establish reference numbers of standards for the validation of qualified electronic signatures. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation of qualified electronic signatures meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

3. The Commission may, by means of implementing acts, establish reference numbers of standards for the validation of qualified electronic signatures. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation of qualified electronic signatures meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Amendment  99

Proposal for a regulation

Article 26 – paragraph 2

Text proposed by the Commission

Amendment

2. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified validation service referred to in paragraph 1. Compliance with the requirements laid down in point (b) of paragraph 1 shall be presumed where the validation service for qualified electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

2. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified validation service referred to in paragraph 1. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the requirements laid down in point (b) of paragraph 1 shall be presumed where the validation service for qualified electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Amendment  100

Proposal for a regulation

Article 27 – paragraph 3

Text proposed by the Commission

Amendment

3. The Commission may, by means of implementing acts, establish reference numbers of standards for the preservation of qualified electronic signatures. Compliance with the requirements laid down in paragraph 1 shall be presumed where the arrangements for the preservation of qualified electronic signatures meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

3. The Commission may, by means of implementing acts, establish reference numbers of standards for the preservation of qualified electronic signatures. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the requirements laid down in paragraph 1 shall be presumed where the arrangements for the preservation of qualified electronic signatures meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Amendment  101

Proposal for a regulation

Article 28 – paragraph 2

Text proposed by the Commission

Amendment

2. A qualified electronic seal shall enjoy the legal presumption of ensuring the origin and integrity of the data to which it is linked.

2. A valid qualified electronic seal shall serve at least as prima facie evidence for the authenticity and integrity of the electronic document associated with it. This shall be without prejudice to national law on powers of attorney and representation.

Amendment  102

Proposal for a regulation

Article 28 – paragraph 3

Text proposed by the Commission

Amendment

3. A qualified electronic seal shall be recognised and accepted in all Member States.

3. A qualified electronic seal shall be recognised in all Member States.

Justification

The difference between "recognised" and "accepted" is unclear. This paragraph is, in contrast to the corresponding provisions on electronic signatures, not deleted as the concept of an (electronic) seal does not exist in all Member States.

Amendment  103

Proposal for a regulation

Article 28 – paragraph 4

Text proposed by the Commission

Amendment

4. If an electronic seal security assurance level below the qualified electronic seal is required, in particular by a Member State for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic seals matching at a minimum the same security assurance level shall be accepted.

4. If an electronic seal security level below the qualified electronic seal is required, in particular by a Member State for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic seals matching at a minimum the same security assurance level shall be accepted for the purpose of access to that online service.

Justification

The word ‘assurance’ is superfluous here.

Amendment  104

Proposal for a regulation

Article 28 – paragraph 5

Text proposed by the Commission

Amendment

5. Member States shall not request for accessing a service online offered by a public sector body an electronic seal with higher security assurance level than qualified electronic seals.

5. Member States shall not request for cross-border access to a service online offered by a public sector body an electronic seal with higher security level than qualified electronic seals.

Justification

The word ‘assurance’ is superfluous here.

Amendment  105

Proposal for a regulation

Article 28 – paragraph 6

Text proposed by the Commission

Amendment

6. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of different security assurance levels of electronic seals referred to in paragraph 4.

deleted

Justification

As the definition of the different security levels of electronic seals is a key element of the Regulation, the rapporteur takes the view that decisions on this matter should not be taken by means of delegated acts.

Amendment  106

Proposal for a regulation

Article 28 – paragraph 7

Text proposed by the Commission

Amendment

7. The Commission may, by means of implementing acts, establish reference numbers of standards for the security assurance levels of electronic seals. Compliance with the security assurance level defined in a delegated act adopted pursuant to paragraph 6 shall be presumed when an electronic seal meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

7. The Commission may, by means of implementing acts, establish reference numbers of standards for the security assurance levels of electronic seals. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the security assurance level defined in a delegated act adopted pursuant to paragraph 6 shall be presumed when an electronic seal meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Justification

This modification is relevant for each article throughout the text which mentions the use of standards.

Amendment  107

Proposal for a regulation

Article 29 – paragraph 2

Text proposed by the Commission

Amendment

2. Qualified certificates for electronic seal shall not be subject to any mandatory requirements exceeding the requirements laid down in Annex III.

2. Qualified certificates for electronic seal for cross-border use shall not be subject to any mandatory requirements exceeding the requirements laid down in Annex III.

Amendment  108

Proposal for a regulation

Article 29 – paragraph 5

Text proposed by the Commission

Amendment

5. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for electronic seal. Compliance with the requirements laid down in Annex III shall be presumed where a qualified certificate for electronic seal meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

5. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for electronic seal. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the requirements laid down in Annex III shall be presumed where a qualified certificate for electronic seal meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Amendment  109

Proposal for a regulation

Article 30 – paragraph 1

Text proposed by the Commission

Amendment

1. Article 22 shall apply mutatis mutandis to requirements for qualified electronic seal creation devices.

1. Article 22 shall apply mutatis mutandis to requirements for qualified electronic seal and/or stamp creation devices.

Amendment  110

Proposal for a regulation

Article 30 – paragraph 2

Text proposed by the Commission

Amendment

2. Article 23 shall apply mutatis mutandis to the certification of qualified electronic seal creation devices.

2. Article 23 shall apply mutatis mutandis to the certification of qualified electronic seal and/or stamp creation devices.

Amendment  111

Proposal for a regulation

Article 30 – paragraph 3

Text proposed by the Commission

Amendment

3. Article 24 shall apply mutatis mutandis to the publication of a list of certified qualified electronic seal creation devices.

3. Article 24 shall apply mutatis mutandis to the publication of a list of certified qualified electronic seal and/or stamp creation devices.

Amendment  112

Proposal for a regulation

Article 31

Text proposed by the Commission

Amendment

Articles 25, 26 and 27 shall apply mutatis mutandis to the validation and preservation of qualified electronic seals.

Articles 25, 26 and 27 shall apply mutatis mutandis to the validation and preservation of qualified electronic seals and/or stamps.

Amendment  113

Proposal for a regulation

Article 32 – paragraph 2

Text proposed by the Commission

Amendment

2. Qualified electronic time stamp shall enjoy a legal presumption of ensuring the time it indicates and the integrity of the data to which the time is bound.

2. A qualified electronic time stamp shall constitute at least prima facie evidence of the correctness of the time it indicates and the integrity of the document with which it is associated.

Amendment  114

Proposal for a regulation

Article 33

Text proposed by the Commission

Amendment

1. A qualified electronic time stamp shall meet the following requirements:

1. A qualified electronic time stamp shall meet the following requirements:

(a) it is accurately linked to Coordinated Universal Time (UTC) in such a manner as to preclude any possibility of the data being changed undetectably;

(a) it is accurately linked to Coordinated Universal Time (UTC) in such a manner as to preclude any possibility of the data being changed undetectably;

(b) it is based on an accurate time source;

(b) it is based on an accurate time source;

(c) it is issued by a qualified trust service provider;

(c) it is issued by a qualified trust service provider;

(d) it is signed using an advanced electronic signature or an advanced electronic seal of the qualified trust service provider, or by some equivalent method.

(d) it is signed using an advanced electronic signature or an advanced electronic seal of the qualified trust service provider.

2. The Commission may, by means of implementing acts, establish reference numbers of standards for the accurate linkage of time to data and an accurate time source. Compliance with the requirements laid down in paragraph 1 shall be presumed where an accurate linkage of time to data and an accurate time source meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

2. The Commission may, by means of implementing acts, establish reference numbers of standards for the accurate linkage of time to data and an accurate time source. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the requirements laid down in paragraph 1 shall be presumed where an accurate linkage of time to data and an accurate time source meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

The Commission shall publish those acts in the Official Journal of the European Union.

The Commission shall publish those acts in the Official Journal of the European Union.

Amendment  115

Proposal for a regulation

Article 34 – paragraph 2

Text proposed by the Commission

Amendment

2. A document bearing a qualified electronic signature or a qualified electronic seal of the person who is competent to issue the relevant document, shall enjoy legal presumption of its authenticity and integrity provided the document does not contain any dynamic features capable of automatically changing the document.

2. A document bearing a qualified electronic signature or a qualified electronic seal shall have the equivalent legal effect of a paper document bearing a handwritten signature or a physical seal, where this exists under national law, provided the document does not contain any dynamic features capable of automatically changing the document.

Amendment  116

Proposal for a regulation

Article 34 – paragraph 3

Text proposed by the Commission

Amendment

3. When an original document or a certified copy is required for the provision of a service online offered by a public sector body, at least electronic documents issued by the persons who are competent to issue the relevant documents and that are considered to be originals or certified copies in accordance with national law of the Member State of origin, shall be accepted in other Member States without additional requirements.

deleted

Justification

Art. 34 (3) would call into question the tried and tested instrument of the endorsement (apostille) for the recognition of foreign documents, which is also to be the subject of new regulation by the Commission.

Amendment  117

Proposal for a regulation

Article 34 – paragraph 4

Text proposed by the Commission

Amendment

4. The Commission may, by means of implementing acts, define formats of electronic signatures and seals that shall be accepted whenever a signed or sealed document is requested by a Member State for the provision of a service online offered by a public sector body referred to in paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

deleted

Amendment  118

Proposal for a regulation

Article 35 – paragraph 1

Text proposed by the Commission

Amendment

1. Data sent or received using an electronic delivery service shall be admissible as evidence in legal proceedings with regard to the integrity of the data and the certainty of the date and time at which the data were sent to or received by a specified addressee.

1. Data sent or received using an electronic delivery service shall be admissible as evidence in legal proceedings.

Amendment  119

Proposal for a regulation

Article 35 – paragraph 2

Text proposed by the Commission

Amendment

2. Data sent or received using a qualified electronic delivery service shall enjoy legal presumption of the integrity of the data and the accuracy of the date and time of sending or receiving the data indicated by the qualified electronic delivery system.

2. Data sent or received using a qualified electronic delivery service shall constitute at least prima facie evidence of the authenticity of the data and the correctness of the date and time of sending or receiving the data indicated by the qualified electronic delivery system.

Amendment  120

Proposal for a regulation

Article 35 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

 

2a. This Article shall be without prejudice to Regulation (EC) No 1348/2000.

Amendment  121

Proposal for a regulation

Article 35 – paragraph 3

Text proposed by the Commission

Amendment

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the specification of mechanisms for sending or receiving data using electronic delivery services, which shall be used with a view to fostering interoperability between electronic delivery services.

deleted

Amendment  122

Proposal for a regulation

Article 36 – paragraph 2

Text proposed by the Commission

Amendment

2. The Commission may, by means of implementing acts, establish reference numbers of standards for processes for sending and receiving data. Compliance with the requirements laid down in paragraph 1 shall be presumed where the process for sending and receiving data meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

2. The Commission may, by means of implementing acts, establish reference numbers of standards for processes for sending and receiving data. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the requirements laid down in paragraph 1 shall be presumed where the process for sending and receiving data meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Amendment  123

Proposal for a regulation

Article 37 – paragraph 4

Text proposed by the Commission

Amendment

4. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for website authentication. Compliance with the requirements laid down in Annex IV shall be presumed where a qualified certificate for website authentication meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

4. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for website authentication. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the requirements laid down in Annex IV shall be presumed where a qualified certificate for website authentication meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Justification

This modification is relevant for every article which mentions the use of standards throughout the text.

Amendment  124

Proposal for a regulation

Article 38

Text proposed by the Commission

Amendment

1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2. The power to adopt delegated acts referred to in Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) shall be conferred on the Commission for an indeterminate period of time from the entry into force of this Regulation.

2. The power to adopt delegated acts referred to in Articles 8(3), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) shall be conferred on the Commission for a period of five years beginning on the date of the entry into force of this Regulation. The Commission shall draw up a report in respect of the delegation of power not later than six months before the end of the five-year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.

3. The delegation of power referred to in Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

3. The delegation of power referred to in Articles 8(3), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council. The Commission may not adopt a delegated act under this Regulation without prior consultation with the relevant stakeholders.

5. A delegated act adopted pursuant to Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.

5. A delegated act adopted pursuant to Articles 8(3), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.

Amendment  125

Proposal for a regulation

Article 39 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

1a. Implementing acts may not be adopted under this Regulation without prior consultation of industry and the relevant stakeholders.

Amendment  126

Proposal for a regulation

Article 39 – paragraph 2

Text proposed by the Commission

Amendment

2. Where reference is made to this paragraph, Article 5 of Regulation 182/2011 shall apply.

2. Where reference is made to this paragraph, Article 4 of Regulation 182/2011 shall apply.

Amendment  127

Proposal for a regulation

Article 40

Text proposed by the Commission

Amendment

The Commission shall report to the European Parliament and to the Council on the application of this Regulation. The first report shall be submitted no later than four years after the entry into force of this Regulation. Subsequent reports shall be submitted every four years thereafter.

1. The Commission shall report to the European Parliament and to the Council on the application of this Regulation. The first report shall be submitted no later than two years after the entry into force of this Regulation. Subsequent reports shall be submitted every four years thereafter accompanied, if necessary by appropriate legislative proposals.

 

1a. That report should evaluate whether the scope of this Regulation needs to be changed for the purposes of adaptation to developments in technology, in the market and in the legal context in the Member States and internationally; generally, the report must indicate whether the Regulation has made it possible to attain its stated objectives with regard to building trust in the online environment.

Amendment  128

Proposal for a regulation

Annex II – point 1 – point c

Text proposed by the Commission

Amendment

(c) the electronic signature creation data used for electronic signature generation cannot, with reasonable assurance, be derived and the electronic signature is protected against forgery using currently available technology;

(c) the electronic signature creation data used for electronic signature generation cannot be derived and the electronic signature is protected against forgery using currently available technology;

Amendment  129

Proposal for a regulation

Annex III – subparagraph 1 a (new)

Text proposed by the Commission

Amendment

 

Sensitive data within the meaning of Article 8 of Directive 95/46/CE shall not be processed.

Amendment  130

Proposal for a regulation

Annex IV – subparagraph 1 a (new)

Text proposed by the Commission

Amendment

 

Sensitive data within the meaning of Article 8 of Directive 95/46/CE shall not be processed.

Amendment  131

Proposal for a regulation

Annex IV – point c

Text proposed by the Commission

Amendment

(c) a set of data unambiguously representing the legal person to whom the certificate is issued, including at least name and registration number as stated in the official records;

(c) a set of data unambiguously representing the natural or legal person to whom the certificate is issued, including at least name and registration number as the case may be, as stated in the official records;

Amendment  132

Proposal for a regulation

Annex IV – point d

Text proposed by the Commission

Amendment

(d) elements of the address, including at least city and Member State, of the legal person to whom the certificate is issued as stated in the official records;

(d) elements of the address, including at least city and Member State, of the natural or legal person to whom the certificate is issued as stated in the official records;

[1] OJ C 351, 15.11.2012, p. 73.

EXPLANATORY STATEMENT

There is no comprehensive EU cross-border and cross-sector framework for secure, trustworthy and easy-to-use electronic transactions that encompasses electronic identification, authentication and trust services. The existing EU legislation, namely Directive 1999/93/EC on a Community framework for electronic signatures, essentially covers electronic signatures only.

The Digital Agenda for Europe identifies existing barriers to Europe’s digital development and foresees legislation on trust services such as e-signatures and the mutual recognition of electronic identification and authentication, establishing a clear legal framework so as to eliminate fragmentation and the lack of interoperability, enhance digital citizenship and prevent cybercrime. Legislation ensuring the mutual recognition of electronic identification and authentication across the EU is also a key action in the Single Market Act, as well as the Roadmap for Stability and Growth. The European Parliament has repeatedly stressed the importance of the security of electronic services.

The Commission proposal consists of two parts. The first focuses on the mutual recognition and acceptance at EU level of notified electronic identification schemes. The second part purports to establish a common framework for trust services such as electronic signatures.

The Rapporteur welcomes the Commission's proposal as a good starting point and supports the efforts to establish a legal framework at EU level. The Rapporteur, however, considers that both the objectives and the content of the proposed Regulation could be further clarified, and it is important that the legislators consider the full extent of the proposal carefully. In its current form the Commission proposal is too vaguely defined to be properly evaluated by the legislator. In particular the definition of trust services needs to be further elaborated. The “universe” of trust service providers will vary depending on the definition chosen and thus so will the actors falling under the Regulation. The Rapporteur narrows the definition of trust services.

The Commission considers a Regulation to be the most appropriate legal instrument due to the direct applicability which in turn would reduce legal fragmentation and provide greater legal certainty. While this harmonised approach could be considered to benefit all the stakeholders, the Rapporteur will continue to evaluate if a more gradual approach would have been more constructive and if certain prioritisation of cross-border services to be tackled by the proposed Regulation could have been beneficial for the overall result.

The proposed Regulation empowers the Commission in many provisions to adopt delegated acts or implementing measures. The Rapporteur shares the view that such further acts and measures might contribute to the uniform application of the Regulation and may allow for further alignment of national practices based on experience gained after the Regulation applies, but the Rapporteur also has reservations about an approach that relies upon them so heavily. The Rapporteur would advise a critical look at the proposed implementing acts and therefore proposes amendments that will restrict the proposed acts strictly to technical implementation of the legal act in question in a uniform manner.

Concerning the delegated acts, the Rapporteur would like to further assess the necessity and scope of these acts and proposes a more selective approach. The Rapporteur proposes deletion of certain delegated acts until the Commission further specifies their intended scope and purpose. To the greatest extent possible, obligations should be specified in the basic act itself rather than through delegated acts. Due to the complexity of these acts, the Rapporteur reserves the possibility of considering these acts further and of proposing possible further modifications by amendments to the draft report later on.

The Rapporteur is aware of the economic and social potential of this proposal but is also aware of the challenges, often very technical in their nature, that need to be addressed in order to arrive at a legislative text that delivers its full potential. With regard to electronic identification schemes, it is important to build interoperability without substantially altering the national solutions chosen for electronic identification. Therefore the mutual standards for ensuring technical interoperability should be technologically neutral so as to respect the various choices made by Member States.

Furthermore, another challenge will be to strike the right balance between the security elements that are essential in order to build trust and adoption by the citizens and the cost and other consequences they represent to involved players on the provider side. In this context it is important also to look into liability questions.

Finally, the Rapporteur considers that trust services provided, and end user products used in the provision of those services under the proposed Regulation, should be made accessible for persons with disabilities. Physical use of the devices should be accessible to any person with or without physical disabilities. The Rapporteur considers that in this digital age effective barrier-free participation of persons with disabilities in the European digital single market should be mainstreamed.

OPINION of the Committee on the Internal Market and Consumer Protection (*) (23.7.2013)

for the Committee on Industry, Research and Energy

on the proposal for a regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market
(COM(2012)0238 – C7‑0133/2012 – 2012/0146(COD))

Rapporteur (*): Marielle Gallo

(*) Associated committee – Rule 50 of the Rules of Procedure

SHORT JUSTIFICATION

The proposal for a regulation concerns the mutual recognition of notified electronic identification schemes, on the one hand, and electronic trust services, on the other.

It aims to expand the existing legal framework and, above all, to provide for a comprehensive transnational and cross‑sector framework for electronic transactions underpinned by legal certainty and a reliable level of security. The proposal is also consonant with the Single Market Act I as it constitutes one of the 12 key measures to boost growth and strengthen confidence in the single market.

The rapporteur would like to make the following comments:

The rapporteur supports the Commission proposal and the choice of a regulation rather than a directive; Directive 1999/93/EC, which covered only electronic signatures, has not lived up to expectations.

The rapporteur agrees with the general objectives of the proposal, which are to expand the European digital single market. The proposal therefore considerably reinforces the legal certainty of trust services, which is a prerequisite for increasing electronic transactions, in particular cross‑border electronic transactions.

The regulation will bring added value not only to national authorities, owing to the expansion of e‑government, but also to businesses, which will have more opportunities, for example, to access public procurement procedures online. There will also be added value for private individuals, who will no longer need to travel and incur the attendant costs, for example when registering at a university far from home.

Bearing in mind that trust services are a lucrative market which is set to expand further over the next decade, the rapporteur supports the approach taken in the proposal of attempting to ensure technological neutrality.

However, the rapporteur would also add that the issue of digital identity is a complex one. If an approach favouring interoperable national digital identities is an imperative, then it should not come at the expense of information system security requirements or of the fundamental principles of respect for and the protection of privacy, which is essential for boosting users’ confidence in the digital world.

The rapporteur therefore proposes introducing different security levels, a prerequisite for the principle of mutual recognition. This would also guarantee a minimum level of security, thereby boosting online security.

The rapporteur also takes the view that provisions on liability should concern only qualified trust service providers, just like in Directive 1999/93/EC.

The rapporteur welcomes the oversight provisions under Section 2 of Chapter III of the proposal. However, in order to facilitate the work of the supervisory bodies and to guarantee a minimum level of consistency as regards the legal effects of non‑qualified service providers offering trust services, the rapporteur wishes to make it an obligation for non‑qualified trust services providers to notify their intention to launch a trust service.

Given that the proposal lays down numerous supervision and security requirements for qualified trust service providers, the rapporteur proposes a new article to establish a ‘European Union’ qualified trustmark. Qualified trust service providers that meet the requirements of the regulation could use this label when presenting and advertising their qualified trust service. It would also help eligible qualified service providers to distinguish themselves from their competitors.

Lastly, the rapporteur takes the view that there are too many delegated acts in the proposal and has therefore included a number of amendments in order to limit their number.

AMENDMENTS

The Committee on the Internal Market and Consumer Protection calls on the Committee on Industry, Research and Energy, as the committee responsible, to incorporate the following amendments in its report:

Amendment  1

Proposal for a regulation

Recital 11

Text proposed by the Commission

Amendment

(11) One of the objectives of this Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States to access at least public services. This Regulation does not aim at intervening on electronic identity management systems and related infrastructures established in the Member States. The aim of this Regulation is to ensure that for the access to cross-border online services offered by the Member States, secure electronic identification and authentication is possible.

(11) One of the objectives of this Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States to access at least public services. This Regulation does not aim at intervening on electronic identity management systems and related infrastructures established in the Member States. Rather, it aims to introduce different security levels to guarantee a minimum common set of security requirements. The aim of this Regulation is to ensure that for the access to cross-border online services offered by the Member States, secure electronic identification and authentication is possible, with full respect to technology neutrality.

Justification

Unlike trust services, which are covered by a common set of security requirements, the Commission has no such provisions for electronic identification. The rapporteur takes the view that the introduction of different security levels (and consequently of a minimum level of security) is a prerequisite for the principle of mutual recognition and will help increase security in the digital world.

Amendment  2

Proposal for a regulation

Recital 13

Text proposed by the Commission

Amendment

(13) Some conditions need to be set in the Regulation with regard to which electronic identification means have to be accepted and how the schemes should be notified. These should help Member States to build the necessary trust in each other's electronic identification schemes and to mutually recognise and accept electronic identification means falling under their notified schemes. The principle of mutual recognition and acceptance should apply if the notifying Member State meets the conditions of notification and the notification was published in the Official Journal of the European Union. However, the access to these online services and their final delivery to the applicant should be closely linked to the right to receive such services under the conditions set by national legislation.

(13) Some conditions need to be set in the Regulation with regard to which electronic identification means have to be accepted and how the schemes should be notified. These should help Member States to build the necessary trust in each other's electronic identification schemes and to mutually recognise and accept electronic identification means falling under their notified schemes. The principle of mutual recognition and acceptance should apply if the notifying Member State meets the conditions of notification and the notification, including the description of the notified electronic identification scheme and the information on the different security levels, was published in the Official Journal of the European Union. However, the access to these online services and their final delivery to the applicant should be closely linked to the right to receive such services under the conditions set by national legislation.

Justification

Unlike trust services, which are covered by a common set of security requirements, the Commission has no such provisions for electronic identification. The rapporteur takes the view that the introduction of different security levels (and consequently of a minimum level of security) is a prerequisite for the principle of mutual recognition and will help increase security in the digital world.

Amendment  3

Proposal for a regulation

Recital 16

Text proposed by the Commission

Amendment

(16) Cooperation of Member States should serve the technical interoperability of the notified electronic identification schemes with a view to foster a high level of trust and security appropriate to the degree of risk. The exchange of information and the sharing of best practices between Member States with a view to their mutual recognition should help such cooperation.

(16) Cooperation of Member States should serve the technical interoperability of the notified electronic identification schemes with a view to foster a high level of trust and security appropriate to the degree of risk. The exchange of information and the sharing of best practices between Member States with a view to their mutual recognition should help such cooperation. To ensure efficiency, interoperability and security safeguards should be addressed prior to notification.

Amendment  4

Proposal for a regulation

Recital 17

Text proposed by the Commission

Amendment

(17) This Regulation should also establish a general legal framework for the use of electronic trust services. However, it should not create a general obligation to use them. In particular, it should not cover the provision of services based on voluntary agreements under private law. Neither should it cover aspects related to the conclusion and validity of contracts or other legal obligations where there are requirements as regards form prescribed by national or Union law.

(17) This Regulation should also establish a general legal framework for the use of electronic trust services. However, it should not create a general obligation to use them. In particular, it should not cover the provision of services based on voluntary agreements under private law. It should also be without prejudice to provisions on the form, formation or effect of contracts or to the form, creation or validity of other private-law obligations irrespective of whether they are founded on national or Union law, for example Articles 10 and 11 of Regulation (EC) No 593/2008. Furthermore this Regulation should be without prejudice to the rules and restrictions in national or Union law on the use of documents, and should not apply to register procedures, particularly those relating to land registers and trade registers.

Amendment  5

Proposal for a regulation

Recital 20

Text proposed by the Commission

Amendment

(20) Because of the pace of technological change, this Regulation should adopt an approach which is open to innovations.

(20) Because of the pace of technological change, this Regulation should adopt an approach which aims at stimulating innovations.

Amendment  6

Proposal for a regulation

Recital 22

Text proposed by the Commission

Amendment

(22) To enhance people's trust in the internal market and to promote the use of trust services and products, the notions of qualified trust services and qualified trust service provider should be introduced with a view to indicating requirements and obligations to ensure high-level security of whatever qualified trust services and products are used or provided.

(22) To enhance trust of small and medium enterprises (SMEs) and consumers in the internal market and to promote the use of trust services and products, the notions of qualified trust services and qualified trust service provider should be introduced with a view to indicating requirements and obligations to ensure high-level security of whatever qualified trust services and products are used or provided. Both qualified and advanced electronic signatures may be legally equivalent to handwritten signatures. Nothing in this Regulation shall limit the ability of any natural or legal person to demonstrate with evidence the non-reliability of any form of electronic signature. However, in case of qualified electronic signature the burden of proof when questioning the identity of the signatory shall rest with the contesting party.

Justification

It should be made clear that even a non-qualified signature can have the same effect as a handwritten one. The only difference is the burden of proof.

Amendment  7

Proposal for a regulation

Recital 23

Text proposed by the Commission

Amendment

(23) In line with the obligations under the UN Convention on the Rights of Persons with Disabilities that has entered into force in the EU, persons with disabilities should be able to use trust services and end user products used in the provision of those services on equal bases with other consumers.

(23) In line with the obligations under the UN Convention on the Rights of Persons with Disabilities that has entered into force in the EU, and with respect to and in full compliance with Union legislation on accessibility of public sector bodies' websites, persons with disabilities should be able to use trust services, electronic identification services and end user products used in the provision of those services on equal bases with other consumers.

Amendment  8

Proposal for a regulation

Recital 29

Text proposed by the Commission

Amendment

(29) Notification of security breaches and security risk assessments is essential with a view to providing adequate information to concerned parties in the event of a breach of security or loss of integrity.

(29) Notification to the competent supervisory body by trust services providers of security breaches and security risk assessments is essential with a view to providing adequate information to concerned parties in the event of a breach of security or loss of integrity.

Amendment  9

Proposal for a regulation

Recital 34

Text proposed by the Commission

Amendment

(34) To facilitate the supervision of qualified trust services providers, for example when a provider is providing its services in the territory of another Member State and is not subject to supervision there, or when the computers of a provider are located in the territory of another Member State than the one where it is established, a mutual assistance system between supervisory bodies in the Member States should be set up.

(34) To facilitate the supervision of qualified trust services providers and ensure that it is effective, as stipulated in this Regulation, for example when a provider is providing its services in the territory of another Member State and is not subject to supervision there, or when the computers of a provider are located in the territory of another Member State than the one where it is established, a mutual assistance system between supervisory bodies in the Member States should be set up. The system should also aim to simplify and reduce the administrative burden on trust service providers by having a one-stop-shop supervisory body.

Amendment  10

Proposal for a regulation

Recital 39 a (new)

Text proposed by the Commission

Amendment

 

(39a) In order to boost users’ confidence online and to make it easier to identify the qualified trust services providers which meet the requirements of this Regulation, an 'EU' qualified trustmark should be created.

Justification

Parliament called for the creation of a trustmark in its resolution of 11 December 2012 on completing the Digital Single Market. Its aim in doing so was to boost users’ confidence online by creating an easily recognisable European label. Bearing in mind the aim of making trust services more secure online, qualified trust service providers who meet the requirements, especially those laid down in Article 19, should be able to benefit from this label and enjoy added value in e-commerce.

Amendment  11

Proposal for a regulation

Recital 40 a (new)

Text proposed by the Commission

Amendment

 

(40a) The creation of remote electronic signatures, where the electronic signature creation environment is managed by a trust services provider on behalf of the signatory, is set to increase in the light of its multiple economic benefits. However, in order to ensure that such electronic signatures receive the same legal recognition as electronic signatures created in an entirely user‑managed environment, remote signature services providers should apply specific management and administrative security procedures, and use reliable systems and products, including secure electronic communication channels, in order to guarantee that the electronic signature creation environment is reliable and is used under the sole control of the signatory. Where a qualified electronic signature has been created using a remote electronic signature creation device, the requirements applicable to qualified trust services providers set out in this Regulation will apply.

Justification

Although the server signature service is exposed to greater risks than other services, it is of benefit to users and is set to expand. The rapporteur therefore takes the view that express reference should be made to this service in order to ensure that the supervisory audits focus on the weaknesses inherent to this type of signature.

Amendment  12

Proposal for a regulation

Recital 42

Text proposed by the Commission

Amendment

(42) When a transaction requires a qualified electronic seal from a legal person, a qualified electronic signature from the authorised representative of the legal person should be equally acceptable.

(42) When national or Union law requires a qualified electronic seal from a legal person, a qualified electronic signature from the authorised representative of the legal person should be equally acceptable.

Amendment  13

Proposal for a regulation

Recital 43

Text proposed by the Commission

Amendment

(43) Electronic seals should serve as evidence that an electronic document was issued by a legal person, ensuring certainty of the document’s origin and integrity.

(43) Valid electronic seals should serve as prima facie evidence for the authenticity and integrity of an electronic document associated with them. This should be without prejudice to national provisions on power of attorney, representation and legal capacity.

Amendment  14

Proposal for a regulation

Recital 45

Text proposed by the Commission

Amendment

(45) In order to enhance the cross-border use of electronic documents this Regulation should provide for the legal effect of electronic documents which should be considered as equal to paper documents dependent on the risk assessment and provided the authenticity and integrity of the documents are ensured. It is also important for further development of cross-border electronic transactions in the internal market that original electronic documents or certified copies issued by relevant competent bodies in a Member State under their national law are accepted as such also in other Member States. This Regulation should not affect Member States’ right to determine what constitutes an original or a copy at a national level but ensures that these can be used as such also across borders.

deleted

Amendment  15

Proposal for a regulation

Recital 46 a (new)

Text proposed by the Commission

Amendment

 

(46a) Member States should ensure that the possibilities and limitations of use of electronic identification are clearly communicated to the citizens.

Amendment  16

Proposal for a regulation

Recital 49

Text proposed by the Commission

Amendment

(49) In order to complement certain detailed technical aspects of this Regulation in a flexible and rapid manner, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of interoperability of electronic identification; security measures required of trust service providers; recognised independent bodies responsible for auditing the service providers; trusted lists; requirements related to the security levels of electronic signatures; requirements of qualified certificates for electronic signatures, their validation and their preservation; the bodies responsible for the certification of qualified electronic signature creation devices; and the requirements related to the security levels of electronic seals and to qualified certificates for electronic seals; the interoperability between delivery services. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level.

(49) In order to complement certain detailed technical aspects of this Regulation in a flexible and rapid manner, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of interoperability of electronic identification; recognised independent bodies responsible for auditing the service providers; requirements of qualified certificates for electronic signatures, their validation and their preservation; the bodies responsible for the certification of qualified electronic signature creation devices; and the requirements related to qualified certificates for electronic seals. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level.

Justification

Recital 49 needs to be modified in line with the amendments introduced by the rapporteur on delegated acts.

Amendment  17

Proposal for a regulation

Recital 51 a (new)

Text proposed by the Commission

Amendment

 

(51a) The standardisation work carried out by international and European organisations enjoys international recognition. This work is undertaken in cooperation with the industries and stakeholders concerned, and is funded by the Union and national authorities, among others. With a view to ensuring a high level of security in electronic identification and in electronic trust services, particularly in the Commission’s drafting of delegated and implementing acts, due account should be paid to standards drawn up by organisations such as the European Committee for Standardisation (CEN), the European Telecommunications Standards Institute (ETSI), the European Committee for Electrotechnical Standardisation (CENELEC) or the International Organisation for Standardisation (ISO).

Amendment  18

Proposal for a regulation

Article 1 – paragraph 1

Text proposed by the Commission

Amendment

1. This Regulation lays down rules for electronic identification and electronic trust services for electronic transactions with a view to ensuring the proper functioning of the internal market.

1. This Regulation lays down rules for electronic identification and trust services for electronic transactions with a view to ensuring the proper functioning of the internal market, guaranteeing a high level of security for identification means and trust services and boosting public trust in the digital world.

Justification

Article 3(12) refers to trust services rather than electronic trust services.

Amendment  19

Proposal for a regulation

Article 1 – paragraph 3

Text proposed by the Commission

Amendment

3. This Regulation establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services and website authentication.

3. This Regulation establishes a legal framework for electronic signatures, electronic seals, electronic validation and verification, electronic time stamps, electronic documents, electronic delivery services and website authentication.

Amendment  20

Proposal for a regulation

Article 1 – paragraph 4

Text proposed by the Commission

Amendment

4. This Regulation ensures that trust services and products which comply with this Regulation are permitted to circulate freely in the internal market.

4. This Regulation ensures that both qualified and non-qualified trust services and products which comply with this Regulation are permitted to circulate freely in the internal market.

Justification

Article 3 defines ‘trust services’ and ‘products’ (see also the wording of Article 4).

Amendment  21

Proposal for a regulation

Article 2 – paragraph 1

Text proposed by the Commission

Amendment

1. This Regulation applies to electronic identification provided by, on behalf or under the responsibility of Member States and to trust service providers established in the Union.

1. This Regulation applies to electronic identification mandated, recognised or issued by or on behalf of Member States.

Amendment  22

Proposal for a regulation

Article 2 – paragraph 2

Text proposed by the Commission

Amendment

2. This Regulation does not apply to the provision of electronic trust services based on voluntary agreements under private law.

2. This Regulation applies to both qualified and non-qualified trust service providers established in the Union. This Regulation does not apply to trust services which are chosen by a closed group of parties and which are used exclusively within that group.

Amendment  23

Proposal for a regulation

Article 2 – paragraph 3

Text proposed by the Commission

Amendment

(3) This Regulation does not apply to aspects related to the conclusion and validity of contracts or other legal obligations where there are requirements as regards form prescribed by national or Union law.

(3) This Regulation shall be without prejudice to provisions of national or Union law on the formation or validity of contracts or other private law obligations.

Justification

The wording proposed by the Commission is too imprecise for a regulation.

Amendment  24

Proposal for a regulation

Article 2 – paragraph 3 a (new)

Text proposed by the Commission

Amendment

 

(3a) This Regulation shall be without prejudice to rules and restrictions in national or Union law on the use of documents. It shall not apply to register procedures, particularly those relating to land registers and trade registers.

Amendment  25

Proposal for a regulation

Article 3 – point 1

Text proposed by the Commission

Amendment

(1) electronic identification means the process of using person identification data in electronic form unambiguously representing a natural or legal person;

(1) 'electronic identification' means the process of using person identification data in electronic form representing a natural or legal person either unambiguously or to the degree necessary for the specific purpose;

Justification

The principle of data minimization should be integrated in this proposal. While some services require unambiguous identification others might not require the transfer of all data. A practical example would be a simple age verification for which other personal details are not required.

Amendment  26

Proposal for a regulation

Article 3 – point 4

Text proposed by the Commission

Amendment

(4) ‘authentication’ means an electronic process that allows the validation of the electronic identification of a natural or legal person; or of the origin and integrity of an electronic data;

(4) ‘authentication’ means an electronic process that allows the validation of the electronic identification of a natural or legal person; or of the origin and integrity of electronic data;

Amendment  27

Proposal for a regulation

Article 3 – point 7 – point b

Text proposed by the Commission

Amendment

(b) it is capable of identifying the signatory;

(b) it is capable of guaranteeing the legal validity of the identity of the signatory;

Justification

The use of the term ‘identifying’ could prove confusing given that the regulation concerns electronic identification. This particular point is a definition of an advanced electronic signature, which relates to the ‘trust services’ part of the proposal (Chapter III).

Amendment  28

Proposal for a regulation

Article 3 – point 7 – point c

Text proposed by the Commission

Amendment

(c) it is created using electronic signature creation data that the signatory can, with high level of confidence, use under his sole control; and

(c) it is created using an electronic signature creation device that the signatory can use under his sole control; and

Justification

Wording changed to bring the text into line with the terminology used in Articles 22 and 23. The expression ‘high level of confidence’ is legally meaningless.

Amendment  29

Proposal for a regulation

Article 3 – point 7 – point d

Text proposed by the Commission

Amendment

(d) it is linked to the data to which it relates in such a way that any subsequent change in the data is detectable;

(d) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable;

Amendment  30

Proposal for a regulation

Article 3 – point 8

Text proposed by the Commission

Amendment

(8) ‘qualified electronic signature’ means an advanced electronic signature which is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures;

(8) ‘qualified electronic signature’ means an advanced electronic signature which is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures issued by a qualified trust provider;

Amendment  31

Proposal for a regulation

Article 3 – point 10

Text proposed by the Commission

Amendment

(10) certificate means an electronic attestation which links electronic signature or seal validation data of a natural or a legal person respectively to the certificate and confirms those data of that person;

(10) 'certificate' means an electronic attestation which links electronic signature or seal validation data with the identification data of an entity, or a natural or a legal person respectively and confirms those data of that person;

Amendment  32

Proposal for a regulation

Article 3 – point 11

Text proposed by the Commission

Amendment

(11) ‘qualified certificate for electronic signature’ means an attestation which is used to support electronic signatures, is issued by a qualified trust service provider and meets the requirements laid down in Annex I;

(11) ‘qualified certificate for electronic signature’ means a certificate which is used to support electronic signatures, is issued by a qualified trust service provider and meets the requirements laid down in Annex I;

Amendment  33

Proposal for a regulation

Article 3 – point 12

Text proposed by the Commission

Amendment

(12) trust service means any electronic service consisting in the creation, verification, validation, handling and preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication, and electronic certificates, including certificates for electronic signature and for electronic seals;

(12) 'trust service' means an electronic service consisting in the creation, verification, validation or preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication, and electronic certificates, including certificates for electronic signature and for electronic seals;

Amendment  34

Proposal for a regulation

Article 3 – point 13

Text proposed by the Commission

Amendment

(13) ‘qualified trust service’ means a trust service that meets the applicable requirements provided for in this Regulation;

(13) ‘qualified trust service’ means a trust service that meets the applicable requirements laid down in this Regulation;

Amendment  35

Proposal for a regulation

Article 3 – point 19

Text proposed by the Commission

Amendment

(19) ‘creator of a seal’ means a legal person who creates an electronic seal;

(19) ‘creator of a seal’ means a natural or legal person who creates an electronic seal;

Amendment  36

Proposal for a regulation

Article 3 – point 20

Text proposed by the Commission

Amendment

(20) ‘electronic seal’ means data in electronic form which are attached to or logically associated with other electronic data to ensure the origin and the integrity of the associated data;

(20) ‘electronic seal’ means data in electronic form which are attached to or logically associated with other electronic data to ensure the authenticity and the integrity of the associated data;

Amendment  37

Proposal for a regulation

Article 3 – point 21 – point c

Text proposed by the Commission

Amendment

(c) it is created using electronic seal creation data that the creator of the seal can, with a high level of confidence under its control, use for electronic seal creation; and

(c) it is created using an electronic seal creation device that the creator of the seal can, with a high level of confidence under its control, use for electronic seal creation; and

Justification

Wording changed to bring the text into line with the terminology used in Articles 22 and 23.

Amendment  38

Proposal for a regulation

Article 3 – point 21 – point d

Text proposed by the Commission

Amendment

(d) it is linked to the data to which it relates in such a way that any subsequent change in the data is detectable;

(d) it is linked to the data the origin and integrity of which it attests in such a way that any subsequent change in the data is detectable;

Amendment  39

Proposal for a regulation

Article 3 – point 22

Text proposed by the Commission

Amendment

(22) ‘qualified electronic seal’ means an advanced electronic seal which is created by a qualified electronic seal creation device, and which is based on a qualified certificate for electronic seal;

(22) ‘qualified electronic seal’ means an advanced electronic seal which is created by a qualified electronic seal creation device, and which is based on a qualified certificate for electronic seal issued by a qualified trust service provider;

Amendment  40

Proposal for a regulation

Article 3 – point 27

Text proposed by the Commission

Amendment

(27) ‘electronic document’ means a document in any electronic format;

(27) ‘electronic document’ means a separate set of structured data in any electronic format;

Amendment  41

Proposal for a regulation

Article 4 – paragraph 1

Text proposed by the Commission

Amendment

1. There shall be no restriction on the provision of trust services in the territory of a Member State by a trust service provider established in another Member State for reasons which fall within the fields covered by this Regulation.

1. There shall be no restriction on the provision of trust services in the territory of a Member State by a trust service provider established in another Member State for reasons which fall within the fields covered by this Regulation. Member States shall ensure that trust services originating from another Member State are admissible as evidence in legal proceedings.

Amendment  42

Proposal for a regulation

Article 4 – paragraph 2

Text proposed by the Commission

Amendment

2. Products which comply with this Regulation shall be permitted to circulate freely in the internal market.

2. Products which comply with this Regulation shall circulate freely and securely in the internal market.

Amendment  43

Proposal for a regulation

Article 5 - title

Text proposed by the Commission

Amendment

Mutual recognition and acceptance

Mutual recognition

Amendment  44

Proposal for a regulation

Article 5

Text proposed by the Commission

Amendment

When an electronic identification using an electronic identification means and authentication is required under national legislation or administrative practice to access a service online, any electronic identification means issued in another Member State falling under a scheme included in the list published by the Commission pursuant to the procedure referred to in Article 7 shall be recognised and accepted for the purposes of accessing this service.

When an electronic identification using an electronic identification means and authentication is required under Union or national legislation or administrative practice to access a service online in one Member State or provided online by Union institutions, bodies, offices and agencies, this electronic identification means issued in another Member State or by Union institutions, bodies, offices and agencies under a scheme included in the list published by the Commission pursuant to Article 7, and with a security level equal to or higher than the security level required to access the service, shall be recognised in the Member State or by Union institutions, bodies, offices and agencies for the purposes of accessing that service online, not later than six months after the list, including that scheme, is published.

Amendment  45

Proposal for a regulation

Article 6 – paragraph 1 – point a

Text proposed by the Commission

Amendment

(a) the electronic identification means are issued by, on behalf of or under the responsibility of the notifying Member State;

(a) the electronic identification means are mandated, recognised or issued by or on behalf of the notifying Member State;

Amendment  46

Proposal for a regulation

Article 6 – paragraph 1 – point b

Text proposed by the Commission

Amendment

(b) the electronic identification means can be used to access at least public services requiring electronic identification in the notifying Member State;

(b) the electronic identification means can be used to access at least public services which accept electronic identification in the notifying Member State;

Amendment  47

Proposal for a regulation

Article 6 – paragraph 1 – point c

Text proposed by the Commission

Amendment

(c) the notifying Member State ensures that the person identification data are attributed unambiguously to the natural or legal person referred to in Article 3 point 1;

(c) the notifying Member State ensures that the person identification data are attributed to the natural or legal person referred to in Article 3 point 1 either unambiguously or to the degree necessary for the specific purpose;

Justification

The principle of data minimization should be integrated in the proposal. While some services require unambiguous identification others might not require the transfer of all data. A practical example would be a simple age verification for which other personal details are not required.

Amendment  48

Proposal for a regulation

Article 6 – paragraph 1 – point d

Text proposed by the Commission

Amendment

(d) the notifying Member State ensures the availability of an authentication possibility online, at any time and free of charge so that any relying party can validate the person identification data received in electronic form. Member States shall not impose any specific technical requirements on relying parties established outside of their territory intending to carry out such authentication. When either the notified identification scheme or authentication possibility is breached or partly compromised, Member States shall suspend or revoke without delay the notified identification scheme or authentication possibility or the compromised parts concerned and inform the other Member States and the Commission pursuant to Article 7;

(d) the notifying Member State ensures the availability of an authentication online, at any time so that any relying party established outside of the territory of that Member State can validate the person identification data received in electronic form. Such authentication shall be provided free of charge where access to a service is provided online by a public sector body. Member States shall not impose any disproportionate specific technical requirements on relying parties intending to carry out such authentication.

Amendment  49

Proposal for a regulation

Article 6 – paragraph 1 – point e – introductory part

Text proposed by the Commission

Amendment

(e) the notifying Member State takes liability for:

(e) the notifying Member State ensures:

Justification

Liability of Member States should be addressed separately. See subsequent amendments.

Amendment  50

Proposal for a regulation

Article 6 – paragraph 1 – point e – point i

Text proposed by the Commission

Amendment

(i) the unambiguous attribution of the person identification data referred to in point (c), and

(i) the attribution of the person identification data referred to in point (c), and

Amendment  51

Proposal for a regulation

Article 6 – paragraph 1 – point e – subpoint ii

Text proposed by the Commission

Amendment

ii) the authentication possibility specified in point (d).

ii) the authentication arrangements specified in point (d).

Amendment  52

Proposal for a regulation

Article 7 – paragraph 1 – point a

Text proposed by the Commission

Amendment

(a) a description of the notified electronic identification scheme;

(a) a description of the notified electronic identification scheme and, in particular, information on the different security levels;

Justification

Unlike trust services, which are covered by a common set of security requirements, the Commission has no such provisions for electronic identification. The rapporteur takes the view that the introduction of different security levels (and consequently of a minimum level of security) is a prerequisite for the principle of mutual recognition and will help increase security in the digital world.

Amendment  53

Proposal for a regulation

Article 7 – paragraph 1 – point c

Text proposed by the Commission

Amendment

(c) information on by whom the registration of the unambiguous person identifiers is managed;

(c) information on who is responsible for managing the registration of the person identifiers;

Amendment  54

Proposal for a regulation

Article 7 – paragraph 1 – point d

Text proposed by the Commission

Amendment

(d) a description of the authentication possibility;

(d) a description of the authentication arrangements and in particular the minimum levels of security required and any technical requirements imposed on relying parties;

Justification

Unlike trust services, which are covered by a common set of security requirements, the Commission has no such provisions for electronic identification. The rapporteur takes the view that the introduction of different security levels (and consequently of a minimum level of security) is a prerequisite for the principle of mutual recognition and will help increase security in the digital world.

Amendment  55

Proposal for a regulation

Article 7 – paragraph 2

Text proposed by the Commission

Amendment

2. Six months after the entry into force of the Regulation, the Commission shall publish in the Official Journal of the European Union the list of the electronic identification schemes which were notified pursuant to paragraph 1 and the basic information thereon.

2. Six months after the entry into force of the Regulation, the Commission shall publish in the Official Journal of the European Union as well as on a publicly available website the list of the electronic identification schemes which were notified pursuant to paragraph 1 and the basic information thereon.

Justification

Publication on a publicly available website would ensure user friendliness.

Amendment  56

Proposal for a regulation

Article 7 – paragraph 3

Text proposed by the Commission

Amendment

3. If the Commission receives a notification after the period referred to in paragraph 2 expired, it shall amend the list within three months.

3. If the Commission receives a notification after the period referred to in paragraph 2 expired, it shall amend the list within one month.

Justification

The time limit proposed by the Commission does not seem justified in this case.

Amendment  57

Proposal for a regulation

Article 7 – paragraph 4

Text proposed by the Commission

Amendment

4. The Commission may, by means of implementing acts, define the circumstances, formats and procedures of the notification referred to in paragraphs 1 and 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

4. The Commission may, by means of implementing acts, define the formats and procedures of the notification referred to in paragraphs 1 and 3. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Amendment  58

Proposal for a regulation

Article 7 a (new)

Text proposed by the Commission

Amendment

 

Article 7a

 

Security breach

 

1. When either the electronic identification scheme notified pursuant to Article 7(1) or the authentication referred to in point (d) of Article 6(1) is breached or partly compromised in a way that would affect the reliability of that scheme for cross-border transactions, the notifying Member State shall without undue delay suspend or revoke the cross-border function of that electronic identification scheme or that authentication or the compromised parts concerned and inform other Member States and the Commission thereof.

 

2. When the breach or compromise referred to in paragraph 1 has been remedied, the notifying Member State shall re-establish the authentication and shall inform other Member States and the Commission as soon as possible.

 

3. If the breach or compromise referred to in paragraph 1 is not remedied within three months of the suspension or revocation, the notifying Member State shall notify the withdrawal of the electronic identification scheme to other Member States and to the Commission. The Commission shall publish without undue delay in the Official Journal of the European Union the corresponding amendments to the list referred to in Article 7(2).

Amendment  59

Proposal for a regulation

Article 7 b (new)

Text proposed by the Commission

Amendment

 

Article 7b

 

Liability

 

1. The notifying Member State shall be liable for any damage caused to a natural or legal person which could reasonably be expected to arise under normal circumstances as a result of its failure to comply with its obligations under points (c) and (d) of Article 6(1), unless it can show that it has acted with due diligence.

 

2. The party issuing the electronic identification means shall be liable for any damage caused to any natural or legal person which could reasonably be expected to arise under normal circumstances as a result of its failure to ensure, consistent with the application of the identity assurance levels within national schemes:

 

(i) the attribution of the person identification data referred to in point (ca) of Article 6(1), and

 

(ii) the correct operation of the authentication referred to in point (d) of Article 6(1), unless it can show that he has acted with due diligence.

 

3. Paragraphs 1 and 2 are without prejudice to the liability under national legislation of parties to a transaction in which electronic identification means falling under the notified scheme are used.

Amendment  60

Proposal for a regulation

Article 8 – title

Text proposed by the Commission

Amendment

Coordination

Coordination and interoperability

Amendment  61

Proposal for a regulation

Article 8 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

1a. Member States and the Commission shall in particular prioritize interoperability for such e-services with the greatest cross border relevance by:

 

(a) exchanging best practices concerning the electronic identification means falling under a notified scheme;

 

(b) providing and regularly update best practices on trust and security of the electronic identification means;

 

(c) providing and regularly update on the promotion of the use of electronic identification means.

Amendment  62

Proposal for a regulation

Article 8 – paragraph 3

Text proposed by the Commission

Amendment

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the facilitation of cross border interoperability of electronic identification means by setting of minimum technical requirements.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the facilitation of cross border interoperability of electronic identification means by setting of minimum, technology-neutral, technical requirements.

Amendment  63

Proposal for a regulation

Article 9 – title

Text proposed by the Commission

Amendment

Liability

Liability of qualified trust service providers

Justification

The rapporteur takes the view that only qualified trust service providers should be subject to the liability scheme, as in Directive 1999/93/EC. Non-qualified service providers should be covered by the general scheme of civil and contractual liability defined in the national law of each Member State.

Amendment  64

Proposal for a regulation

Article 9 – paragraph 1

Text proposed by the Commission

Amendment

1. A trust service provider shall be liable for any direct damage caused to any natural or legal person due to failure to comply with the obligations laid down in Article 15(1), unless the trust service provider can prove that he has not acted negligently.

deleted

Justification

The rapporteur takes the view that only qualified trust service providers should be subject to the liability scheme, as in Directive 1999/93/EC. Non-qualified service providers should be covered by the general system of civil and contractual liability defined in national law.

Amendment  65

Proposal for a regulation

Article 9 – paragraph 2

Text proposed by the Commission

Amendment

2. A qualified trust service provider shall be liable for any direct damage caused to any natural or legal person due to failure to meet the requirements laid down in this Regulation, in particular in Article 19, unless the qualified trust service provider can prove that he has not acted negligently.

2. A qualified trust service provider shall be liable for:

 

(a) any damage caused to any natural or legal person which could reasonably be expected to arise under normal circumstances as a result of its failure to meet the requirements laid down in this Regulation, in particular in Article 19, unless the qualified trust service provider can prove that it has acted with due diligence;

 

(b) point (a) shall apply mutatis mutandis where the qualified trust service provider has guaranteed, pursuant to point (b) of Article 10(1), the compliance with the requirements of this Regulation of a qualified trust service provider established in a third country, unless the qualified trust service provider established in the Union can prove that the former has acted with due diligence.

Amendment  66

Proposal for a regulation

Article 9 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

 

2a. In the event of loss attributable to a qualified trust service provider as a result of failure to comply with the requirements set out in Article 19, the court with jurisdiction and the applicable law shall be those of the country in which the loss was suffered.

Justification

The rapporteur wishes to specify the applicable law.

Amendment  67

Proposal for a regulation

Article 10 – title

Text proposed by the Commission

Amendment

Trust services providers from third countries

Qualified trust services providers from third countries

Justification

As this article introduces only provisions covering qualified trust service providers, the title should be amended accordingly.

Amendment  68

Proposal for a regulation

Article 10 – paragraph 1

Text proposed by the Commission

Amendment

1. Qualified trust services and qualified certificates provided by qualified trust service providers established in a third country shall be accepted as qualified trust services and qualified certificates provided by a qualified trust service providers established in the territory of the Union if the qualified trust services or qualified certificates originating from the third country are recognised under an agreement between the Union and third countries or international organisations in accordance with Article 218 TFUE.

1. Qualified trust services and qualified certificates provided by qualified trust service providers established in a third country shall be accepted as qualified trust services and qualified certificates provided by a qualified trust service provider established in the territory of the Union if:

 

(a) the qualified trust service provider fulfils the requirements laid down in this Regulation and has been accredited under an accreditation scheme established in a Member State; or

 

(b) the qualified trust service provider established within the Union which fulfils the requirements laid down in this Regulation guarantees the compliance with the requirements laid down in this Regulation; or

 

(c) the qualified trust services or qualified certificates originating from a third country are recognised under an agreement between the Union and that third country or international organisation in accordance with Article 218 TFEU.

Amendment  69

Proposal for a regulation

Article 10 – paragraph 2

Text proposed by the Commission

Amendment

2. With reference to paragraph 1, such agreements shall ensure that the requirements applicable to qualified trust services and qualified certificates provided by qualified trust service providers established in the territory of the Union are met by the trust service providers in the third countries or international organisations, especially with regard to the protection of personal data, security and supervision.

2. With reference to paragraph 1, such agreements shall ensure that the requirements applicable to qualified trust services and qualified certificates provided by qualified trust service providers established in the territory of the Union are met by the trust service providers in the third countries or international organisations, especially the security of the trust services provided and the supervision of qualified trust service providers.

 

The third country in question shall afford adequate protection of personal data, in accordance with Article 25(2) of Directive 95/46/EC.

Justification

The rapporteur wishes to refer to the provision of EU personal data protection law which specifies that the adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations.

Amendment  70

Proposal for a regulation

Article 11 – paragraph 1

Text proposed by the Commission

Amendment

1. Trust service providers and supervisory bodies shall ensure fair and lawful processing in accordance with Directive 95/46/EC when processing personal data.

1. Trust service providers and supervisory bodies shall ensure fair and lawful processing in accordance with Directive 95/46/EC when processing personal data, adhering to the principles of data minimization.

Amendment  71

Proposal for a regulation

Article 11 – paragraph 4 a (new)

Text proposed by the Commission

Amendment

 

4a. Processing of personal data by or on behalf of the trust service provider, where strictly necessary to ensure network and information security for the purpose of complying with the requirements of Articles 11, 15, 16 and 19 of this Regulation, shall be considered a legitimate interest in the meaning of point (f) of Article 7 of Directive 95/46/EC.

Justification

Processing of personal data might be necessary in case of a breach or in order to take appropriate counter measures and should be applied where this is absolutely necessary and be a "legitimate interest" under the Data Protection Directive and thus be lawful.

Amendment  72

Proposal for a regulation

Article 12

Text proposed by the Commission

Amendment

Trust services provided and end user products used in the provision of those services shall be made accessible for persons with disabilities whenever possible.

Trust services provided and end user products used in the provision of those services shall be made accessible for persons with disabilities in accordance with Union law.

Amendment  73

Proposal for a regulation

Article 13 – paragraph 1

Text proposed by the Commission

Amendment

1. Member States shall designate an appropriate body established in their territory or, upon mutual agreement, in another Member State under the responsibility of the designating Member State. Supervisory bodies shall be given all supervisory and investigatory powers that are necessary for the exercise of their tasks.

1. Member States shall designate a supervisory body established in their territory or, upon mutual agreement, in another Member State under the responsibility of the designating Member State. The designated supervisory body, its addresses and the names of responsible persons shall be communicated to the Commission. Supervisory bodies shall be given adequate resources necessary for the exercise of their tasks.

Justification

The primary powers of the supervisory bodies have been established in this Regulation, however it is important that these authorities can function properly. Furthermore, "investigatory powers" might imply powers that are usually limited to law enforcement authorities, which would go beyond what is necessary.

Amendment  74

Proposal for a regulation

Article 13 – paragraph 3 – point c

Text proposed by the Commission

Amendment

(c) statistics on the market and usage of qualified trust services, including information on qualified trust service providers themselves, the qualified trust services they provide, the products they use and the general description of their customers.

(c) statistics on the market and usage of qualified trust services.

Justification

The rapporteur takes the view that this information is not useful and should not therefore be included in the body of the regulation.

Amendment  75

Proposal for a regulation

Article 13 – paragraph 5

Text proposed by the Commission

Amendment

5. The Commission shall be empowered to adopt delegated acts, in accordance with Article 38, concerning the definition of procedures applicable to the tasks referred to in paragraph 2.

deleted

Justification

Under Article 290, a legislative act may delegate to the Commission the power to adopt non-legislative acts of general application to supplement or amend certain non-essential elements of the legislative act. The proposed delegation would go beyond mere supplementing or amending of non-essential elements of the proposed Regulation.

Amendment  76

Proposal for a regulation

Article 13 – paragraph 6

Text proposed by the Commission

Amendment

6. The Commission may, by means of implementing acts, define the circumstances, formats and procedures for the report referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

6. The Commission may, by means of implementing acts, define the formats and procedures for the report referred to in paragraph 3. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Amendment  77

Proposal for a regulation

Article 14 – paragraph 2 – point b

Text proposed by the Commission

Amendment

(b) compliance with the request would be incompatible with this Regulation.

(b) compliance with the request would be incompatible with this Regulation and applicable legislation.

Amendment  78

Proposal for a regulation

Article 14 – paragraph 3 – subparagraph 1

Text proposed by the Commission

Amendment

3. Where appropriate, supervisory bodies may carry out joint investigations in which staff from other Member States’ supervisory bodies is involved.

3. Where appropriate, supervisory bodies may carry out joint supervisory actions.

Justification

The word "investigation" appears to be closely linked to law enforcement authorities. Furthermore, the formulation "joint actions" implies that staff from other Member States' bodies is involved, thus is considered redundant.

Amendment  79

Proposal for a regulation

Article 14 – paragraph 3 – subparagraph 2

Text proposed by the Commission

Amendment

The supervisory body of the Member State where the investigation is to take place, in compliance with its own national law, may devolve investigative tasks to the assisted supervisory body's staff. Such powers may be exercised only under the guidance and in the presence of staff from the host supervisory body. The assisted supervisory body's staff shall be subject to the host supervisory body's national law. The host supervisory body shall assume responsibility for the assisted supervisory body staff's actions.

deleted

Justification

The purpose of this paragraph is not entirely clear. If a Member State allows powers to be devolved to public bodies of other Member States, then there is no need for an EU legal base for this. However, if a Member State has the power to do so, then it naturally also has the powers to set the specific conditions and procedures. With a view to the lack of added value and the subsidiarity principle, this paragraph should be deleted.

Amendment  80

Proposal for a regulation

Article 14 – paragraph 4

Text proposed by the Commission

Amendment

4. The Commission may, by means of implementing acts, specify the formats and procedures for the mutual assistance provided for in this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

deleted

Justification

The article does not necessarily require an implementing act as the tasks of supervisory bodies are clearly set out.

Amendment  81

Proposal for a regulation

Article 15 – paragraph 1 – subparagraph 1

Text proposed by the Commission

Amendment

1. Trust service providers who are established in the territory of the Union shall take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide. Having regard to state of the art, these measures shall ensure that the level of security is appropriate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of adverse effects of any incidents.

1. Trust service providers who are established in the territory of the Union shall take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide. Having regard to the technological development, these measures shall fully respect the data protection rights and ensure a level of security appropriate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of adverse effects of any significant incidents.

Justification

Referring to technological development seems more appropriate and better describes the ongoing process of adapting to new technologies. Also, state of the art could be mistaken for "best technology available" which would take out cost as a factor and put a disproportionate burden on service providers, which is probably not the aim of the provision. Finally, only significant incidents should be reported to avoid disproportionate burden and information overflow for users.

Amendment  82

Proposal for a regulation

Article 15 – paragraph 1 – subparagraph 2

Text proposed by the Commission

Amendment

Without prejudice to Article 16(1), any trust service provider may submit the report of a security audit carried out by a recognised independent body to the supervisory body to confirm that appropriate security measures have been taken.

Without prejudice to Article 16(1), any trust service provider shall, without undue delay and not later than six months following the commencement of its activities, submit the report of a compliance audit carried out by a recognised independent body to the supervisory body to confirm that appropriate security measures have been taken.

Justification

With a view to the reliability and safety requirements of trust services, a mandatory compliance audit should always be carried out.

Amendment  83

Proposal for a regulation

Article 15 – paragraph 2 – subparagraph 2

Text proposed by the Commission

Amendment

Where appropriate, in particular if a breach of security or loss of integrity concerns two or more Member States, the supervisory body concerned shall inform supervisory bodies in other Member States and the European Network and Information Security Agency (ENISA).

Where appropriate, in particular if a breach of security or loss of integrity concerns two or more Member States, the supervisory body concerned shall inform supervisory bodies in these Member States and the European Network and Information Security Agency (ENISA).

Amendment  84

Proposal for a regulation

Article 15 – paragraph 2 – subparagraph 3

Text proposed by the Commission

Amendment

The supervisory body concerned may also inform the public or require the trust service provider to do so, where it determines that disclosure of the breach is in the public interest.

The supervisory body concerned, in consultation with the trust service provider, may also inform the public or require the trust service provider to do so, where it determines that disclosure of the breach is in the public interest.

Justification

While the ultimate decision to notify the public should rest with the public authority, a consultation with the service provider should take place as well. The provider might be better placed to assess the impact of the breach on users and the consequences for incident investigation / remedies.

Amendment  85

Proposal for a regulation

Article 15 – paragraph 4

Text proposed by the Commission

Amendment

4. In order to implement paragraphs 1 and 2, the competent supervisory body shall have the power to issue binding instructions to trust service providers.

4. In order to ensure compliance with paragraphs 1 and 2, the competent supervisory body shall have the power to issue binding instructions to trust service providers.

Amendment  86

Proposal for a regulation

Article 15 – paragraph 5

Text proposed by the Commission

Amendment

5. The Commission shall be empowered to adopt delegated acts, in accordance with Article 38, concerning the further specification of the measures referred to in paragraph 1.

deleted

Justification

Merged with following paragraph.

Amendment  87

Proposal for a regulation

Article 16 – paragraph 1

Text proposed by the Commission

Amendment

1. Qualified trust service providers shall be audited by a recognised independent body once a year to confirm that they and the qualified trust services provided by them fulfil the requirements set out in this Regulation, and shall submit the resulting security audit report to the supervisory body.

1. Qualified trust service providers shall be audited by a recognised independent body every two years and following any significant technological or organizational changes to confirm that they and the qualified trust services provided by them fulfil the requirements set out in this Regulation, and shall submit the resulting compliance audit report to the supervisory body.

Justification

The report should not be limited to the security requirements but should also include all requirements for qualified trust service providers stemming from this Regulation. Furthermore, an issuance of the report every 2 years should constitute a sufficient and proportionate measure, taking account of the administrative and financial burden introduced by it. However, in case of significant changes an audit should be conducted to ensure the changes do not affect compliance.

Amendment  88

Proposal for a regulation

Article 16 – paragraph 2

Text proposed by the Commission

Amendment

2. Without prejudice to paragraph 1, the supervisory body may at any time audit the qualified trust service providers to confirm that they and the qualified trust services provided by them still meet the conditions set out in this Regulation, either on its own initiative or in response to a request from the Commission. The supervisory body shall inform the data protection authorities of the results of its audits, in case personal data protection rules appear to have been breached.

2. Without prejudice to paragraph 1, in case of substantiated doubts, the supervisory body may at any time audit the qualified trust service providers to confirm that they and the qualified trust services provided by them still meet the conditions set out in this Regulation, either on its own initiative or in response to a request from a supervisory body in another Member State. The supervisory body shall inform the data protection authorities of the results of its audits, in case personal data protection rules appear to have been breached.

Justification

It should be clarified that such audits cannot be conducted arbitrarily but should be based on substantiated indications of non-compliance. The reference to "on request from the Commission" has been deleted since supervisory bodies are in a better position to assess the necessity of such an audit.

Amendment  89

Proposal for a regulation

Article 16 – paragraph 3

Text proposed by the Commission

Amendment

3. The supervisory body shall have the power to issue binding instructions to qualified trust service providers to remedy any failure to fulfil the requirements indicated in the security audit report.

3. The supervisory body shall have the power to issue binding instructions to qualified trust service providers to remedy any failure to fulfil the requirements set out in this Regulation.

Justification

The original wording would mean the supervisory body would only have the power to issue binding instructions based on the security audit. It is unclear why these powers should be limited to this source of information.

Amendment  90

Proposal for a regulation

Article 16 – paragraph 6

Text proposed by the Commission

Amendment

6. The Commission may, by means of implementing acts, define the circumstances, procedures and formats applicable for the purpose of paragraphs 1, 2 and 4. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

6. The Commission may, by means of implementing acts, define the procedures and formats applicable for the purpose of paragraphs 1, 2 and 4. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Amendment  91

Proposal for a regulation

Article 16 a (new)

Text proposed by the Commission

Amendment

Article 16a

Supervision of trust service providers

In order to facilitate supervision by the supervisory body referred to in point (a) of Article 13(2), trust service providers shall notify the supervisory body of their intention to start offering a trust service and shall inform it of the technical and organisational measures they have taken to manage the risks linked to the security of the trust services they provide in accordance with Article 15(1).

Justification

Correction by the rapporteur to Amendment 35, in which the word ‘qualified’ was written by mistake. Justification for Amendment 35: the rapporteur wishes to introduce this new article in order to facilitate the work of the supervisory body in respect of trust service providers (meaning non-qualified trust service providers) and to guarantee a minimum legal value for non-qualified trust services.

Amendment  92

Proposal for a regulation

Article 17

Text proposed by the Commission

Amendment

1. Qualified trust service providers shall notify the supervisory body of their intention to start providing a qualified trust service and shall submit to the supervisory body a security audit report carried out by a recognised independent body, as provided for in Article 16(1). Qualified trust service providers may start to provide the qualified trust service after they have submitted the notification and security audit report to the supervisory body.

1. Where trust service providers intend to provide a qualified trust service, they shall submit to the supervisory body a notification of their intention together with a security audit report carried out by a recognised independent body, as provided for in Article 16(1).

2. Once the relevant documents are submitted to the supervisory body according to paragraph 1, the qualified service providers shall be included in the trusted lists referred to in Article 18 indicating that the notification has been submitted.

2. Once the relevant documents are submitted in accordance with paragraph 1, the supervisory body shall verify the compliance of the trust service provider and of the trust services to be provided by it with the requirements of this Regulation.

3. The supervisory body shall verify the compliance of the qualified trust service provider and of the qualified trust services provided by it with the requirements of the Regulation.

3. If the verification process confirms compliance with this Regulation, the supervisory body shall grant qualified status to the trust service provider and indicate such status in the trusted list referred to in Article 18, not later than one month after notification has been submitted in accordance with paragraph 1.

The supervisory body shall indicate the qualified status of the qualified service providers and the qualified trust services they provide in the trusted lists after the positive conclusion of the verification, not later than one month after the notification has been done in accordance with paragraph 1.

 

If the verification is not concluded within one month, the supervisory body shall inform the qualified trust service provider specifying the reasons of the delay and the period by which the verification shall be concluded.

If the verification is not concluded within one month, the supervisory body shall inform the qualified trust service provider specifying the reasons for the delay and the period by which the verification shall be concluded. The total period shall not exceed three months.

4. A qualified trust service which has been subject to the notification referred to in paragraph 1 cannot be refused for the fulfilment of an administrative procedure or formality by the concerned public sector body for not being included in the lists referred to in paragraph 3.

4. A trust service which has been subject to the notification and has been granted qualified status in accordance with the procedure laid down in this Article cannot be refused for the fulfilment of an administrative procedure or formality by the concerned public sector body for not being included in the lists referred to in paragraph 3.

5. The Commission may, by means of implementing acts, define the circumstances, formats and procedures for the purpose of paragraphs 1, 2 and 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

 

Amendment  93

Proposal for a regulation

Article 18 – paragraph 2

Text proposed by the Commission

Amendment

2. Member States shall establish, maintain and publish, in a secure manner, electronically signed or sealed trusted lists provided for in paragraph 1 in a form suitable for automated processing.

2. Member States shall establish, maintain and publish, in a secure manner, electronically signed or sealed trusted lists provided for in paragraph 1 in a form suitable for automated processing of both the list itself as well as the individual certificates.

Justification

Clarification has been introduced to ensure that applications can process the certificates, which is necessary for validation in practice.

Amendment  94

Proposal for a regulation

Article 18 – paragraph 5

Text proposed by the Commission

Amendment

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of the information referred to in paragraph 1.

deleted

Justification

The information on qualified trust service providers should be defined in an implementing act rather than a delegated act.

Amendment  95

Proposal for a regulation

Article 18 a (new)

Text proposed by the Commission

Amendment

Article 18a

EU trustmark for qualified trust services

1. Qualified trust service providers may use an EU trustmark to present and advertise the qualified trust services they offer that meet the requirements laid down in this Regulation.

2. By using the EU trustmark for qualified trust services referred to in paragraph 1, qualified trust service providers shall be responsible for ensuring that the services meet all applicable requirements laid down in this Regulation.

3. By means of implementing acts, the Commission shall lay down specific, binding criteria relating to the presentation, composition, size and design of the EU trustmark for qualified trust services. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Justification

Parliament called for the creation of a trustmark in its resolution of 11 December 2012 on completing the Digital Single Market. Its aim in doing so was to boost users’ confidence online by creating an easily recognisable European label. Bearing in mind the aim of making trust services more secure online, qualified trust service providers who meet the requirements, especially those laid down in Article 19, should be able to benefit from this label and enjoy added value in e-commerce.

Amendment  96

Proposal for a regulation

Article 19 – paragraph 1 – subparagraph 1

Text proposed by the Commission

Amendment

When issuing a qualified certificate, a qualified trust service provider shall verify, by appropriate means and in accordance with national law, the identity and, if applicable, any specific attributes of the natural or legal person to whom a qualified certificate is issued.

When issuing a qualified certificate, a qualified trust service provider shall verify, by appropriate means and in accordance with national and Union law, the identity and, if applicable, any specific attributes of the natural or legal person to whom a qualified certificate is issued.

Justification

Clarification.

Amendment  97

Proposal for a regulation

Article 19 – paragraph 2 – point c

Text proposed by the Commission

Amendment

(c) before entering into a contractual relationship, inform any person seeking to use a qualified trust service of the precise terms and conditions regarding the use of that service;

(c) before entering into a contractual relationship, inform any person seeking to use a qualified trust service of the precise terms and conditions regarding the use of that service, including any limitation on its use;

Amendment  98

Proposal for a regulation

Article 19 – paragraph 2 – point d

Text proposed by the Commission

Amendment

(d) use trustworthy systems and products which are protected against modification and guarantee the technical security and reliability of the process supported by them;

(d) use systems and products which are protected against unauthorized modification and guarantee the technical security and reliability of the process supported by them;

Justification

While trustworthy might imply a higher standard, the system ultimately has to comply with the requirements of this paragraph. It is unclear whether "trustworthy" constitutes an additional requirement in itself. To clarify, authorized modifications should be possible.

Amendment  99

Proposal for a regulation

Article 19 – paragraph 2 – point e – introductory part

Text proposed by the Commission

Amendment

(e) use trustworthy systems to store data provided to them, in a verifiable form so that:

(e) use systems to store data provided to them, in a verifiable form so that:

Justification

While trustworthy might imply a higher standard, the system ultimately has to comply with the requirements of this paragraph. It is unclear whether "trustworthy" constitutes an additional requirement in itself.

Amendment  100

Proposal for a regulation

Article 19 – paragraph 2 – point e – indent 1

Text proposed by the Commission

Amendment

– they are publicly available for retrieval only where the consent of the person to whom the data has been issued has been obtained,

– they are publicly available for retrieval only where national or Union law allows for this or where the consent of the person to whom the data relates has been obtained,

Amendment  101

Proposal for a regulation

Article 19 – paragraph 2 – point g

Text proposed by the Commission

Amendment

(g) record for an appropriate period of time all relevant information concerning data issued and received by the qualified trust service provider, in particular for the purpose of providing evidence in legal proceedings. Such recording may be done electronically;

(g) record for an appropriate period of time, regardless of whether the qualified trust service provider has ceased to provide qualified trust services, all relevant information concerning data issued and received by the qualified trust service provider, in particular for the purpose of providing evidence in legal proceedings. Such recording may be done electronically;

Justification

It is important that relevant information is still accessible even if the service provider has ceased its activities.

Amendment  102

Proposal for a regulation

Article 19 – paragraph 3

Text proposed by the Commission

Amendment

3. Qualified trust service providers issuing qualified certificates shall register in their certificate database the revocation of the certificate within ten minutes after such revocation has taken effect.

3. Qualified trust service providers issuing qualified certificates shall register the revocation of the certificate in their certificate database on the same working day that such revocation has taken effect, and if such revocation has taken effect on a weekend or public holiday, on the next working day.

Amendment  103

Proposal for a regulation

Article 19 – paragraph 4

Text proposed by the Commission

Amendment

4. With regard to paragraph 3, qualified trust service providers issuing qualified certificates shall provide to any relying party information on the validity or revocation status of qualified certificates issued by them. This information shall be made available at any time at least on a certificate basis in an automated manner which is reliable, free of charge and efficient.

4. With regard to paragraph 3, qualified trust service providers issuing qualified certificates shall provide to any relying party information on the validity or revocation status of qualified certificates issued by them. This information shall be made available at any time at least on a certificate basis in an automated manner.

Justification

It is unclear what "efficient" and "reliable" mean exactly. "Available at any time" already implies reliability. Furthermore, in contrast to public sector services, private sector solutions cannot always be free of charge. Parties using such services should be free to choose their underlying business model.

Amendment  104

Proposal for a regulation

Article 19 – paragraph 5

Text proposed by the Commission

Amendment

5. The Commission may, by means of implementing acts, establish reference numbers of standards for trustworthy systems and products. Compliance with the requirements laid down in Article 19 shall be presumed where trustworthy systems and products meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

5. The Commission may, by means of implementing acts, establish reference numbers of standards for trustworthy systems and products. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the requirements laid down in Article 19 shall be presumed where trustworthy systems and products meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Justification

This modification is relevant for each article throughout the text which mentions the use of standards.

Amendment  105

Proposal for a regulation

Article 20 – paragraph 1

Text proposed by the Commission

Amendment

1. An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form.

1. An electronic signature shall have legal effect and may be admissible as evidence in legal proceedings. It shall be taken into account that the qualified electronic signature offers a higher level of security than other types of electronic signatures.

Justification

Given the difficulties in translating the French version of the Rapporteur's amendment 43 into English, the Rapporteur decided to table a new amendment in English to rephrase this paragraph.

Amendment  106

Proposal for a regulation

Article 20 – paragraph 2

Text proposed by the Commission

Amendment

2. A qualified electronic signature shall have the equivalent legal effect of a handwritten signature.

2. A qualified electronic signature shall satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data;

Justification

The wording of Directive 1999/93/EC appears to better take into account different national forms and procedural requirements.

Amendment  107

Proposal for a regulation

Article 20 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

2a. A valid qualified electronic signature shall serve as prima facie evidence for the authenticity and integrity of the electronic document associated with it.

Justification

The term ‘valid’ refers to Article 25(1) of the proposal for a regulation. Only if a signature has been positively validated can it have a specific evidentiary value.

Amendment  108

Proposal for a regulation

Article 20 – paragraph 3

Text proposed by the Commission

Amendment

3. Qualified electronic signatures shall be recognised and accepted in all Member States.

3. Qualified electronic signatures shall be recognised and accepted in Member States and institutions of the Union.

Amendment  109

Proposal for a regulation

Article 20 – paragraph 4

Text proposed by the Commission

Amendment

4. If an electronic signature with a security assurance level below qualified electronic signature is required, in particular by a Member State for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic signatures matching at least the same security assurance level shall be recognised and accepted.

4. If an electronic signature with a security assurance level below qualified electronic signature is required, by a Member State or by institutions, bodies, offices and agencies of the Union for completing a transaction offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic signatures matching at least the same security assurance level shall be recognised and accepted for access to that online service.

Amendment  110

Proposal for a regulation

Article 20 – paragraph 5

Text proposed by the Commission

Amendment

5. Member States shall not request for cross-border access to a service online offered by a public sector body an electronic signature at a higher security assurance level than qualified electronic signature.

5. Member States shall not request for cross-border access to a service online offered by a public sector body an electronic signature at a higher security level than qualified electronic signature.

Justification

The word ‘assurance’ is superfluous here.

Amendment  111

Proposal for a regulation

Article 20 – paragraph 6

Text proposed by the Commission

Amendment

6. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of the different security levels of electronic signature referred to in paragraph 4.

deleted

Justification

As the definition of the different security levels of electronic signature is a key element of the Regulation, the rapporteur takes the view that decisions on this matter should not be taken by means of delegated acts.

Amendment  112

Proposal for a regulation

Article 20 – paragraph 7

Text proposed by the Commission

Amendment

7. The Commission may, by means of implementing acts, establish reference numbers of standards for the security levels of electronic signature. Compliance with the security level defined in a delegated act adopted pursuant to paragraph 6 shall be presumed when an electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

7. The Commission may, by means of implementing acts, establish reference numbers of standards for the security levels of electronic signature. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the security level defined in a delegated act adopted pursuant to paragraph 6 shall be presumed when an electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Justification

This modification is relevant for each article throughout the text which mentions the use of standards.

Amendment  113

Proposal for a regulation

Article 21 – paragraph 4

Text proposed by the Commission

Amendment

4. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the further specification of the requirements laid down in Annex I.

deleted

Justification

An implementing act appears more appropriate, therefore it has been merged with the following paragraph.

Amendment  114

Proposal for a regulation

Article 21 – paragraph 5

Text proposed by the Commission

Amendment

5. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for electronic signature. Compliance with the requirements laid down in Annex I shall be presumed where a qualified certificate for electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

5. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for electronic signature. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the requirements laid down in Annex I shall be presumed where a qualified certificate for electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Justification

This modification is relevant for each article throughout the text which mentions the use of standards.

Amendment  115

Proposal for a regulation

Article 22 – paragraph 2

Text proposed by the Commission

Amendment

2. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified electronic signature creation devices. Compliance with the requirements laid down in Annex II shall be presumed where a qualified electronic signature creation device meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

2. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified electronic signature creation devices. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the requirements laid down in Annex II shall be presumed where a qualified electronic signature creation device meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Justification

This modification is relevant for each article throughout the text which mentions the use of standards.

Amendment  116

Proposal for a regulation

Article 23 – paragraph 1

Text proposed by the Commission

Amendment

1. Qualified electronic signature creation devices may be certified by appropriate public or private bodies designated by Member States provided that they have been submitted to a security evaluation process carried out in accordance with one of the standards for the security assessment of information technology products included in a list that shall be established by the Commission by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

1. Qualified electronic signature creation devices must be certified by public or private certification bodies designated by Member States following a security evaluation process carried out in accordance with one of the standards for the security assessment of information technology products included in a list that shall be established by the Commission by means of implementing acts. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Justification

The certification process is crucial in ensuring the security of electronic services. If it is not made mandatory, it is unlikely that providers will take the trouble to have their services certified. However, parties wishing to make use of validation services provided by a trust service provider need to know whether signature creation devices are trustworthy. Mandatory certification by a certification body would thus appear to be indispensable.

Amendment  117

Proposal for a regulation

Article 25 – paragraph 3

Text proposed by the Commission

Amendment

3. The Commission may, by means of implementing acts, establish reference numbers of standards for the validation of qualified electronic signatures. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation of qualified electronic signatures meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

3. The Commission may, by means of implementing acts, establish reference numbers of standards for the validation of qualified electronic signatures. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation of qualified electronic signatures meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Justification

This modification is relevant for each article throughout the text which mentions the use of standards.

Amendment  118

Proposal for a regulation

Article 26 – paragraph 1 – point b

Text proposed by the Commission

Amendment

(b) allows relying parties to receive the result of the validation process in an automated manner which is reliable, efficient and bearing the advanced electronic signature or advanced electronic seal of the provider of the qualified validation service.

(b) allows relying parties to receive the result of the validation process in an automated manner bearing the advanced electronic signature or advanced electronic seal of the provider of the qualified validation service.

Justification

It is unclear what is meant by "efficient and reliable". In any case, this should be left to the business model of the service provider as it lies in their very own interest to offer efficient and reliable services to users.

Amendment  119

Proposal for a regulation

Article 26 – paragraph 2

Text proposed by the Commission

Amendment

2. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified validation service referred to in paragraph 1. Compliance with the requirements laid down in point (b) of paragraph 1 shall be presumed where the validation service for qualified electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

2. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified validation service referred to in paragraph 1. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the requirements laid down in point (b) of paragraph 1 shall be presumed where the validation service for qualified electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Justification

This modification is relevant for each article throughout the text which mentions the use of standards.

Amendment  120

Proposal for a regulation

Article 27 – paragraph 3

Text proposed by the Commission

Amendment

3. The Commission may, by means of implementing acts, establish reference numbers of standards for the preservation of qualified electronic signatures. Compliance with the requirements laid down in paragraph 1 shall be presumed where the arrangements for the preservation of qualified electronic signatures meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

3. The Commission may, by means of implementing acts, establish reference numbers of standards for the preservation of qualified electronic signatures. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the requirements laid down in paragraph 1 shall be presumed where the arrangements for the preservation of qualified electronic signatures meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Justification

This modification is relevant for each article throughout the text which mentions the use of standards.

Amendment  121

Proposal for a regulation

Article 28 – paragraph 2

Text proposed by the Commission

Amendment

2. A qualified electronic seal shall enjoy the legal presumption of ensuring the origin and integrity of the data to which it is linked.

2. A valid qualified electronic seal shall serve at least as prima facie evidence for the authenticity and integrity of the electronic document associated with it. This shall be without prejudice to national provisions on power of attorney and representation.

Amendment  122

Proposal for a regulation

Article 28 – paragraph 3

Text proposed by the Commission

Amendment

3. A qualified electronic seal shall be recognised and accepted in all Member States.

3. A qualified electronic seal shall be recognised in all Member States.

Justification

The difference between "recognised" and "accepted" is unclear. This paragraph is, in contrast to the corresponding provisions on electronic signatures, not deleted as the concept of an (electronic) seal does not exist in all Member States.

Amendment  123

Proposal for a regulation

Article 28 – paragraph 4

Text proposed by the Commission

Amendment

4. If an electronic seal security assurance level below the qualified electronic seal is required, in particular by a Member State for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic seals matching at a minimum the same security assurance level shall be accepted.

4. If an electronic seal security level below the qualified electronic seal is required, in particular by a Member State for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic seals matching at a minimum the same security assurance level shall be accepted for access to that online service.

Justification

The word ‘assurance’ is superfluous here.

Amendment  124

Proposal for a regulation

Article 28 – paragraph 5

Text proposed by the Commission

Amendment

5. Member States shall not request for accessing a service online offered by a public sector body an electronic seal with higher security assurance level than qualified electronic seals.

5. Member States shall not request for cross-border access to a service online offered by a public sector body an electronic seal with higher security level than qualified electronic seals.

Justification

The word ‘assurance’ is superfluous here.

Amendment  125

Proposal for a regulation

Article 28 – paragraph 6

Text proposed by the Commission

Amendment

6. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of different security assurance levels of electronic seals referred to in paragraph 4.

deleted

Justification

As the definition of the different security levels of electronic seals is a key element of the Regulation, the rapporteur takes the view that decisions on this matter should not be taken by means of delegated acts.

Amendment  126

Proposal for a regulation

Article 28 – paragraph 7

Text proposed by the Commission

Amendment

7. The Commission may, by means of implementing acts, establish reference numbers of standards for the security assurance levels of electronic seals. Compliance with the security assurance level defined in a delegated act adopted pursuant to paragraph 6 shall be presumed when an electronic seal meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

7. The Commission may, by means of implementing acts, establish reference numbers of standards for the security assurance levels of electronic seals. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the security assurance level defined in a delegated act adopted pursuant to paragraph 6 shall be presumed when an electronic seal meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Justification

This modification is relevant for each article throughout the text which mentions the use of standards.

Amendment  127

Proposal for a regulation

Article 29 – paragraph 5

Text proposed by the Commission

Amendment

5. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for electronic seal. Compliance with the requirements laid down in Annex III shall be presumed where a qualified certificate for electronic seal meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

5. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for electronic seal. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the requirements laid down in Annex III shall be presumed where a qualified certificate for electronic seal meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Justification

This modification is relevant for each article throughout the text which mentions the use of standards.

Amendment  128

Proposal for a regulation

Article 32 – paragraph 2

Text proposed by the Commission

Amendment

2. Qualified electronic time stamp shall enjoy a legal presumption of ensuring the time it indicates and the integrity of the data to which the time is bound.

2. A qualified electronic time stamp shall constitute at least prima facie evidence of the correctness of the time it indicates and the integrity of the document with which it is associated.

Amendment  129

Proposal for a regulation

Article 33 – paragraph 2

Text proposed by the Commission

Amendment

2. The Commission may, by means of implementing acts, establish reference numbers of standards for the accurate linkage of time to data and an accurate time source. Compliance with the requirements laid down in paragraph 1 shall be presumed where an accurate linkage of time to data and an accurate time source meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

2. The Commission may, by means of implementing acts, establish reference numbers of standards for the accurate linkage of time to data and an accurate time source. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the requirements laid down in paragraph 1 shall be presumed where an accurate linkage of time to data and an accurate time source meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Justification

This modification is relevant for each article throughout the text which mentions the use of standards.

Amendment  130

Proposal for a regulation

Article 34 – paragraph 1

Text proposed by the Commission

Amendment

1. An electronic document shall be considered as equivalent to a paper document and admissible as evidence in legal proceedings, having regard to its assurance level of authenticity and integrity.

1. An electronic document shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic format.

Amendment  131

Proposal for a regulation

Article 34 – paragraph 2

Text proposed by the Commission

Amendment

2. A document bearing a qualified electronic signature or a qualified electronic seal of the person who is competent to issue the relevant document, shall enjoy legal presumption of its authenticity and integrity provided the document does not contain any dynamic features capable of automatically changing the document.

2. A document bearing a qualified electronic signature or a qualified electronic seal, shall have the equivalent legal effect of a paper document bearing a handwritten signature or a physical seal, where this exists under national law, provided the document does not contain any dynamic features capable of automatically changing the document.

Amendment  132

Proposal for a regulation

Article 34 – paragraph 3

Text proposed by the Commission

Amendment

3. When an original document or a certified copy is required for the provision of a service online offered by a public sector body, at least electronic documents issued by the persons who are competent to issue the relevant documents and that are considered to be originals or certified copies in accordance with national law of the Member State of origin, shall be accepted in other Member States without additional requirements.

deleted

Justification

Art. 34 (3) would call into question the tried and tested instrument of the endorsement (apostille) for the recognition of foreign documents, which is also to be the subject of new regulation by the Commission.

Amendment  133

Proposal for a regulation

Article 34 – paragraph 4

Text proposed by the Commission

Amendment

4. The Commission may, by means of implementing acts, define formats of electronic signatures and seals that shall be accepted whenever a signed or sealed document is requested by a Member State for the provision of a service online offered by a public sector body referred to in paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

deleted

Amendment  134

Proposal for a regulation

Article 35 – paragraph 1

Text proposed by the Commission

Amendment

1. Data sent or received using an electronic delivery service shall be admissible as evidence in legal proceedings with regard to the integrity of the data and the certainty of the date and time at which the data were sent to or received by a specified addressee.

1. Data sent or received using an electronic delivery service shall be admissible as evidence in legal proceedings.

Amendment  135

Proposal for a regulation

Article 35 – paragraph 2

Text proposed by the Commission

Amendment

2. Data sent or received using a qualified electronic delivery service shall enjoy legal presumption of the integrity of the data and the accuracy of the date and time of sending or receiving the data indicated by the qualified electronic delivery system.

2. Data sent or received using a qualified electronic delivery service shall constitute at least prima facie evidence of the authenticity of the data and the correctness of the date and time of sending or receiving the data indicated by the qualified electronic delivery system.

Amendment  136

Proposal for a regulation

Article 35 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

 

2a. This Article shall be without prejudice to Regulation (EC) No 1348/2000.

Amendment  137

Proposal for a regulation

Article 35 – paragraph 3

Text proposed by the Commission

Amendment

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the specification of mechanisms for sending or receiving data using electronic delivery services, which shall be used with a view to fostering interoperability between electronic delivery services.

deleted

Amendment  138

Proposal for a regulation

Article 36 – paragraph 2

Text proposed by the Commission

Amendment

2. The Commission may, by means of implementing acts, establish reference numbers of standards for processes for sending and receiving data. Compliance with the requirements laid down in paragraph 1 shall be presumed where the process for sending and receiving data meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

2. The Commission may, by means of implementing acts, establish reference numbers of standards for processes for sending and receiving data. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the requirements laid down in paragraph 1 shall be presumed where the process for sending and receiving data meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Justification

This modification is relevant for each article throughout the text which mentions the use of standards.

Amendment  139

Proposal for a regulation

Article 37 – paragraph 4

Text proposed by the Commission

Amendment

4. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for website authentication. Compliance with the requirements laid down in Annex IV shall be presumed where a qualified certificate for website authentication meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

4. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for website authentication. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the requirements laid down in Annex IV shall be presumed where a qualified certificate for website authentication meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Justification

This modification is relevant for each article throughout the text which mentions the use of standards.

Amendment  140

Proposal for a regulation

Article 38 – paragraph 2

Text proposed by the Commission

Amendment

2. The power to adopt delegated acts referred to in Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) shall be conferred on the Commission for an indeterminate period of time from the entry into force of this Regulation.

2. The power to adopt delegated acts referred to in Articles 8(3), 16(5), 23(3), 25(2), 27(2), 29(4), 30(2), 31 and 37(3) shall be conferred on the Commission for an indeterminate period of time from the entry into force of this Regulation.

Amendment  141

Proposal for a regulation

Article 38 – paragraph 3

Text proposed by the Commission

Amendment

3. The delegation of power referred to in Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) may be revoked at any time by the European Parliament or by the Council. The revocation decision shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated act already in force.

3. The delegation of power referred to in Articles 8(3), 16(5), 23(3), 25(2), 27(2), 29(4), 30(2), 31 and 37(3) may be revoked at any time by the European Parliament or by the Council. The revocation decision shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated act already in force.

Amendment  142

Proposal for a regulation

Article 38 – paragraph 5

Text proposed by the Commission

Amendment

5. A delegated act adopted pursuant to Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.

5. A delegated act adopted pursuant to Articles 8(3), 16(5), 23(3), 25(2), 27(2), 29(4), 30(2), 31 and 37(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.

Amendment  143

Proposal for a regulation

Article 40

Text proposed by the Commission

Amendment

The Commission shall report to the European Parliament and to the Council on the application of this Regulation. The first report shall be submitted no later than four years after the entry into force of this Regulation. Subsequent reports shall be submitted every four years thereafter.

The Commission shall report to the European Parliament and to the Council on the application of this Regulation. The first report shall be submitted no later than two years after the entry into force of this Regulation. Subsequent reports shall be submitted every four years thereafter.

Justification

With all the new elements that have been added to the regulation and given that it is directly applicable in the Member States, the rapporteur takes the view that the first assessment report should be submitted at the most two years after the entry into force of the regulation.

Amendment  144

Proposal for a regulation

Article 40 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

1a. The report must make it possible to establish whether the scope of this Regulation needs to be changed for the purposes of adaptation to developments in technology, in the market and in the legal context in the Member States and internationally; generally, the report must indicate whether the Regulation has made it possible to attain its stated objectives with regard to building trust in the online environment. The report must, in particular, include an assessment of the application of Articles 13, 16 and 19. The report shall be accompanied by legislative proposals, if necessary.

Amendment  145

Proposal for a regulation

Article 40 – paragraph 1 b (new)

Text proposed by the Commission

Amendment

 

1b. The report must make it possible to establish whether the scope of this Regulation needs to be changed for the purposes of adaptation to developments in technology, in the market and in the legal context in the Member States and internationally; generally, the report must indicate whether the Regulation has made it possible to attain its stated objectives with regard to building trust in the online environment. The report must, in particular, include an assessment of the application of Articles 13, 16 and 19. The report shall be accompanied by legislative proposals, if necessary.

Amendment  146

Proposal for a regulation

Annex III – paragraph 1 – point b – subparagraph 2 a (new)

Text proposed by the Commission

Amendment

 

Sensitive data within the meaning of Article 8 of Directive 95/46/CE shall not be processed.

Amendment  147

Proposal for a regulation

Annex IV – paragraph 1 – point b – subparagraph 2 a (new)

Text proposed by the Commission

Amendment

 

Sensitive data within the meaning of Article 8 of Directive 95/46/CE shall not be processed.

PROCEDURE

Title: Electronic identification and trust services for electronic transactions in the internal market

References: COM(2012)0238 – C7-0133/2012 – 2012/0146(COD)

Committee responsible: ITRE (date announced in plenary: 14.6.2012)

Opinion by: IMCO (date announced in plenary: 14.6.2012)

Associated committee(s) - date announced in plenary: 7.2.2013

Rapporteur: Marielle Gallo (date appointed: 21.6.2012)

Discussed in committee: 21.2.2013, 24.4.2013, 8.7.2013

Date adopted: 9.7.2013

Result of final vote: +: 31; –: 0; 0: 2

Members present for the final vote: Claudette Abela Baldacchino, Pablo Arias Echeverría, Adam Bielan, Preslav Borissov, Sergio Gaetano Cofferati, Birgit Collin-Langen, Lara Comi, Anna Maria Corazza Bildt, Cornelis de Jong, Vicente Miguel Garcés Ramón, Evelyne Gebhardt, Thomas Händel, Małgorzata Handzlik, Philippe Juvin, Edvard Kožušník, Toine Manders, Sirpa Pietikäinen, Phil Prendergast, Robert Rochefort, Heide Rühle, Christel Schaldemose, Andreas Schwab, Róża Gräfin von Thun und Hohenstein, Emilie Turunen, Bernadette Vergnaud, Barbara Weiler

Substitute(s) present for the final vote: Jürgen Creutzmann, Marielle Gallo, Ildikó Gáll-Pelcz, María Irigoyen Pérez, Roberta Metsola, Olle Schmidt, Sabine Verheyen

OPINION of the Committee on Legal Affairs (26.6.2013)

for the Committee on Industry, Research and Energy

on the proposal for a regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market
(COM(2012)0238 – C7‑0133/2012 – 2012/0146(COD))

Rapporteur: Alajos Mészáros

SHORT JUSTIFICATION

On 4 June 2012, the Commission proposed a regulation on electronic identification and trust services for electronic transactions in the internal market, as the last of 12 key actions proposed in the Single Market Act. The proposal is an answer to the needs of the participants of the digital market to ensure a comprehensive legal framework for secure and trustworthy electronic transactions on EU level.

The aim of the proposal is to ensure that citizens and businesses can use their national electronic identification schemes to access public services in other EU countries where these schemes are available. It also creates an internal market for e-Signatures and related online trust services across borders, in particular by ensuring that these services will have the same legal status as traditional paper based processes. Through the new EU legislation the mutual recognition of electronic identification and authentication shall be guaranteed.

Your rapporteur for opinion welcomes the Commission proposal in the context of efforts to strengthen and complete the functioning of the digital single market by enhancing the trust in electronic transactions. The importance of the proposal for citizens and businesses, in particular SMEs, as well as for national authorities cannot be over-estimated.

However, your rapporteur strongly believes that the system proposed can only strengthen the digital single market and allow all players to fully benefit from its potential if sufficient legal security and certainty is assured so that citizens and businesses can have confidence and trust in secure cross-border electronic transactions. Therefore some changes in notification procedures and clarifications on liability and data protection have been proposed. At the same time, unnecessary red tape, in particular unnecessary burdens on SMEs, should be avoided. He has suggested a number of amendments in order to improve the Commission proposal as regards these aspects.

Your rapporteur has further suggested a number of changes to the provisions relating to implementing and delegated acts as proposed by the Commission, with a view to better reflecting the objectives of Articles 290 and 291 TFEU. In particular, on a number of issues, a delegation of legislative power to the Commission did not appear appropriate; in some cases, a further specification as to the content and objective of the delegation seemed necessary.

AMENDMENTS

The Committee on Legal Affairs calls on the Committee on Industry, Research and Energy, as the committee responsible, to incorporate the following amendments in its report:

Amendment  1

Proposal for a regulation

Recital 10

Text proposed by the Commission

Amendment

(10) Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare sets up a network of national authorities responsible for eHealth. To enhance safety and the continuity of cross-border healthcare, the network is required to produce guidelines on cross-border access to electronic health data and services, including by supporting ‘common identification and authentication measures to facilitate transferability of data in cross-border healthcare’. Mutual recognition and acceptance of electronic identification and authentication is key to make cross border healthcare for European citizens a reality. When people travel for treatment, their medical data needs to be accessible in the country of treatment. This requires a solid, safe and trusted electronic identification framework.

(10) Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare sets up a network of national authorities responsible for eHealth. To enhance safety and the continuity of cross-border healthcare, the network is required to produce guidelines on cross-border access to electronic health data and services, including by supporting ‘common identification and authentication measures to facilitate transferability of data in cross-border healthcare’. Mutual recognition and acceptance of electronic identification and authentication is key to make cross-border healthcare for European citizens a reality. When people travel for treatment, their medical data need to be accessible in the country of treatment. This requires a solid, safe and trusted electronic identification framework that should be such as to rule out infringement of current consumer and data protection standards.

Amendment  2

Proposal for a regulation

Recital 11

Text proposed by the Commission

Amendment

(11) One of the objectives of this Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States to access at least public services. This Regulation does not aim at intervening on electronic identity management systems and related infrastructures established in the Member States. The aim of this Regulation is to ensure that for the access to cross-border online services offered by the Member States, secure electronic identification and authentication is possible.

(11) One of the objectives of this Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States to access at least public services. This Regulation does not aim at intervening on electronic identity management systems and related infrastructures established in the Member States. The aim of this Regulation is to ensure that for the access to cross-border online services offered by the Member States, a high degree of security can be provided for electronic identification and authentication, for instance by establishing different security levels corresponding to particular types of services to be accessed.

Justification

Security has to be organised according to distinct levels. The proposal for a regulation does not say what type of online services is to be accessed by means of electronic identification. Access to sensitive private data ought to imply, for the purposes of identification, reliability of a different degree from what is required for general information or transaction services.

Amendment  3

Proposal for a regulation

Recital 11

Text proposed by the Commission

Amendment

(11) One of the objectives of this Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States to access at least public services. This Regulation does not aim at intervening on electronic identity management systems and related infrastructures established in the Member States. The aim of this Regulation is to ensure that for the access to cross-border online services offered by the Member States, secure electronic identification and authentication is possible.

(11) One of the objectives of this Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States to access at least public services. This Regulation does not aim at intervening on electronic identity management systems and related infrastructures established in the Member States. The aim of this Regulation is to ensure that for the access to cross-border online services offered by the Member States, a high degree of security can be provided for electronic identification and authentication, for instance by establishing security levels adjusted according to the types of services to be accessed.

Amendment  4

Proposal for a regulation

Recital 16

Text proposed by the Commission

Amendment

(16) Cooperation of Member States should serve the technical interoperability of the notified electronic identification schemes with a view to foster a high level of trust and security appropriate to the degree of risk. The exchange of information and the sharing of best practices between Member States with a view to their mutual recognition should help such cooperation.

(16) Cooperation of Member States should serve the technical interoperability and neutrality of the notified electronic identification schemes with a view to fostering a high level of trust and security appropriate to the degree of risk. The exchange of information and the sharing of best practices between Member States with a view to their mutual recognition should help such cooperation.

Justification

The proposal for a regulation does not provide the means for a Member State to challenge the technical conformity of a notified electronic identification scheme. Because of this gap, schemes not conforming to the requirements might spread within the EU. The desired harmonisation to be brought about by the regulation is in danger of boiling down to circumvention of national legislation and encouraging forum shopping.

Amendment  5

Proposal for a regulation

Recital 23 a (new)

Text proposed by the Commission

Amendment

 

(23a) The concepts of accessibility and design for all should be mainstreamed when legislative measures on electronic identification are being pursued at Union level.

Amendment  6

Proposal for a regulation

Recital 25

Text proposed by the Commission

Amendment

(25) Supervisory bodies should cooperate and exchange information with data protection authorities to ensure proper implementation of data protection legislation by service providers. The exchange of information should in particular cover security incidents and personal data breaches.

(25) Supervisory bodies should cooperate and exchange information with data protection authorities to ensure proper implementation of data and consumer protection legislation by service providers. The exchange of information should in particular cover security incidents and personal data breaches.

Amendment  7

Proposal for a regulation

Recital 28

Text proposed by the Commission

Amendment

(28) All Member States should follow common essential supervision requirements to ensure a comparable security level of qualified trust services. To ease the consistent application of these requirements across the Union, Member States should adopt comparable procedures and should exchange information on their supervision activities and best practices in the field.

(28) All Member States should follow common essential supervision requirements to ensure a comparable security and data protection level of qualified trust services. To ensure the consistent application of these requirements across the Union, Member States should adopt comparable procedures and should exchange information on their supervision activities and best practices in the field.

Amendment  8

Proposal for a regulation

Recital 49

Text proposed by the Commission

Amendment

(49) In order to complement certain detailed technical aspects of this Regulation in a flexible and rapid manner, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of interoperability of electronic identification; security measures required of trust service providers; recognised independent bodies responsible for auditing the service providers; trusted lists; requirements related to the security levels of electronic signatures; requirements of qualified certificates for electronic signatures their validation and their preservation; the bodies responsible for the certification of qualified electronic signature creation devices; and the requirements related to the security levels of electronic seals and to qualified certificates for electronic seals; the interoperability between delivery services. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level.

(49) In order to complement certain detailed technical aspects of this Regulation in a flexible and rapid manner, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of interoperability of electronic identification; trusted lists; requirements of qualified certificates for electronic signatures their validation and their preservation; the bodies responsible for the certification of qualified electronic signature creation devices; and to qualified certificates for electronic seals; the interoperability between delivery services. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level.

Amendment  9

Proposal for a regulation

Article 1 – paragraph 1

Text proposed by the Commission

Amendment

1. This Regulation lays down rules for electronic identification and electronic trust services for electronic transactions with a view to ensuring the proper functioning of the internal market.

1. This Regulation lays down rules for electronic identification and electronic trust services for electronic transactions with the aim to develop the digital single market by guaranteeing a high degree of security, and strengthening confidence and trust in cross-border electronic transactions of the digital environment.

Amendment  10

Proposal for a regulation

Article 1 – paragraph 2

Text proposed by the Commission

Amendment

2. This Regulation lays down the conditions under which Member States shall recognise and accept electronic identification means of natural and legal persons falling under a notified electronic identification scheme of another Member State.

2. This Regulation lays down the conditions under which Member States shall recognise and accept electronic identification means of any entity or natural or legal persons falling under a notified electronic identification scheme of another Member State.

Amendment  11

Proposal for a regulation

Article 1 – paragraph 3

Text proposed by the Commission

Amendment

3. This Regulation establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services and website authentication.

3. This Regulation establishes a legal framework for electronic signatures, electronic seals, electronic validation and verification, electronic time stamps, electronic documents, electronic delivery services and website authentication.

Amendment  12

Proposal for a regulation

Article 1 – paragraph 4

Text proposed by the Commission

Amendment

4. This Regulation ensures that trust services and products which comply with this Regulation are permitted to circulate freely in the internal market.

4. This Regulation ensures that trust services and products which comply with this Regulation circulate freely in the internal market.

Amendment  13

Proposal for a regulation

Article 2 – paragraph 1

Text proposed by the Commission

Amendment

1. This Regulation applies to electronic identification provided by, on behalf or under the responsibility of Member States and to trust service providers established in the Union.

1. This Regulation applies to electronic identification provided by, on behalf or under the responsibility of Member States and to trust service providers established in the Union. This regulation applies to trust services offered to the public.

Amendment  14

Proposal for a regulation

Article 2 – paragraph 3 a (new)

Text proposed by the Commission

Amendment

 

3a. This Regulation does not apply to trust services deployed solely for testing, training or scientific research purposes.

Amendment  15

Proposal for a regulation

Article 3 – paragraph 1 – point 1

Text proposed by the Commission

Amendment

(1) ‘electronic identification’ means the process of using person identification data in electronic form unambiguously representing a natural or legal person;

(1) ‘electronic identification’ means the process of using person identification data in electronic form unambiguously representing an entity or a natural or legal person;

Amendment  16

Proposal for a regulation

Article 3 – paragraph 1 – point 2

Text proposed by the Commission

Amendment

(2) ‘electronic identification means’ means a material or immaterial unit containing data as referred to in point 1 of this Article, and which is used to access services online as referred to in Article 5;

(2) ‘electronic identification means’ means a material or immaterial unit containing data as referred to in point 1 of this Article, and which is used to access electronic services as referred to in Article 5;

Amendment  17

Proposal for a regulation

Article 3 – paragraph 1 – point 10

Text proposed by the Commission

Amendment

(10) ‘certificate’ means an electronic attestation which links electronic signature or seal validation data of a natural or a legal person respectively to the certificate and confirms those data of that person;

(10) ‘certificate’ means an electronic attestation which links electronic signature or seal validation data with the identification data of any entity or a natural or a legal person respectively and confirms those data of that person;

Amendment  18

Proposal for a regulation

Article 3 – paragraph 1 – point 14

Text proposed by the Commission

Amendment

(14) ‘trust service provider’ means a natural or a legal person who provides one or more trust services;

(14) ‘trust service provider’ means an entity or a natural or a legal person who provides at least one trust service;

Amendment  19

Proposal for a regulation

Article 3 – paragraph 1 – point 19

Text proposed by the Commission

Amendment

(19) ‘creator of a seal’ means a legal person who creates an electronic seal;

(19) ‘creator of a seal’ means an entity or a legal person who creates an electronic seal;

Amendment  20

Proposal for a regulation

Article 3 – paragraph 1 – point 27

Text proposed by the Commission

Amendment

(27) ‘electronic document’ means a document in any electronic format;

(27) ‘electronic document’ means a separate set of structured data in any electronic format;

Amendment  21

Proposal for a regulation

Article 3 – paragraph 1 – point 31 a (new)

Text proposed by the Commission

Amendment

 

(31a) ‘breach of security’ means a security incident leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Amendment  22

Proposal for a regulation

Article 4 – paragraph 2

Text proposed by the Commission

Amendment

2. Products which comply with this Regulation shall be permitted to circulate freely in the internal market.

2. Products which comply with this Regulation shall circulate freely and securely in the internal market.

Amendment  23

Proposal for a regulation

Article 4 a (new)

Text proposed by the Commission

Amendment

 

Article 4 a

 

Data processing and protection

 

1. Trust service providers, issuers, validation services, relying parties and supervisory bodies shall ensure fair and lawful processing in accordance with Directive 95/46/EC when processing personal data. Such processing shall be strictly limited to the minimum data needed to issue and maintain an eID or certificate, validate an electronic authentication or to provide a trust service.

 

2. Trust service providers, issuers, validation services shall guarantee the confidentiality and integrity of data related to a person to whom the eID is issued or the service is provided.

 

3. Without prejudice to the legal effect given to pseudonyms under national law, Member States shall not prevent issuers from indicating in electronic authentication means a pseudonym instead of or in addition to the holder's name or prevent trust service providers indicating in electronic signature certificates a pseudonym instead of the signatory's name.

 

4. Validation services must not collect or retain data beyond the extent necessary for the process of validation. Validation services must not profile signatories, relying parties or any other customers. Logs may be retained for the purpose of detecting fraud and intrusions but for no more than 90 days.

 

5. Qualified trust service providers shall store documents or information related to the provided service according to national laws. After termination of their activities, qualified trust service providers shall depose those documents and data with the supervisory body.

Amendment  24

Proposal for a regulation

Article 4 b (new)

Text proposed by the Commission

Amendment

 

Article 4b

 

Right of access and information for users of trust services

 

Trust service providers shall provide users at least with information on the collection, communication, and retention of their personal data as well as information on the verification procedure, which shall be put in place.

Amendment  25

Proposal for a regulation

Article 5 – title

Text proposed by the Commission

Amendment

Mutual recognition and acceptance

Mutual recognition of electronic identification means

Amendment  26

Proposal for a regulation

Article 5

Text proposed by the Commission

Amendment

When an electronic identification using an electronic identification means and authentication is required under national legislation or administrative practice to access a service online, any electronic identification means issued in another Member State falling under a scheme included in the list published by the Commission pursuant to the procedure referred to in Article 7 shall be recognised and accepted for the purposes of accessing this service.

When an electronic identification using an electronic identification means and authentication is allowed under national legislation or administrative practice to access a service online, any electronic identification means issued in another Member State that ensures the same or a higher level of assurance and that falls under a scheme included in the list published by the Commission pursuant to the procedure referred to in Article 7 shall be recognised and accepted for the purposes of accessing this service.

Amendment  27

Proposal for a regulation

Article 6 – paragraph 1 – point b

Text proposed by the Commission

Amendment

(b) the electronic identification means can be used to access at least public services requiring electronic identification in the notifying Member State;

(b) the electronic identification means can be used to access at least public services allowing electronic identification in the notifying Member State;

Amendment  28

Proposal for a regulation

Article 6 – paragraph 1 – point b a (new)

Text proposed by the Commission

Amendment

 

(ba) the electronic identification means have built-in security levels adjusted according to the types of services to which they give access;

Justification

Security has to be based on distinct levels. The proposal does not say what type of online services is to be accessed by means of electronic identification. Access to sensitive private data ought to imply, for the purposes of identification, reliability of a different degree from what is required for general information. The recognition of identity should be a process designed to provide the proper degree of security, corresponding to the type of services that citizens are to access.

Amendment  29

Proposal for a regulation

Article 6 – paragraph 1 – point d

Text proposed by the Commission

Amendment

(d) the notifying Member State ensures the availability of an authentication possibility online, at any time and free of charge so that any relying party can validate the person identification data received in electronic form. Member States shall not impose any specific technical requirements on relying parties established outside of their territory intending to carry out such authentication. When either the notified identification scheme or authentication possibility is breached or partly compromised, Member States shall suspend or revoke without delay the notified identification scheme or authentication possibility or the compromised parts concerned and inform the other Member States and the Commission pursuant to Article 7;

(d) the notifying Member State ensures the availability of authentication online, so that any relying party established outside of the territory of that Member State can validate the person identification data received in electronic form. Such authentication shall be provided free of charge when accessing a service online provided by a public sector body. Member States shall not unduly impose any specific technical requirements on relying parties intending to carry out such authentication;

Justification

The unambiguous attribution of the person identification data to the person themselves would require a very high level of background check (at least Level 4) and which is inconsistent with use of different levels of assurance. The level of certainty applying to the attribution of data should be based on the level of assurance. This level should always be the minimum required to safeguard the interests of the relying party. The question of data minimisation is relevant here.

Amendment  30

Proposal for a regulation

Article 7 – paragraph 1 – points a to c

Text proposed by the Commission

Amendment

1. Member States which notify an electronic identification scheme shall forward to the Commission the following information and without undue delay, any subsequent changes thereof:

1. The notifying Member State shall forward to the Commission the following information and without undue delay, any subsequent changes thereof:

(a) a description of the notified electronic identification scheme;

(a) a description of the notified electronic identification scheme, including its identity assurance levels;

(b) the authorities responsible for the notified electronic identification scheme;

(b) the authority or authorities responsible for the notified electronic identification scheme;

(c) information on by whom the registration of the unambiguous person identifiers is managed;

(c) information on the entity or entities which manages the verification of the person identification data;

Justification

These changes complement those made to the other ‘eID’ articles and reiterate that “unambiguous” attribution is inconsistent with levels of assurance.

Amendment  31

Proposal for a regulation

Article 7 – paragraph 1 – point a

Text proposed by the Commission

Amendment

(a) a description of the notified electronic identification scheme;

(a) a description of the notified electronic identification scheme, including the security levels corresponding to the types of services to be accessed;

Amendment  32

Proposal for a regulation

Article 7 – paragraph 1 – point d

Text proposed by the Commission

Amendment

(d) a description of the authentication possibility;

(d) a description of the authentication possibility, taking into account the different security levels required for access;

Amendment  33

Proposal for a regulation

Article 7 – paragraph 3

Text proposed by the Commission

Amendment

3. If the Commission receives a notification after the period referred to in paragraph 2 expired, it shall amend the list within three months.

3. If the Commission receives a notification after the period referred to in paragraph 2 expired, it shall amend the list within one month.

Amendment  34

Proposal for a regulation

Article 7 – paragraph 4

Text proposed by the Commission

Amendment

4. The Commission may, by means of implementing acts, define the circumstances, formats and procedures of the notification referred to in paragraphs 1 and 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

4. The Commission may, by means of implementing acts, define the formats of the notification referred to in paragraphs 1 and 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Justification

The definition of circumstances and procedures of the notification goes beyond mere implementation of the proposed Regulation and therefore should not be conferred upon the Commission by way of implementing powers under Article 291 TFEU.

Amendment  35

Proposal for a regulation

Article 8 – title

Text proposed by the Commission

Amendment

Coordination

Coordination and interoperability

Amendment  36

Proposal for a regulation

Article 8 – paragraph 1

Text proposed by the Commission

Amendment

1. Member States shall cooperate in order to ensure the interoperability of electronic identification means falling under a notified scheme and to enhance their security.

1. Member States shall cooperate in order to ensure the interoperability and technological neutrality of electronic identification means falling under a notified scheme and to enhance their security.

Justification

The provisions intended to guarantee technical interoperability have to be technologically neutral so as not to interfere with the options favoured by Member States when developing their national electronic identification and authentication schemes.

Amendment  37

Proposal for a regulation

Article 8 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

1a. Where an electronic identification scheme has been shown to be unacceptable from the point of view of neutrality and interoperability in the light of the technological pre-checking for which Member States are to be responsible under the cooperation arrangement referred to in paragraph 1, it shall not be eligible for notification under Article 7 for the purposes of mutual recognition within the meaning of Article 5.

Amendment  38

Proposal for a regulation

Article 8 – paragraph 1 d (new)

Text proposed by the Commission

Amendment

 

1d. Member States shall cooperate in order to ensure the interoperability of electronic identification means falling under a notified electronic identification scheme and to enhance their security.

Justification

The interoperability model will be key to the success of the Regulation. Further discussion between Member States is required to determine what this needs to include and how this should work.

Amendment  39

Proposal for a regulation

Article 8 – paragraph 3

Text proposed by the Commission

Amendment

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the facilitation of cross border interoperability of electronic identification means by setting of minimum technical requirements.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the facilitation of cross border interoperability of electronic identification means by setting of technologically neutral minimum requirements for the different security levels.

Justification

In accordance with Article 290 TFEU, the objectives, content, scope and duration of the delegation of power shall be explicitly defined in the legislative acts. The amendment adds a necessary clarification to the delegation.

Amendment  40

Proposal for a regulation

Article 9 – paragraph 1

Text proposed by the Commission

Amendment

1. A trust service provider shall be liable for any direct damage caused to any natural or legal person due to failure to comply with the obligations laid down in Article 15(1), unless the trust service provider can prove that he has not acted negligently.

1. A trust service provider shall be liable for damage caused to any entity or natural or legal person due to failure to comply with the obligations laid down in Article 15(1), unless the trust service provider can prove that he has not acted negligently.

Amendment  41

Proposal for a regulation

Article 9 – paragraph 2

Text proposed by the Commission

Amendment

2. A qualified trust service provider shall be liable for any direct damage caused to any natural or legal person due to failure to meet the requirements laid down in this Regulation, in particular in Article 19, unless the qualified trust service provider can prove that he has not acted negligently.

2. A qualified trust service provider shall be liable for any damage caused to any natural or legal person due to failure to meet the requirements laid down in this Regulation, in particular in Article 19, unless the qualified trust service provider can prove that he has not acted negligently.

Amendment  42

Proposal for a regulation

Article 9 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

 

2a. This Regulation is without prejudice to Regulation (EC) No 864/2007 of the European Parliament and of the Council of 11 July 2007 on the law applicable to non-contractual obligations (Rome II)1 in particular the application of the law which, under Article 4 of the Rome II Regulation, applies to a non-contractual obligation arising out of a tort/delict.

 

__________________

 

1 Regulation (EC) No 864/2007 of the European Parliament and of the Council of 11 July 2007 on the law applicable to non-contractual obligations (Rome II), OJ L 199, 31.7.2007, p. 40.

Amendment  43

Proposal for a regulation

Article 11

Text proposed by the Commission

Amendment

Article 11

deleted

Data processing and protection

 

1. Trust service providers and supervisory bodies shall ensure fair and lawful processing in accordance with Directive 95/46/EC when processing personal data.

 

2. Trust service providers shall process personal data according to Directive 95/46/EC. Such processing shall be strictly limited to the minimum data needed to issue and maintain a certificate or to provide a trust service.

 

3. Trust service providers shall guarantee the confidentiality and integrity of data related to a person to whom the trust service is provided.

 

4. Without prejudice to the legal effect given to pseudonyms under national law, Member States shall not prevent trust service providers indicating in electronic signature certificates a pseudonym instead of the signatory's name.

 

(See amendment for Article 4a (new))

Amendment  44

Proposal for a regulation

Article 12 – paragraph 1

Text proposed by the Commission

Amendment

Trust services provided and end user products used in the provision of those services shall be made accessible for persons with disabilities whenever possible.

Trust services provided and end user products used in the provision of those services shall be made accessible for persons with disabilities unless it is technically impossible.

Amendment  45

Proposal for a regulation

Article 12 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

1a. The Commission shall establish and award trust mark to distinguish products and services accessible for persons with disabilities.

Amendment  46

Proposal for a regulation

Article 12 – paragraph 1 b (new)

Text proposed by the Commission

Amendment

 

1b. EU standards organizations are responsible for development of assessment criteria for products and services accessible for persons with disabilities.

Amendment  47

Proposal for a regulation

Article 13 – paragraph 1

Text proposed by the Commission

Amendment

1. Member States shall designate an appropriate body established in their territory or, upon mutual agreement, in another Member State under the responsibility of the designating Member State. Supervisory bodies shall be given all supervisory and investigatory powers that are necessary for the exercise of their tasks.

1. Member States shall designate an appropriate body established in their territory or, upon mutual agreement, in another Member State under the responsibility of the designating Member State. Supervisory bodies shall be given supervisory and investigatory powers that are necessary for the exercise of their tasks.

Amendment  48

Proposal for a regulation

Article 13 – paragraph 1

Text proposed by the Commission

Amendment

1. Member States shall designate an appropriate body established in their territory or, upon mutual agreement, in another Member State under the responsibility of the designating Member State. Supervisory bodies shall be given all supervisory and investigatory powers that are necessary for the exercise of their tasks.

1. Member States shall designate an appropriate body established in their territory or, upon mutual agreement, in another Member State under the responsibility of the designating Member State. Supervisory bodies shall be given all supervisory and investigatory powers that are necessary for the exercise of their tasks. Member States shall notify to the Commission the names and the addresses of their respective designated supervisory bodies.

(See amendment for paragraph 4)

Justification

Restructuring for the sake of clarity: paragraph 1 deals with the designation of supervisory body. The provision has been moved from paragraph 4 as it deals with the same subject.

Amendment  49

Proposal for a regulation

Article 13 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

 

1a. The Commission shall be empowered to adopt implementing acts in accordance with the examination procedure referred to in Article 39(2) concerning specific means of supervision.

Amendment  50

Proposal for a regulation

Article 13 – paragraph 3 – introductory part

Text proposed by the Commission

Amendment

3. Each supervisory body shall submit a yearly report on the last calendar year's supervisory activities to the Commission and Member States by the end of the first quarter of the following year. It shall include at least:

3. Each supervisory body shall submit a yearly report on the last calendar year's supervisory activities to the Commission by the end of the first quarter of the following year. It shall include at least:

Justification

It appears unnecessarily burdensome to require the submission of the yearly report also to the Member States.

Amendment  51

Proposal for a regulation

Article 13 – paragraph 4

Text proposed by the Commission

Amendment

4. Member States shall notify to the Commission and other Member States the names and the addresses of their respective designated supervisory bodies.

deleted

(See amendment for paragraph 1)

Amendment  52

Proposal for a regulation

Article 13 – paragraph 5

Text proposed by the Commission

Amendment

5. The Commission shall be empowered to adopt delegated acts, in accordance with Article 38, concerning the definition of procedures applicable to the tasks referred to in paragraph 2.

deleted

Justification

Under Article 290, a legislative act may delegate to the Commission the power to adopt non-legislative acts of general application to supplement or amend certain non-essential elements of the legislative act. The proposed delegation would go beyond mere supplementing or amending of non-essential elements of the proposed Regulation.

Amendment  53

Proposal for a regulation

Article 13 – paragraph 6

Text proposed by the Commission

Amendment

6. The Commission may, by means of implementing acts, define the circumstances, formats and procedures for the report referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

6. The Commission may, by means of implementing acts, define the formats for the report referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Justification

The definition of circumstances and procedures for the report goes beyond mere implementation of the proposed Regulation and therefore should not be conferred upon the Commission by way of implementing powers under Article 291 TFEU.

Amendment  54

Proposal for a regulation

Article 14 – paragraph 1

Text proposed by the Commission

Amendment

1. Supervisory bodies shall cooperate with a view to exchange good practice and provide each other, within the shortest possible time, with relevant information and mutual assistance so that activities can be carried out in a consistent manner. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out inspections related to the security audits as referred to in Articles 15, 16 and 17.

1. Supervisory bodies shall cooperate with a view to exchange good practice and provide each other, within the shortest possible time, with relevant information and mutual assistance so that activities as referred to in Article 13 can be carried out in a consistent manner. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out inspections related to the security audits as referred to in Articles 15, 16 and 17.

Amendment  55

Proposal for a regulation

Article 14 – paragraph 4

Text proposed by the Commission

Amendment

4. The Commission may, by means of implementing acts, specify the formats and procedures for the mutual assistance provided for in this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

deleted

Justification

The specification of formats and procedures for the mutual assistance goes beyond mere implementation of the proposed Regulation and therefore should not be conferred upon the Commission by way of implementing powers under Article 291 TFEU.

Amendment  56

Proposal for a regulation

Article 15 – paragraph 1 – subparagraph 1

Text proposed by the Commission

Amendment

1. Trust service providers who are established in the territory of the Union shall take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide. Having regard to state of the art, these measures shall ensure that the level of security is appropriate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of adverse effects of any incidents.

1. Trust service providers who are established in the territory of the Union shall take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide. Having regard to the latest technological developments, any such measures shall ensure that the level of security is appropriate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of the adverse effects of any incidents.

Amendment  57

Proposal for a regulation

Article 15 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

2a. When the breach of security is likely to adversely affect the users of trust services, the supervisory body shall without undue delay notify the breach to those users in order to enable them to take the necessary precautions.

Amendment  58

Proposal for a regulation

Article 15 – paragraph 5

Text proposed by the Commission

Amendment

5. The Commission shall be empowered to adopt delegated acts, in accordance with Article 38, concerning the further specification of the measures referred to in paragraph 1.

deleted

Justification

Under Article 290, a legislative act may delegate to the Commission the power to adopt non-legislative acts of general application to supplement or amend certain non-essential elements of the legislative act. The proposed delegation would go beyond mere supplementing or amending of non-essential elements of the proposed Regulation.

Amendment  59

Proposal for a regulation

Article 15 – paragraph 6

Text proposed by the Commission

Amendment

6. The Commission may, by means of implementing acts, define the circumstances, formats and procedures, including deadlines, applicable for the purpose of paragraphs 1 to 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

6. The Commission may, by means of implementing acts, define the formats applicable for the purpose of paragraphs 1 to 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Justification

The definition of circumstances and procedures, including deadlines, goes beyond mere implementation of the proposed Regulation and therefore should not be conferred upon the Commission by way of implementing powers under Article 291 TFEU.

Amendment  60

Proposal for a regulation

Article 16 – paragraph 5

Text proposed by the Commission

Amendment

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the specification of the conditions under which the independent body carrying out the audit referred to in paragraph 1 of this Article and in Article 15(1) and in Article 17(1) shall be recognised.

deleted

Justification

Under Article 290, a legislative act may delegate to the Commission the power to adopt non-legislative acts of general application to supplement or amend certain non-essential elements of the legislative act. The proposed delegation would go beyond mere supplementing or amending of non-essential elements of the proposed Regulation.

Amendment  61

Proposal for a regulation

Article 16 – paragraph 6

Text proposed by the Commission

Amendment

6. The Commission may, by means of implementing acts, define the circumstances, procedures and formats applicable for the purpose of paragraphs 1, 2 and 4. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

6. The Commission may, by means of implementing acts, define the formats applicable for the purpose of paragraphs 1, 2 and 4. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Justification

The definition of circumstances and procedures goes beyond mere implementation of the proposed Regulation and therefore should not be conferred upon the Commission by way of implementing powers under Article 291 TFEU.

Amendment  62

Proposal for a regulation

Article 17 – paragraph 1

Text proposed by the Commission

Amendment

1. Qualified trust service providers shall notify the supervisory body of their intention to start providing a qualified trust service and shall submit to the supervisory body a security audit report carried out by a recognised independent body, as provided for in Article 16(1). Qualified trust service providers may start to provide the qualified trust service after they have submitted the notification and security audit report to the supervisory body.

1. Qualified trust service providers shall notify the supervisory body of their intention to start providing a qualified trust service and shall submit to the supervisory body a security audit report carried out by a recognised independent body, as provided for in Article 16(1). Qualified trust service providers may start to provide the qualified trust service after the positive conclusion of the verification under paragraph 3.

Justification

It appears premature to allow qualified trust service providers to start to provide the qualified trust service already after they have submitted the notification and the security audit report to the supervisory body. Only qualified trust service providers complying with the requirements of the Regulation should be allowed to start to provide qualified trust services.

Amendment  63

Proposal for a regulation

Article 17 – paragraph 2

Text proposed by the Commission

Amendment

2. Once the relevant documents are submitted to the supervisory body according to paragraph 1, the qualified service providers shall be included in the trusted lists referred to in Article 18 indicating that the notification has been submitted.

deleted

Amendment  64

Proposal for a regulation

Article 17 – paragraph 5

Text proposed by the Commission

Amendment

5. The Commission may, by means of implementing acts, define the circumstances, formats and procedures for the purpose of paragraphs 1, 2 and 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

5. The Commission may, by means of implementing acts, define the formats for the purpose of paragraphs 1, 2 and 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Justification

The definition of circumstances and procedures, including deadlines, goes beyond mere implementation of the proposed Regulation and therefore should not be conferred upon the Commission by way of implementing powers under Article 291 TFEU.

Amendment  65

Proposal for a regulation

Article 18 – paragraph 1

Text proposed by the Commission

Amendment

1. Each Member State shall establish, maintain and publish trusted lists with information related to the qualified trust service providers for which it is competent together with information related to the qualified trust services provided by them.

1. Each Member State shall establish, maintain and publish trusted lists with information related to the qualified trust service providers referred to in Article 17 for which it is responsible including information allowing identification of the qualified trust service providers and an indication on their qualified status together with information related to the qualified trust services provided by them.

Amendment  66

Proposal for a regulation

Article 19 – paragraph 2 – point b

Text proposed by the Commission

Amendment

(b) bear the risk of liability for damages by maintaining sufficient financial resources or by an appropriate liability insurance scheme;

(b) with regard to the risk of liability for damages as referred to in Article 8(2), maintain sufficient financial resources or obtain appropriate liability insurance;

Justification

This provides the additional detail necessary to ensure that trust service providers know what is required of them.

Amendment  67

Proposal for a regulation

Article 19 – paragraph 2 – point c

Text proposed by the Commission

Amendment

(c) before entering into a contractual relationship, inform any person seeking to use a qualified trust service of the precise terms and conditions regarding the use of that service;

(c) before entering into a contractual relationship, inform any person seeking to use a qualified trust service of the terms and conditions regarding the use of that service, including any limitation on its use;

Justification

This provides the additional detail necessary to ensure that trust service providers know what is required of them.

Amendment  68

Proposal for a regulation

Article 19 – paragraph 2 – point e

Text proposed by the Commission

Amendment

(e) use trustworthy systems to store data provided to them, in a verifiable form so that:

(e) use trustworthy systems to store data provided to them, in a verifiable form so that:

– they are publicly available for retrieval only where the consent of the person to whom the data has been issued has been obtained,

- they are publicly available for retrieval only where the consent of the person to whom the data relates has been obtained,

– only authorised persons can make entries and changes,

- only authorised persons can make entries and changes to the stored data,

– information can be checked for authenticity;

- the data can be checked for authenticity;

Justification

This provides the additional detail necessary to ensure that trust service providers know what is required of them.

Amendment  69

Proposal for a regulation

Article 19 – paragraph 2 – point f

Text proposed by the Commission

Amendment

(f) take measures against forgery and theft of data;

(f) take appropriate measures against forgery and theft of data;

Justification

This provides the additional detail necessary to ensure that trust service providers know what is required of them.

Amendment  70

Proposal for a regulation

Article 19 – paragraph 2 – point g

Text proposed by the Commission

Amendment

(g) record for an appropriate period of time all relevant information concerning data issued and received by the qualified trust service provider, in particular for the purpose of providing evidence in legal proceedings. Such recording may be done electronically;

(g) record and keep accessible for an appropriate period of time, including after the activities of the qualified trust service provider have ceased, all relevant information concerning data issued and received by the qualified trust service provider, in particular for the purpose of providing evidence in legal proceedings. Such recording may be done electronically;

Justification

This provides the additional detail necessary to ensure that trust service providers know what is required of them.

Amendment  71

Proposal for a regulation

Article 19 – paragraph 2 – point i a (new)

Text proposed by the Commission

Amendment

(ia) when the qualified trust service includes the issuing of qualified certificates, establish and keep updated a certificate database.

Justification

This provides the additional detail necessary to ensure that trust service providers know what is required of them.

Amendment  72

Proposal for a regulation

Article 20 – paragraph 6

Text proposed by the Commission

Amendment

6. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of the different security levels of electronic signature referred to in paragraph 4.

deleted

Justification

Under Article 290, a legislative act may delegate to the Commission the power to adopt non-legislative acts of general application to supplement or amend certain non-essential elements of the legislative act. The proposed delegation would go beyond mere supplementing or amending of non-essential elements of the proposed Regulation.

Amendment  73

Proposal for a regulation

Article 21 – paragraph 4

Text proposed by the Commission

Amendment

4. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the further specification of the requirements laid down in Annex I.

4. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the further specification of the requirements laid down in Annex I in order to ensure the necessary adaptation to technological development.

Justification

In accordance with Article 290 TFEU, the objectives, content, scope and duration of the delegation of power shall be explicitly defined in the legislative acts. The amendment adds a necessary clarification to the delegation.

Amendment  74

Proposal for a regulation

Article 23 – paragraph 3

Text proposed by the Commission

Amendment

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the establishment of specific criteria to be met by the designated bodies referred to in paragraph 1.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the establishment of specific criteria to be met by the designated bodies referred to in paragraph 1 for the purpose of carrying out the certification under paragraph 1.

Justification

In accordance with Article 290 TFEU, the objectives, content, scope and duration of the delegation of power shall be explicitly defined in the legislative acts. The amendment adds a necessary clarification to the delegation.

Amendment  75

Proposal for a regulation

Article 24 – paragraph 3

Text proposed by the Commission

Amendment

3. The Commission may, by means of implementing acts, define circumstances, formats and procedures applicable for the purpose of paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

3. The Commission may, by means of implementing acts, define formats applicable for the purpose of paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Justification

The definition of circumstances and procedures goes beyond mere implementation of the proposed Regulation and therefore should not be conferred upon the Commission by way of implementing powers under Article 291 TFEU.

Amendment  76

Proposal for a regulation

Article 25 – paragraph 2

Text proposed by the Commission

Amendment

2. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the further specification of the requirements laid down in paragraph 1.

2. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the further specification of the requirements laid down in paragraph 1 in order to ensure the necessary adaptation to technological development.

Justification

In accordance with Article 290 TFEU, the objectives, content, scope and duration of the delegation of power shall be explicitly defined in the legislative acts. The amendment adds a necessary clarification to the delegation.

Amendment  77

Proposal for a regulation

Article 27 – paragraph 2

Text proposed by the Commission

Amendment

2. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the further specification of the requirements laid down in paragraph 1.

2. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the further specification of the requirements laid down in paragraph 1 in order to ensure the necessary adaptation to technological development.

Justification

In accordance with Article 290 TFEU, the objectives, content, scope and duration of the delegation of power shall be explicitly defined in the legislative acts. The amendment adds a necessary clarification to the delegation.

Amendment  78

Proposal for a regulation

Article 28 – paragraph 6

Text proposed by the Commission

Amendment

6. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of different security assurance levels of electronic seals referred to in paragraph 4.

deleted

Amendment  79

Proposal for a regulation

Article 29 – paragraph 4

Text proposed by the Commission

Amendment

4. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the further specification of the requirements laid down in Annex III.

4. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the further specification of the requirements laid down in Annex III in order to ensure the necessary adaptation to technological development.

Justification

In accordance with Article 290 TFEU, the objectives, content, scope and duration of the delegation of power shall be explicitly defined in the legislative acts. The amendment adds a necessary clarification to the delegation.

Amendment  80

Proposal for a regulation

Article 38 – paragraph 2

Text proposed by the Commission

Amendment

2. The power to adopt delegated acts referred to in Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) shall be conferred on the Commission for an indeterminate period of time from the entry into force of this Regulation.

2. The power to adopt delegated acts referred to in Articles 8(3), 18(5), 21(4), 23(3), 25(2), 27(2), 29(4), 30(2), 31, 35(3) and 37(3) shall be conferred on the Commission for an indeterminate period of time from the entry into force of this Regulation.

Amendment  81

Proposal for a regulation

Article 38 – paragraph 3

Text proposed by the Commission

Amendment

3. The delegation of power referred to in Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

3. The delegation of power referred to in Articles 8(3), 18(5), 21(4), 23(3), 25(2), 27(2), 29(4), 30(2), 31, 35(3) and 37(3) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

Amendment  82

Proposal for a regulation

Article 38 – paragraph 5

Text proposed by the Commission

Amendment

5. A delegated act adopted pursuant to Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.

5. A delegated act adopted pursuant to Articles 8(3), 18(5), 21(4), 23(3), 25(2), 27(2), 29(4), 30(2), 31, 35(3) and 37(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.

Amendment  83

Proposal for a regulation

Article 40 – paragraph 1

Text proposed by the Commission

Amendment

The Commission shall report to the European Parliament and to the Council on the application of this Regulation. The first report shall be submitted no later than four years after the entry into force of this Regulation. Subsequent reports shall be submitted every four years thereafter.

The Commission shall report to the European Parliament and to the Council on the application of this Regulation, in particular with a view to reaching the aim of the Regulation to develop the digital single market by strengthening confidence and trust in secure cross-border electronic transactions. The report shall take account of, amongst others, market developments as well as legal and technological developments. It shall further be accompanied by appropriate legislative proposals if necessary. The first report shall be submitted no later than two years after the entry into force of this Regulation. Subsequent reports shall be submitted every four years thereafter.

PROCEDURE

Title: Electronic identification and trust services for electronic transactions in the internal market

References: COM(2012)0238 – C7-0133/2012 – 2012/0146(COD)

Committee responsible (date announced in plenary): ITRE (14.6.2012)

Opinion by (date announced in plenary): JURI (14.6.2012)

Rapporteur (date appointed): Alajos Mészáros (11.12.2012)

Discussed in committee: 24.4.2013

Date adopted: 20.6.2013

Result of final vote: +: 25; –: 0; 0: 0

Members present for the final vote: Raffaele Baldassarre, Luigi Berlinguer, Sebastian Valentin Bodu, Françoise Castex, Christian Engström, Marielle Gallo, Lidia Joanna Geringer de Oedenberg, Sajjad Karim, Klaus-Heiner Lehne, Antonio Masip Hidalgo, Jiří Maštálka, Alajos Mészáros, Bernhard Rapkay, Evelyn Regner, Dimitar Stoyanov, Rebecca Taylor, Alexandra Thein, Tadeusz Zwiefka

Substitute(s) present for the final vote: Sergio Gaetano Cofferati, Eva Lichtenberger, Angelika Niebler, Axel Voss

Substitute(s) under Rule 187(2) present for the final vote: Frédérique Ries, Nikolaos Salavrakos, Jacek Włosowicz

OPINION of the Committee on Civil Liberties, Justice and Home Affairs (09.7.2013)

for the Committee on Industry, Research and Energy

on the proposal for a regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market
(COM(2012)0238 – C7‑0133/2012 – 2012/0146(COD))

Rapporteur: Jens Rohde

SHORT JUSTIFICATION

This proposal for a regulation aims at establishing a mutual recognition of notified electronic identification schemes as well as electronic trust services in order to develop the internal digital market. The proposal thereby expands the legal framework of the existing directive 1999/93/EC on electronic signatures.

The rapporteur welcomes the Commission proposal that seeks to deal with the problems within the existing directive, not only through the reinforcement of the legal framework, but also through an introduction of an increasing legal certainty. The rapporteur thus agrees with the choice of a regulation rather than a directive.

In the view of the rapporteur the regulation is a much needed first step in the development of a well-functioning internal digital market that will make it much easier for companies and consumers to deal with electronic cross-border transactions and increase trust in electronic transactions.

The rapporteur supports the Commission's efforts to combine the largely differentiated use of electronic identification schemes in the various Member States with a strong mutual recognition mechanism.

However, the regulation fails to provide a model that can ensure an adequate level of security building on existing experience.

The rapporteur therefore suggests introducing and defining the security levels within the regulation in order to settle any ambiguities and ensure that the regulation works in practice. As a result a number of delegated and implementing acts have been deleted accordingly.

Another security issue is within the regulation of trust services, where the rapporteur holds the view that it should be clear whether trust services that appear on the trusted list have been approved or still await confirmation of conformity.

In regard to both the electronic identification scheme and the trust services, the amendments proposed aim at cutting unnecessary red tape within the supervision mechanisms to ease the burden on both Member States and companies, and ensure a clear and concise coordination mechanism.

Lastly the amendments address the issue of liability, which is defined too widely within the Commission proposal, and could create unintended obstacles in the further development of the digital field.

AMENDMENTS

The Committee on Civil Liberties, Justice and Home Affairs calls on the Committee on Industry, Research and Energy, as the committee responsible, to incorporate the following amendments in its report:

Amendment  1

Proposal for a regulation

Recital 20

Text proposed by the Commission

Amendment

(20) Because of the pace of technological change, this Regulation should adopt an approach which is open to innovations.

(20) Because of the pace of technological change, this Regulation should adopt an approach which is open to innovations but which focuses at all times primarily on consumers and their interests.

Amendment  2

Proposal for a regulation

Recital 23

Text proposed by the Commission

Amendment

(23) In line with the obligations under the UN Convention on the Rights of Persons with Disabilities that has entered into force in the EU, persons with disabilities should be able to use trust services and end user products used in the provision of those services on equal bases with other consumers.

(23) In line with the obligations under the UN Convention on the Rights of Persons with Disabilities that has entered into force in the EU and in line with the Commission proposal on the accessibility of public sector bodies' websites[1], persons with disabilities should be able to use trust services and end user products used in the provision of those services on equal bases with other consumers.

__________________

[1] Proposal for a Directive of the European Parliament and of the Council on the accessibility of public sector bodies' websites (COM(2012)0721).

Amendment  3

Proposal for a regulation

Recital 24 a (new)

Text proposed by the Commission

Amendment

(24a) Electronic identification schemes should comply with Directive 95/46 of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data[1], which governs the processing of personal data carried out in the Member States pursuant to this Regulation and under the supervision of the Member States' competent authorities, in particular the independent public authorities designated by the Member States.

__________________

[1] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).

Amendment  4

Proposal for a regulation

Recital 25

Text proposed by the Commission

Amendment

(25) Supervisory bodies should cooperate and exchange information with data protection authorities to ensure proper implementation of data protection legislation by service providers. The exchange of information should in particular cover security incidents and personal data breaches.

(25) Supervisory bodies in the Member States should cooperate and exchange information with data protection authorities to ensure proper implementation of data protection legislation by service providers. The exchange of information should in particular cover security incidents and personal data breaches.

Justification

The rapporteur is of the view that Member States must cooperate if harmonisation within the digital field is to be achieved.

Amendment  5

Proposal for a regulation

Recital 30

Text proposed by the Commission

Amendment

(30) To enable the Commission and the Member States to assess the effectiveness of the breach notification mechanism introduced by this Regulation, supervisory bodies should be requested to provide summary information to the Commission and to European Network and Information Security Agency (ENISA).

(30) To enable the Commission and the Member States to assess the effectiveness of the breach notification mechanism introduced by this Regulation, supervisory bodies should be requested to provide summary information to the European Network and Information Security Agency (ENISA).

Justification

The rapporteur only finds it necessary to report to a single point of contact.

Amendment  6

Proposal for a regulation

Recital 49

Text proposed by the Commission

Amendment

(49) In order to complement certain detailed technical aspects of this Regulation in a flexible and rapid manner, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of interoperability of electronic identification; security measures required of trust service providers; recognised independent bodies responsible for auditing the service providers; trusted lists; requirements related to the security levels of electronic signatures; requirements of qualified certificates for electronic signatures their validation and their preservation; the bodies responsible for the certification of qualified electronic signature creation devices; and the requirements related to the security levels of electronic seals and to qualified certificates for electronic seals; the interoperability between delivery services. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level.

deleted

Justification

The rapporteur finds that this needs to be done before the Regulation enters into force and should not be left to delegated acts, cf. the following amendment. This recital is thus unnecessary.

Amendment  7

Proposal for a regulation

Article 1 – paragraph 2

Text proposed by the Commission

Amendment

2. This Regulation lays down the conditions under which Member States shall recognise and accept electronic identification means of natural and legal persons falling under a notified electronic identification scheme of another Member State.

2. This Regulation lays down the conditions under which Member States shall recognise and accept electronic identification means of any entity, natural or legal persons falling under a notified electronic identification scheme of another Member State.

Amendment  8

Proposal for a regulation

Article 1 – paragraph 3

Text proposed by the Commission

Amendment

3. This Regulation establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services and website authentication.

3. This Regulation establishes a legal framework for electronic signatures, electronic seals, electronic validation and verification, electronic time stamps, electronic documents, electronic delivery services and website authentication.

Amendment  9

Proposal for a regulation

Article 2 – paragraph 1

Text proposed by the Commission

Amendment

1. This Regulation applies to electronic identification provided by, on behalf or under the responsibility of Member States and to trust service providers established in the Union.

1. This Regulation applies to electronic identification provided by, on behalf of, under the responsibility or supervision of Member States.

Justification

The rapporteur is of the opinion that it should be possible for Member States to outsource eID to third parties that are only supervised by the Member States.

Amendment  10

Proposal for a regulation

Article 2 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

1a. This Regulation applies to trust service providers established in the Union.

Justification

The rapporteur would like to specify that the Regulation addresses two different issues.

Amendment  11

Proposal for a regulation

Article 3 – paragraph 1 – point 1

Text proposed by the Commission

Amendment

(1) ‘electronic identification’ means the process of using person identification data in electronic form unambiguously representing a natural or legal person;

(1) ‘electronic identification’ means the process of using person identification data in electronic form unambiguously representing an entity, a natural or legal person or a pseudonym thereof;

Amendment  12

Proposal for a regulation

Article 3 – paragraph 1 – point 2

Text proposed by the Commission

Amendment

(2) ‘electronic identification means’ means a material or immaterial unit containing data as referred to in point 1 of this Article, and which is used to access services online as referred to in Article 5;

(2) ‘electronic identification means’ means a material or immaterial unit containing data as referred to in point 1 of this Article, and which is used to access electronic services as referred to in Article 5;

Amendment  13

Proposal for a regulation

Article 3 – paragraph 1 – point 10

Text proposed by the Commission

Amendment

(10) ‘certificate’ means an electronic attestation which links electronic signature or seal validation data of a natural or a legal person respectively to the certificate and confirms those data of that person;

(10) ‘certificate’ means an electronic attestation which links electronic signature or seal validation data of an entity, a natural or a legal person respectively to the certificate and confirms those data of that person;

Amendment  14

Proposal for a regulation

Article 3 – paragraph 1 – point 12

Text proposed by the Commission

Amendment

(12) ‘trust service’ means any electronic service consisting in the creation, verification, validation, handling and preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication, and electronic certificates, including certificates for electronic signature and for electronic seals;

(12) ‘trust service’ means any electronic service consisting, among others, of the creation, verification, validation, handling and preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication, and electronic certificates, including certificates for electronic signature and for electronic seals;

Amendment  15

Proposal for a regulation

Article 3 – paragraph 1 – point 14

Text proposed by the Commission

Amendment

(14) ‘trust service provider’ means a natural or a legal person who provides one or more trust services;

(14) ‘trust service provider’ means an entity, a natural or a legal person who provides one or more trust services;

Amendment  16

Proposal for a regulation

Article 3 – paragraph 1 – point 19

Text proposed by the Commission

Amendment

(19) ‘creator of a seal’ means a legal person who creates an electronic seal;

(19) ‘creator of a seal’ means an entity or a legal or natural person who creates an electronic seal;

Amendment  17

Proposal for a regulation

Article 3 – paragraph 1 – point 31 a (new)

Text proposed by the Commission

Amendment

 

(31a) 'personal data breach' means the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Amendment  18

Proposal for a regulation

Article 6 – paragraph 1 – point a

Text proposed by the Commission

Amendment

(a) the electronic identification means are issued by, on behalf of or under the responsibility of the notifying Member State;

(a) the electronic identification means are issued by, on behalf of, under the responsibility of, or supervised by the notifying Member State;

Justification

In the view of the rapporteur it should be possible for Member States to outsource eID to third parties that are only supervised by the Member States.

Amendment  19

Proposal for a regulation

Article 6 – paragraph 1 – point c

Text proposed by the Commission

Amendment

(c) the notifying Member State ensures that the person identification data are attributed unambiguously to the natural or legal person referred to in Article 3 point1;

(c) the notifying Member State ensures that the person identification data are attributed unambiguously to the entity, natural or legal person referred to in Article 3, point 1;

Amendment  20

Proposal for a regulation

Article 6 – paragraph 1 – point e – introductory part

Text proposed by the Commission

Amendment

(e) the notifying Member State takes liability for:

(e) unless the identity provider can establish that he has not acted negligently, the identity provider takes liability for:

Justification

The rapporteur is of the view that it should be possible for Member States to outsource eID to third parties to ensure competition.

Amendment  21

Proposal for a regulation

Article 6 – paragraph 1 – point e a (new)

Text proposed by the Commission

Amendment

 

(ea) the notifying Member State takes responsibility for the establishment of a supervisory scheme for the identity provider and for supervision and reporting in accordance with this Regulation.

Justification

The rapporteur recognises that Member States need to have strong control over their identity providers to ensure the mutual trust between Member States.

Amendment  22

Proposal for a regulation

Article 7 – paragraph 1 – point a

Text proposed by the Commission

Amendment

(a) a description of the notified electronic identification scheme;

(a) description of the notified electronic identification scheme, including the level of security;

Justification

The rapporteur finds it necessary to incorporate the security level into the interoperability model to ensure mutual trust.

Amendment  23

Proposal for a regulation

Article 7 a (new)

Text proposed by the Commission

Amendment

 

Article 7a

 

Protection and processing of personal data

 

1. Processing of personal data by electronic identification schemes shall be carried out in accordance with Directive 95/46/EC.

 

2. Such processing shall be fair and lawful and strictly limited to the minimum data needed to issue and maintain a certificate or to provide an electronic identification service.

 

3. Personal data shall be kept in a form which permits the identification of data subjects for no longer than necessary for the purpose for which the personal data are processed.

 

4. Electronic identification schemes shall ensure the confidentiality and integrity of data relating to a person to whom the trust service is provided.

 

5. Without prejudice to the legal effect given to pseudonyms under national law, Member States shall not prevent the indication in electronic identification certificates of a pseudonym instead of the signatory's name.

Amendment  24

Proposal for a regulation

Article 8 – paragraph 1

Text proposed by the Commission

Amendment

1. Member States shall cooperate in order to ensure the interoperability of electronic identification means falling under a notified scheme and to enhance their security.

1. Member States shall cooperate in order to ensure the interoperability and technological neutrality of electronic identification means falling under a notified scheme and to enhance their security.

Justification

The electronic identification requirement applies regardless of the means employed and should be neutral in terms of present and future identification technologies.

Amendment  25

Proposal for a regulation

Article 8 – paragraph 2

Text proposed by the Commission

Amendment

2. The Commission shall, by means of implementing acts, establish the necessary modalities to facilitate the cooperation between the Member States referred to in paragraph 1 with a view to fostering a high level of trust and security appropriate to the degree of risk. Those implementing acts shall concern, in particular, the exchange of information, experiences and good practice on electronic identification schemes, the peer review of notified electronic identification schemes and the examination of relevant developments arising in the electronic identification sector by the competent authorities of the Member States. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

2. The Commission shall, by means of implementing acts, establish the interoperability framework to facilitate the cooperation between the Member States referred to in paragraph 1 with a view to fostering a high level of trust and security appropriate to the degree of risk. Those implementing acts shall concern, in particular, the exchange of information, experiences and good practice on electronic identification schemes, the peer review of notified electronic identification schemes and the examination of relevant developments arising in the electronic identification sector by the competent authorities of the Member States. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Amendment  26

Proposal for a regulation

Article 8 – paragraph 3

Text proposed by the Commission

Amendment

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the facilitation of cross border interoperability of electronic identification means by setting of minimum technical requirements.

deleted

Amendment  27

Proposal for a regulation

Article 8 a (new)

Text proposed by the Commission

Amendment

 

Article 8a

 

Security requirements applicable to electronic identification schemes

 

1. Electronic identification schemes shall take appropriate technical and organisational measures to manage the risks posed to the security of the electronic identification means they provide. Having regard to the state of the art, those measures shall ensure that the level of security is appropriate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of the adverse effects of any incidents.

 

Electronic identification schemes shall submit the report of a security audit carried out by a recognised independent body to the supervisory body after an incident to confirm that appropriate security measures have been taken.

 

2. Electronic identification schemes shall, without undue delay and where feasible not later than 24 hours after having become aware of it, notify the competent supervisory body, the competent national body for information security and other relevant third parties, such as data protection authorities, of any personal data breach that has a significant impact on the electronic identification provided and on the personal data retained therein.

 

Where appropriate, in particular if a personal data breach concerns two or more Member States, the competent supervisory body shall inform the supervisory bodies in the other Member States.

 

The competent supervisory body may also inform the public or require the electronic identification scheme to do so, where it determines that disclosure of the breach is in the public interest.

 

3. Once a year the supervisory body of each Member State shall provide to ENISA a summary of breach notifications received from electronic identification schemes.

 

4. In order to implement paragraphs 1 and 2, the competent supervisory body shall have the power to issue binding instructions to electronic identification providers.

 

5. The Commission shall be empowered to adopt delegated acts, in accordance with Article 38, concerning the further specification of the measures referred to in paragraph 1.

 

6. The Commission may, by means of implementing acts, define the circumstances, formats and procedures, including deadlines, applicable for the purpose of paragraphs 1 to 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Amendment  28

Proposal for a regulation

Article 8 b (new)

Text proposed by the Commission

Amendment

 

Article 8b

 

Right of information and access of users of electronic identification schemes

 

Electronic identification schemes shall provide data subjects with information regarding the collection, communication and retention of their data, as well as the means to access their data pursuant to Article 10 of Directive 95/46/CE.

Amendment  29

Proposal for a regulation

Article 9 – paragraph 1

Text proposed by the Commission

Amendment

1. A trust service provider shall be liable for any direct damage caused to any natural or legal person due to failure to comply with the obligations laid down in Article 15(1), unless the trust service provider can prove that he has not acted negligently.

1. A trust service provider shall be liable under national law for any damage caused to an entity, natural or legal person due to non-compliance with the obligations laid down in Article 15(1), unless the trust service provider can prove that he has not acted negligently.

Justification

The rapporteur finds that the liability is too far reaching.

Amendment  30

Proposal for a regulation

Article 11 – paragraph 1

Text proposed by the Commission

Amendment

1. Trust service providers and supervisory bodies shall ensure fair and lawful processing in accordance with Directive 95/46/EC when processing personal data.

1. Trust service providers and supervisory bodies shall ensure fair and lawful collecting and processing of personal data in accordance with Directive 95/46/EC.

Amendment  31

Proposal for a regulation

Article 11 – paragraph 2

Text proposed by the Commission

Amendment

2. Trust service providers shall process personal data according to Directive 95/46/EC. Such processing shall be strictly limited to the minimum data needed to issue and maintain a certificate or to provide a trust service.

2. Trust service providers and supervisory bodies shall collect and process personal data according to Directive 95/46/EC. Such collecting and processing shall be strictly limited to the minimum personal data needed to issue and maintain a certificate or to provide a trust service.

Amendment  32

Proposal for a regulation

Article 11 – paragraph 3

Text proposed by the Commission

Amendment

3. Trust service providers shall guarantee the confidentiality and integrity of data related to a person to whom the trust service is provided.

3. Trust service providers shall ensure the confidentiality and integrity of data related to a person to whom the trust service is provided.

Justification

In the view of the rapporteur the trust service provider cannot guarantee the integrity of information provided by the user - they can only safeguard the information given.

Amendment  33

Proposal for a regulation

Article 11 a (new)

Text proposed by the Commission

Amendment

 

Article 11a

 

Right of information and access of users of trust services

 

Trust services shall provide data subjects with information regarding the collection, communication and retention of their data, as well as the means to access their data pursuant to Article 10 of Directive 95/46/CE.

Amendment  34

Proposal for a regulation

Article 12

Text proposed by the Commission

Amendment

Trust services provided and end user products used in the provision of those services shall be made accessible for persons with disabilities whenever possible.

Trust services provided and end user products used in the provision of those services shall be made accessible for persons with disabilities.

Amendment  35

Proposal for a regulation

Article 13 a (new)

Text proposed by the Commission

Amendment

 

Article 13a

 

Cooperation with data protection authorities

 

Member States shall provide that the supervisory bodies referred to in Article 13 shall cooperate with Member States' data protection authorities designated pursuant to Article 28 of Directive 95/46/EC in order to enable them to ensure compliance with national data protection rules adopted pursuant to Directive 95/46/EC.

Amendment  36

Proposal for a regulation

Article 13 – paragraph 5

Text proposed by the Commission

Amendment

5. The Commission shall be empowered to adopt delegated acts, in accordance with Article 38, concerning the definition of procedures applicable to the tasks referred to in paragraph 2.

5. The Commission shall be empowered to adopt implementing acts, in accordance with Article 39, concerning the definition of procedures applicable to the tasks referred to in paragraph 2.

Justification

The rapporteur finds it necessary to change Article 13(5) to implementing acts, to ensure clarity.

Amendment  37

Proposal for a regulation

Article 15 – paragraph 1 – subparagraph 2

Text proposed by the Commission

Amendment

Without prejudice to Article 16(1), any trust service provider may submit the report of a security audit carried out by a recognised independent body to the supervisory body to confirm that appropriate security measures have been taken.

Without prejudice to Article 16(1), any trust service provider shall submit the report of a security audit carried out by a recognised independent body to the supervisory body after an incident to confirm that appropriate security measures have been taken.

Justification

The rapporteur is of the view that a trust service provider should be obliged to carry out an audit after an incident in order to avoid the same mistake in the future.

Amendment  38

Proposal for a regulation

Article 15 – paragraph 2 – subparagraph 3

Text proposed by the Commission

Amendment

The supervisory body concerned may also inform the public or require the trust service provider to do so, where it determines that disclosure of the breach is in the public interest.

The competent supervisory body may also inform the public or require the trust service provider to do so, where it determines that disclosure of the breach is in the public interest.

Justification

The amendment is made in consistency with the change to article 15, paragraph 1.

Amendment  39

Proposal for a regulation

Article 15 – paragraph 3

Text proposed by the Commission

Amendment

3. The supervisory body shall provide to ENISA and to the Commission once a year with a summary of breach notifications received from trust service providers.

3. The supervisory body of each Member State shall provide ENISA once a year with a summary of breach notifications received from trust service providers.

Justification

The rapporteur finds it unnecessary for supervisory boards to report to more than a single point.

Amendment  40

Proposal for a regulation

Article 16 – paragraph 1

Text proposed by the Commission

Amendment

1. Qualified trust service providers shall be audited by a recognised independent body once a year to confirm that they and the qualified trust services provided by them fulfil the requirements set out in this Regulation, and shall submit the resulting security audit report to the supervisory body.

1. Qualified trust service providers shall, at their own expense, be audited by a recognised independent body every second year to confirm that they and the qualified trust services provided by them fulfil the requirements set out in this Regulation, and shall submit the resulting security audit report to the competent supervisory body.

Justification

The rapporteur finds no need to have audits every year as long as the qualified trust service provider has previously proven to live up to the regulation as it is an extensive and costly measure.

Amendment  41

Proposal for a regulation

Article 17 – paragraph 2

Text proposed by the Commission

Amendment

2. Once the relevant documents are submitted to the supervisory body according to paragraph 1, the qualified service providers shall be included in the trusted lists referred to in Article 18 indicating that the notification has been submitted.

2. Once the relevant documents are submitted to the supervisory body according to paragraph 1, the qualified service providers shall be included in the trusted lists referred to in Article 18 indicating that the notification has been submitted and are awaiting confirmation of conformity by the supervisory body.

Justification

It is the view of the rapporteur that it needs to be clear whether the trust service has been approved or still awaits confirmation of conformity for security reasons.

Amendment  42

Proposal for a regulation

Article 17 – paragraph 3 – subparagraph 2

Text proposed by the Commission

Amendment

The supervisory body shall indicate the qualified status of the qualified service providers and the qualified trust services they provide in the trusted lists after the positive conclusion of the verification, not later than one month after the notification has been done in accordance with paragraph 1.

The supervisory body shall indicate the qualified status of the qualified service providers and the qualified trust services they provide in the trusted lists after the positive conclusion of the verification, not later than 30 days after the notification has been done in accordance with paragraph 1.

Justification

A month is not a precise timeframe since there can be a difference of more than 3 days.

Amendment  43

Proposal for a regulation

Article 18 – paragraph 3

Text proposed by the Commission

Amendment

3. Member States shall notify to the Commission, without undue delay, information on the body responsible for establishing, maintaining and publishing national trusted lists, and details of where such lists are published, the certificate used to sign or seal the trusted lists and any changes thereto.

3. Member States shall notify to the Commission, without undue delay, information on the body responsible for establishing, maintaining and publishing national trusted lists, and details of where such lists are published, the certificate that is used to validate the signature or seal applied to the trusted lists and any changes thereto.

Justification

You cannot sign with a certificate or a seal; you can only validate.

Amendment  44

Proposal for a regulation

Article 18 – paragraph 5

Text proposed by the Commission

Amendment

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of the information referred to in paragraph 1.

deleted

Justification

In the view of the rapporteur this should be in the competence of the supervisory body not the Commission.

Amendment  45

Proposal for a regulation

Article 19 – paragraph 1 – subparagraph 1

Text proposed by the Commission

Amendment

1. When issuing a qualified certificate, a qualified trust service provider shall verify, by appropriate means and in accordance with national law, the identity and, if applicable, any specific attributes of the natural or legal person to whom a qualified certificate is issued.

1. When issuing a qualified certificate, a qualified trust service provider shall verify, by appropriate means and in accordance with national law, the identity and, if applicable, any specific attributes of the entity, natural or legal person to whom a qualified certificate is issued.

Amendment  46

Proposal for a regulation

Article 19 – paragraph 2 – point d

Text proposed by the Commission

Amendment

(d) use trustworthy systems and products which are protected against modification and guarantee the technical security and reliability of the process supported by them;

(d) use trustworthy systems and products which are protected against unauthorised modification and guarantee the technical security and reliability of the process supported by them;

Justification

Systems need to be altered over time in order to keep them up to date, and in the view of the rapporteur this thus needs to be possible.

Amendment  47

Proposal for a regulation

Article 19 – paragraph 2 – point d a (new)

Text proposed by the Commission

Amendment

 

(da) the compliance referred to in point (b) may without prejudice to national identification schemes allow for the remote issuing of electronic identification through a previously conducted verification of physical appearance;

Justification

In the view of the rapporteur Member States should be allowed to issue electronic identification schemes based on previous verification.

Amendment  48

Proposal for a regulation

Article 19 – paragraph 2 – point i a (new)

Text proposed by the Commission

Amendment

 

(ia) make publicly available its data protection policy, indicating the data protection authority competent for its supervision.

Amendment  49

Proposal for a regulation

Article 20 – paragraph 4

Text proposed by the Commission

Amendment

4. If an electronic signature with a security assurance level below qualified electronic signature is required, in particular by a Member State for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic signatures matching at least the same security assurance level shall be recognised and accepted.

4. If an electronic signature with a security level below the defined level for a qualified electronic signature is required, in particular by a Member State for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic signatures matching at least the same security assurance level shall be recognised and accepted.

Justification

In the view of the rapporteur the security level should be defined through implementing acts as specified in Articles 7 and 8.

Amendment  50

Proposal for a regulation

Article 20 – paragraph 5

Text proposed by the Commission

Amendment

5. Member States shall not request for cross-border access to a service online offered by a public sector body an electronic signature at a higher security assurance level than qualified electronic signature.

5. Member States shall not request for cross-border access to a service online offered by a public sector body an electronic signature at a higher security level than qualified electronic signature.

Justification

The word 'assurance' is unnecessary.

Amendment  51

Proposal for a regulation

Article 20 – paragraph 6

Text proposed by the Commission

Amendment

6. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of the different security levels of electronic signature referred to in paragraph 4.

deleted

Justification

In the view of the rapporteur such an important definition should not be left for delegated acts but dealt with within annex I.

Amendment  52

Proposal for a regulation

Article 28 – paragraph 4

Text proposed by the Commission

Amendment

4. If an electronic seal security assurance level below the qualified electronic seal is required, in particular by a Member State for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic seals matching at a minimum the same security assurance level shall be accepted.

4. If an electronic seal security level below the qualified electronic seal is required, in particular by a Member State for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic seals matching at a minimum the same security assurance level shall be accepted.

Justification

The word assurance is unnecessary and changed to ensure consistency with previous amendments.

Amendment  53

Proposal for a regulation

Article 28 – paragraph 5

Text proposed by the Commission

Amendment

5. Member States shall not request for accessing a service online offered by a public sector body an electronic seal with higher security assurance level than qualified electronic seals.

5. Member States shall not request for accessing a service online offered by a public sector body an electronic seal with higher security level than qualified electronic seals.

Justification

The word assurance is unnecessary and changed to ensure consistency with previous amendments.

Amendment  54

Proposal for a regulation

Article 28 – paragraph 6

Text proposed by the Commission

Amendment

6. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of different security assurance levels of electronic seals referred to in paragraph 4.

deleted

Justification

The rapporteur is of the view that this needs to be settled within the regulation and not left for delegated acts but should be dealt with within annex III instead.

Amendment  55

Proposal for a regulation

Article 28 – paragraph 7

Text proposed by the Commission

Amendment

7. The Commission may, by means of implementing acts, establish reference numbers of standards for the security assurance levels of electronic seals. Compliance with the security assurance level defined in a delegated act adopted pursuant to paragraph 6 shall be presumed when an electronic seal meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

7. The Commission shall, by means of implementing acts, establish reference numbers of standards for the defined security levels of electronic seals. Compliance with the defined security level in Annex III shall be presumed when an electronic seal meets those standards. The implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.

Justification

The paragraph is changed according to deletion of paragraph 6.

Amendment  56

Proposal for a regulation

Article 38

Text proposed by the Commission

Amendment

1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2. The power to adopt delegated acts referred to in Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) shall be conferred on the Commission for an indeterminate period of time from the entry into force of this Regulation.

2. The power to adopt delegated acts referred to in Articles 8a(5), 15(5), 16(5), 21(4), 23(3), 25(2), 27(2), 29(4), 30(2), 31, 35(3) and 37(3) shall be conferred on the Commission for an indeterminate period of time from the entry into force of this Regulation.

3. The delegation of power referred to in Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

3. The delegation of power referred to in Articles 8a(5), 15(5), 16(5), 21(4), 23(3), 25(2), 27(2), 29(4), 30(2), 31, 35(3) and 37(3) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

5. A delegated act adopted pursuant to Articles 8(3), 13(5), 15(5), , 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.

5.A delegated act adopted pursuant to Articles 8a(5), 15(5), 16(5), 21(4), 23(3), 25(2), 27(2), 29(4), 30(2), 31, 35(3) and 37(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.

Amendment  57

Proposal for a regulation

Annex I – paragraph 1 – point b – subparagraph 2 a (new)

Text proposed by the Commission

Amendment

 

Sensitive data within the meaning of Article 8 of Directive 95/46/CE shall not be processed.

Amendment  58

Proposal for a regulation

Annex III – paragraph 1 – point b – subparagraph 2 a (new)

Text proposed by the Commission

Amendment

 

Sensitive data within the meaning of Article 8 of Directive 95/46/CE shall not be processed.

Amendment  59

Proposal for a regulation

Annex IV – paragraph 1 – point b – subparagraph 2 a (new)

Text proposed by the Commission

Amendment

 

Sensitive data within the meaning of Article 8 of Directive 95/46/CE shall not be processed.

PROCEDURE

Title: Electronic identification and trust services for electronic transactions in the internal market

References: COM(2012)0238 – C7-0133/2012 – 2012/0146(COD)

Committee responsible (date announced in plenary): ITRE (14.6.2012)

Opinion by (date announced in plenary): LIBE (14.6.2012)

Rapporteur (date appointed): Jens Rohde (20.9.2012)

Discussed in committee: 25.4.2013, 29.5.2013

Date adopted: 8.7.2013

Result of final vote: +: 34; –: 4; 0: 0

Members present for the final vote

Jan Philipp Albrecht, Edit Bauer, Emine Bozkurt, Salvatore Caronna, Philip Claeys, Carlos Coelho, Agustín Díaz de Mera García Consuegra, Ioan Enciu, Frank Engel, Cornelia Ernst, Tanja Fajon, Hélène Flautre, Nathalie Griesbeck, Sylvie Guillaume, Anna Hedh, Sophia in ‘t Veld, Teresa Jiménez-Becerril Barrio, Anthea McIntyre, Roberta Metsola, Claude Moraes, Georgios Papanikolaou, Carmen Romero López, Judith Sargentini, Birgit Sippel, Renate Sommer, Rui Tavares, Nils Torvalds, Kyriacos Triantaphyllides, Axel Voss, Renate Weber, Josef Weidenholzer, Cecilia Wikström, Tatjana Ždanoka, Auke Zijlstra

Substitute(s) present for the final vote

Anna Maria Corazza Bildt, Mariya Gabriel, Jens Rohde, Salvador Sedó i Alabart

PROCEDURE

Title: Electronic identification and trust services for electronic transactions in the internal market

References: COM(2012)0238 – C7-0133/2012 – 2012/0146(COD)

Date submitted to Parliament: 4.6.2012

Committee responsible (date announced in plenary): ITRE (14.6.2012)

Committee(s) asked for opinion(s) (date announced in plenary): ECON (14.6.2012), IMCO (14.6.2012), JURI (14.6.2012), LIBE (14.6.2012)

Not delivering opinions (date of decision): ECON (11.9.2012)

Associated committee(s) (date announced in plenary): IMCO (7.2.2013)

Rapporteur(s) (date appointed): Marita Ulvskog (3.7.2012)

Discussed in committee: 18.12.2012, 24.4.2013, 19.6.2013

Date adopted: 14.10.2013

Result of final vote: +: 37; –: 4; 0: 1

Members present for the final vote

Amelia Andersdotter, Josefa Andrés Barea, Jean-Pierre Audy, Ivo Belet, Jan Březina, Reinhard Bütikofer, Maria Da Graça Carvalho, Giles Chichester, Jürgen Creutzmann, Pilar del Castillo Vera, Christian Ehler, Vicky Ford, Adam Gierek, Norbert Glante, Fiona Hall, Edit Herczog, Romana Jordan, Philippe Lamberts, Bogdan Kazimierz Marcinkiewicz, Marisa Matias, Angelika Niebler, Jaroslav Paška, Vittorio Prodi, Herbert Reul, Jens Rohde, Paul Rübig, Salvador Sedó i Alabart, Francisco Sosa Wagner, Evžen Tošenovský, Ioannis A. Tsoukalas, Claude Turmes, Marita Ulvskog, Alejo Vidal-Quadras

Substitute(s) present for the final vote

Antonio Cancian, Rachida Dati, Ioan Enciu, Françoise Grossetête, Roger Helmer, Jolanta Emilia Hibner, Werner Langen, Zofija Mazej Kukovič, Alajos Mészáros

Date tabled: 6.11.2013