REPORT on the proposal for a regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market
31.10.2013 - (COM(2012)0238 – C7‑0133/2012 – 2012/0146(COD)) - ***I
Committee on Industry, Research and Energy
Rapporteur: Marita Ulvskog
Rapporteur for the opinion (*):
Marielle Gallo, Committee on Internal Market and Consumer Protection
(*) Associated committee – Rule 50 of the Rules of Procedure
DRAFT EUROPEAN PARLIAMENT LEGISLATIVE RESOLUTION
on the proposal for a regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market
(COM(2012)0238 – C7‑0133/2012 – 2012/0146(COD))
(Ordinary legislative procedure: first reading)
The European Parliament,
– having regard to the Commission proposal to Parliament and the Council (COM(2012)0238),
– having regard to Article 294(2) and Article 114 of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C7‑0133/2012),
– having regard to Article 294(3) of the Treaty on the Functioning of the European Union,
– having regard to the opinion of the European Economic and Social Committee of 18 September 2012,[1]
– having regard to Rule 55 of its Rules of Procedure,
– having regard to the report of the Committee on Industry, Research and Energy and the opinions of the Committee on the Internal Market and Consumer Protection, the Committee on Legal Affairs and the Committee on Civil Liberties, Justice and Home Affairs (A7-0365/2013),
1. Adopts its position at first reading hereinafter set out;
2. Calls on the Commission to refer the matter to Parliament again if it intends to amend its proposal substantially or replace it with another text;
3. Instructs its President to forward its position to the Council, the Commission and the national parliaments.
Amendment 1 Proposal for a regulation Recital 1 | |
Text proposed by the Commission |
Amendment |
(1) Building trust in the online environment is key to economic development. Lack of trust makes consumers, businesses and administrations hesitate to carry out transactions electronically and to adopt new services. |
(1) Building trust in the online environment is key to economic and social development. Lack of trust, in particular because of a perceived lack of legal certainty, makes consumers, businesses and administrations hesitate to carry out transactions electronically and to adopt new services. |
Amendment 2 Proposal for a regulation Recital 1 a (new) | |
Text proposed by the Commission |
Amendment |
|
(1a) Ensuring that all citizens have access to the technology and skills that enable them to benefit equally from digital offerings and electronic services is vital in order to ensure equal opportunities and inclusion of all parts of society. |
Amendment 3 Proposal for a regulation Recital 2 | |
Text proposed by the Commission |
Amendment |
(2) This Regulation seeks to enhance trust in electronic transactions in the internal market by enabling secure and seamless electronic interactions to take place between businesses, citizens and public authorities, thereby increasing the effectiveness of public and private online services, electronic business and electronic commerce in the Union. |
(2) This Regulation seeks to enhance trust in electronic transactions in the internal market by providing a common foundation for legally secure electronic interaction between businesses, citizens and public authorities, thereby increasing the effectiveness of public and private online services, electronic business and electronic commerce in the Union. |
Justification | |
Again it is about legal certainty. | |
Amendment 4 Proposal for a regulation Recital 3 | |
Text proposed by the Commission |
Amendment |
(3) Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, essentially covered electronic signatures without delivering a comprehensive cross-border and cross-sector framework for secure, trustworthy and easy-to-use electronic transactions. This Regulation enhances and expands the acquis of the Directive. |
(3) Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, essentially covered electronic signatures without delivering a comprehensive cross-border and cross-sector framework for secure, trustworthy and easy-to-use electronic transactions. This Regulation addresses these lacunae. |
Justification | |
Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, essentially covered electronic signatures without delivering a comprehensive cross-border and cross-sector framework for secure, trustworthy and easy-to-use electronic transactions. This Regulation addresses these lacunae. | |
Amendment 5 Proposal for a regulation Recital 11 | |
Text proposed by the Commission |
Amendment |
(11) One of the objectives of this Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States to access at least public services. This Regulation does not aim at intervening on electronic identity management systems and related infrastructures established in the Member States. The aim of this Regulation is to ensure that for the access to cross-border online services offered by the Member States, secure electronic identification and authentication is possible. |
(11) One of the objectives of this Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States to access at least public services. This Regulation does not aim at intervening on electronic identity management systems and related infrastructures established in the Member States. Rather, it aims to introduce different security levels to guarantee a minimum common set of security requirements. The aim of this Regulation is to ensure that for the access to cross-border online services offered by the Member States, secure electronic identification and authentication is possible, with full respect for technology neutrality. |
Justification | |
Unlike trust services, which are covered by a common set of security requirements, the Commission has no such provisions for electronic identification. The rapporteur takes the view that the introduction of different security levels (and consequently of a minimum level of security) is a prerequisite for the principle of mutual recognition and will help increase security in the digital world. | |
Amendment 6 Proposal for a regulation Recital 12 | |
Text proposed by the Commission |
Amendment |
(12) Member States should remain free to use or introduce means, for electronic identification purposes, for accessing online services. They should also be able to decide whether to involve the private sector in the provision of these means. Member States should not be obliged to notify their electronic identification schemes. The choice to either notify all, some or none of the electronic identification schemes used at national level to access at least public online services or specific services is up to the Member States. |
(12) Member States should remain free to use or introduce means, for electronic authentication or identification purposes, for accessing online services. They should also be able to decide whether to involve the private sector in the provision of these means. Member States should not be obliged to notify their electronic identification schemes. The choice to either notify all, some or none of the electronic identification schemes used at national level to access at least public online services or specific services is up to the Member States. |
Amendment 7 Proposal for a regulation Recital 13 | |
Text proposed by the Commission |
Amendment |
(13) Some conditions need to be set in the Regulation with regard to which electronic identification means have to be accepted and how the schemes should be notified. These should help Member States to build the necessary trust in each other's electronic identification schemes and to mutually recognise and accept electronic identification means falling under their notified schemes. The principle of mutual recognition and acceptance should apply if the notifying Member State meets the conditions of notification and the notification was published in the Official Journal of the European Union. However, the access to these online services and their final delivery to the applicant should be closely linked to the right to receive such services under the conditions set by national legislation. |
(13) Some conditions need to be set in the Regulation with regard to which electronic identification means have to be accepted and how the schemes should be notified. These should help Member States to build the necessary trust in each other's electronic identification schemes and to mutually recognise and accept electronic identification means falling under their notified schemes. The principle of mutual recognition and acceptance should apply if the notifying Member State meets the conditions of notification and the notification, including a description of the notified electronic identification scheme and the information on the different security levels, was published in the Official Journal of the European Union. However, the access to these online services and their final delivery to the applicant should be closely linked to the right to receive such services under the conditions set by national legislation. |
Justification | |
Unlike trust services, which are covered by a common set of security requirements, the Commission has no such provisions for electronic identification. The rapporteur takes the view that the introduction of different security levels (and consequently of a minimum level of security) is a prerequisite for the principle of mutual recognition and will help increase security in the digital world. | |
Amendment 8 Proposal for a regulation Recital 14 | |
Text proposed by the Commission |
Amendment |
(14) Member States should be able to decide to involve the private sector in the issuance of electronic identification means and to allow the private sector the use of electronic identification means under a notified scheme for identification purposes when needed for online services or electronic transactions. The possibility to use such electronic identification means would enable the private sector to rely on electronic identification and authentication already largely used in many Member States at least for public services and to make it easier for businesses and citizens to access their online services across borders. In order to facilitate the use of such electronic identification means across borders by the private sector, the authentication possibility provided by the Member States should be available to relying parties without discriminating between public or private sector. |
(14) Member States should be able to involve the private sector in issuing electronic authentication or identification means. Private sector parties should also be allowed to use electronic authentication and identification means under a notified scheme for authentication or identification purposes when needed for online services or electronic transactions. The possibility to use such means would enable the private sector to rely on electronic identification and/or authentication already largely used in many Member States at least for public services and to make it easier for businesses and citizens to access their online services across borders. In order to facilitate the use of such electronic authentication or identification means across borders by the private sector, the authentication possibility provided by the Member States should be available to relying parties without discriminating between public and private sector. |
Justification | |
The original formulation by the Commission makes it unclear who is a relying party (a private actor), and the distinction between the use of a relying party (certificate provider) and an issuer of a physical piece of equipment for interpreting the identifying data. | |
Amendment 9 Proposal for a regulation Recital 15 | |
Text proposed by the Commission |
Amendment |
(15) The cross border use of electronic identification means under a notified scheme requires Member States to cooperate in providing technical interoperability. This rules out any specific national technical rules requiring non-national parties for instance to obtain specific hardware or software to verify and validate the notified electronic identification. Technical requirements on users, on the other hand, stemming from the inherent specifications of whatever token is used (e.g. smartcards) are inevitable. |
(15) The cross border use of electronic identification means under a notified scheme requires Member States to cooperate in providing technical interoperability in accordance with the principle of technological neutrality. This rules out any specific national technical rules requiring non-national parties for instance to obtain specific hardware or software to verify and validate the notified electronic identification. Technical requirements on users, on the other hand, stemming from the inherent specifications of whatever token is used (e.g. smartcards) are inevitable. Nevertheless the process of building interoperability should respect the various approaches taken by Member States while developing their national electronic identification systems and should not require changes to the fundamental design of such systems. |
Amendment 10 Proposal for a regulation Recital 16 | |
Text proposed by the Commission |
Amendment |
(16) Cooperation of Member States should serve the technical interoperability of the notified electronic identification schemes with a view to foster a high level of trust and security appropriate to the degree of risk. The exchange of information and the sharing of best practices between Member States with a view to their mutual recognition should help such cooperation. |
(16) Cooperation of Member States should serve the technical interoperability of the notified electronic identification schemes with a view to foster a high level of trust and security appropriate to the degree of risk. The exchange of information and the sharing of best practices between Member States with a view to their mutual recognition should help such cooperation. Since certain e-services have greater cross-border potential, establishing interoperability for such e-services should be prioritized. E-services of cross border relevance are such services which are available not only to residents of a Member State, and where interoperable authentication means could be expected to boost cross border interactions. |
Amendment 11 Proposal for a regulation Recital 16 a (new) | |
Text proposed by the Commission |
Amendment |
|
(16a) The cross border use of electronic authentication means should not lead to disclosure of personal data that are not necessary for the service to be provided. In this regard, Member States should be encouraged to make better use of non-direct identification where the processing of personal data is limited to the disclosure of only personal data required for a specific purpose. |
Amendment 12 Proposal for a regulation Recital 17 | |
Text proposed by the Commission |
Amendment |
(17) This Regulation should also establish a general legal framework for the use of electronic trust services. However, it should not create a general obligation to use them. In particular, it should not cover the provision of services based on voluntary agreements under private law. Neither should it cover aspects related to the conclusion and validity of contracts or other legal obligations where there are requirements as regards form prescribed by national or Union law. |
(17) This Regulation should also establish a general legal framework for the use of electronic trust services. However, it should not create a general obligation to use them. In particular, it should not cover the provision of services based on voluntary agreements under private law. It should also be without prejudice to provisions on the form, formation or effect of contracts or to the form, creation or validity of other private-law obligations irrespective of whether they are founded on national or Union law, for example in accordance to the rules on consent and material and formal validity of contracts laid down in Regulation (EC) No 593/2008 of the European Parliament and the Council21a. Furthermore this Regulation should be without prejudice to the rules and restrictions in national or Union law on the use of documents, and should not apply to register procedures, particularly those relating to land registers and trade registers. |
|
______________ |
|
21a Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations (Rome I) (OJ L 177, 4.7.2008, p. 6). |
Amendment 13 Proposal for a regulation Recital 20 | |
Text proposed by the Commission |
Amendment |
(20) Because of the pace of technological change, this Regulation should adopt an approach which is open to innovations. |
(20) Because of the pace of technological change, this Regulation should adopt an approach which aims at stimulating innovations. |
Amendment 14 Proposal for a regulation Recital 21 | |
Text proposed by the Commission |
Amendment |
(21) This Regulation should be technology-neutral. The legal effects it grants should be achievable by any technical means provided that the requirements of this Regulation are met. |
(21) This Regulation should be technology-neutral with regard to both electronic identification systems and trust services. The legal effects it grants should be achievable by any technical means provided that the requirements of this Regulation are met. |
Amendment 15 Proposal for a regulation Recital 22 | |
Text proposed by the Commission |
Amendment |
(22) To enhance people's trust in the internal market and to promote the use of trust services and products, the notions of qualified trust services and qualified trust service provider should be introduced with a view to indicating requirements and obligations to ensure high-level security of whatever qualified trust services and products are used or provided. |
(22) To enhance the trust of small and medium-sized enterprises (SMEs) and consumers in the internal market and to promote the use of trust services and products, the notions of qualified trust services and qualified trust service provider should be introduced with a view to indicating requirements and obligations to ensure high-level security of whatever qualified trust services and products are used or provided. Both qualified and advanced electronic signatures should be legally equivalent to handwritten signatures. Nothing in this Regulation should limit the ability of any natural or legal person to demonstrate with evidence the non-reliability of any form of electronic signature. However, in the case of qualified electronic signatures, the burden of proof when questioning the identity of the signatory should rest with the contesting party. |
Justification | |
It should be made clear that even a non-qualified signature can have the same effect as a handwritten one. The only difference is the burden of proof. | |
Amendment 16 Proposal for a regulation Recital 23 | |
Text proposed by the Commission |
Amendment |
(23) In line with the obligations under the UN Convention on the Rights of Persons with Disabilities that has entered into force in the EU, persons with disabilities should be able to use trust services and end user products used in the provision of those services on equal bases with other consumers. |
(23) In line with the obligations under the UN Convention on the Rights of Persons with Disabilities that has entered into force in the EU, and with respect for and in full compliance with Union law on the accessibility of the websites of public sector bodies, persons with disabilities should be able to use trust services and electronic identification services and end user products used in the provision of those services on equal bases with other consumers. |
Amendment 17 Proposal for a regulation Recital 23 a (new) | |
Text proposed by the Commission |
Amendment |
|
(23a) Under Article 9 of the Treaty on the Functioning of the European Union, in defining and implementing its policies and activities, the Union is obliged to take into account requirements linked to the promotion of a high level of employment, the guarantee of adequate social protection, the fight against social exclusion, and a high level of education, training and protection of human health. |
Amendment 18 Proposal for a regulation Recital 23 b (new) | |
Text proposed by the Commission |
Amendment |
|
(23b) The concepts of accessibility and design for all should be mainstreamed when legislative measures on electronic identification are being pursued at Union level. |
Amendment 19 Proposal for a regulation Recital 24 | |
Text proposed by the Commission |
Amendment |
(24) A trust service provider is a controller of personal data and therefore has to comply with the obligations set out in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data22. In particular the collection of data should be minimised as much as possible taking into account the purpose of the service provided. |
(24) A trust service provider is a controller of personal data and therefore has to comply with the obligations set out in national provisions on data protection and in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data22. In particular the collection and the retention of data should be minimised as much as possible taking into account the purpose of the service provided and the trust service providers should provide users with information on the collection, communication and retention of their personal data and enable them to check their personal data and exercise their data protection rights. |
Amendment 20 Proposal for a regulation Recital 24 a (new) | |
Text proposed by the Commission |
Amendment |
|
(24a) A high level of data protection through appropriate and harmonised safeguards is all the more important for the use of electronic identification schemes and trust services, as both will require the processing of personal data. Such processing will be relied upon, amongst other things, for identifying and authenticating persons in the most reliable manner; moreover the lack of appropriate safeguards could lead to significant data protection risks such as identity theft, forgery or misuse of the electronic medium. |
Amendment 21 Proposal for a regulation Recital 24 b (new) | |
Text proposed by the Commission |
Amendment |
|
(24b) A trust service provider operates in a particularly sensitive environment where many other parties rely on the integrity of their services. In particular, it is presumed by its customers that it is always trustworthy. Therefore it is important to avoid conflicts of interest. In the interest of good governance within the context of electronic signatures and electronic identification, trust service providers should not in general be operated or owned by entities providing services that require their trust services. Oversight should be provided by a competent supervisory body. |
Justification | |
Separating the functionality of a trust service provider from that of a provider of services requiring trust means that there is less chance of a single interest over-taking or exercising undue influence on the trust service provider. This is an important principle in establishing adequate trust chains on the market for electronic signatures. | |
Amendment 22 Proposal for a regulation Recital 24 c (new) | |
Text proposed by the Commission |
Amendment |
|
(24c) Electronic identification schemes should comply with Directive 95/46/EC, which governs the processing of personal data carried out in the Member States pursuant to this Regulation and under the supervision of the Member States' competent authorities, in particular the independent public authorities designated by the Member States. |
Amendment 23 Proposal for a regulation Recital 24 d (new) | |
Text proposed by the Commission |
Amendment |
|
(24d) This Regulation respects the fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union, in particular Article 8 thereof. |
Amendment 24 Proposal for a regulation Recital 25 | |
Text proposed by the Commission |
Amendment |
(25) Supervisory bodies should cooperate and exchange information with data protection authorities to ensure proper implementation of data protection legislation by service providers. The exchange of information should in particular cover security incidents and personal data breaches. |
(25) Trust service providers and national bodies responsible for accreditation or supervision should comply with the requirements laid down in Directive 95/46/EC. |
|
Member States should also ensure that trust service providers and national bodies responsible for accreditation or supervision cooperate and exchange information with data protection authorities to ensure proper implementation of data protection legislation by service providers. The exchange of information should in particular cover security incidents and personal data breaches, where provided by the applicable law. |
Amendment 25 Proposal for a regulation Recital 26 | |
Text proposed by the Commission |
Amendment |
(26) It should be incumbent on all trust service providers to apply good security practice appropriate to the risks related to their activities so as to boost users' trust in the single market. |
(26) It should be incumbent on all trust service providers to apply good security practice appropriate to the risks related to their activities so as to build users' trust in the services concerned. |
Amendment 26 Proposal for a regulation Recital 29 | |
Text proposed by the Commission |
Amendment |
(29) Notification of security breaches and security risk assessments is essential with a view to providing adequate information to concerned parties in the event of a breach of security or loss of integrity. |
(29) A breach of security may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm for the individuals concerned, including identity fraud. Therefore notification of security breaches without undue delay in accordance with Directive 95/46/EC and security risk assessments is essential with a view to providing adequate information to concerned parties in the event of a breach of security or loss of integrity especially to give them the opportunity to mitigate potential adverse effects. |
Amendment 27 Proposal for a regulation Recital 33 | |
Text proposed by the Commission |
Amendment |
(33) To ensure sustainability and durability of qualified trust services and to boost users' confidence in the continuity of qualified trust services, supervisory bodies should ensure that the data of qualified trust service providers are preserved and kept accessible for an appropriate period of time even if a qualified trust service provider ceases to exist. |
(33) To ensure sustainability and durability of qualified trust services and to boost users' confidence in the continuity of qualified trust services, supervisory bodies should ensure that the data collected by the qualified trust service providers are preserved and kept accessible for an appropriate period of time even if a qualified trust service provider ceases to exist. |
Amendment 28 Proposal for a regulation Recital 34 | |
Text proposed by the Commission |
Amendment |
(34) To facilitate the supervision of qualified trust services providers, for example when a provider is providing its services in the territory of another Member State and is not subject to supervision there, or when the computers of a provider are located in the territory of another Member State than the one where it is established, a mutual assistance system between supervisory bodies in the Member States should be set up. |
(34) To facilitate the supervision of qualified trust services providers and ensure that it is effective, as stipulated in this Regulation, for example when a provider is providing its services in the territory of another Member State and is not subject to supervision there, or when the computers of a provider are located in the territory of another Member State than the one where it is established, a mutual assistance system between supervisory bodies in the Member States should be set up. The system should also aim to simplify and reduce the administrative burden on trust service providers by having a one-stop-shop supervisory body. |
Amendment 29 Proposal for a regulation Recital 39 a (new) | |
Text proposed by the Commission |
Amendment |
|
(39a) In order to boost users’ confidence online and to make it easier to identify the qualified trust services providers which meet the requirements of this Regulation, an 'EU' qualified trustmark should be created. |
Justification | |
Parliament called for the creation of a trustmark in its resolution of 11 December 2012 on completing the Digital Single Market. Its aim in doing so was to boost users’ confidence online by creating an easily recognisable European label. Bearing in mind the aim of making trust services more secure online, qualified trust service providers who meet the requirements, especially those laid down in Article 19, should be able to benefit from this label and enjoy added value in e-commerce. | |
Amendment 30 Proposal for a regulation Recital 40 a (new) | |
Text proposed by the Commission |
Amendment |
|
(40a) The creation of remote electronic signatures, where the electronic signature creation environment is managed by a trust services provider on behalf of the signatory, is set to increase in the light of its multiple economic benefits. However, in order to ensure that such electronic signatures receive the same legal recognition as electronic signatures created in an entirely user‑managed environment, remote signature services providers should apply specific management and administrative security procedures, and use reliable systems and products, including secure electronic communication channels, in order to guarantee that the electronic signature creation environment is reliable and is used under the sole control of the signatory. Where a qualified electronic signature has been created using a remote electronic signature creation device, the requirements applicable to qualified trust services providers set out in this Regulation should apply. |
Justification | |
Although the server signature service is exposed to greater risks than other services, it is of benefit to users and is set to expand. The rapporteur therefore takes the view that express reference should be made to this service in order to ensure that the supervisory audits focus on the weaknesses inherent to this type of signature. | |
Amendment 31 Proposal for a regulation Recital 42 | |
Text proposed by the Commission |
Amendment |
(42) When a transaction requires a qualified electronic seal from a legal person, a qualified electronic signature from the authorised representative of the legal person should be equally acceptable. |
(42) When national or Union law requires a qualified electronic seal from a legal person, a qualified electronic signature from the authorised representative of the legal person should be equally acceptable. |
Amendment 32 Proposal for a regulation Recital 43 | |
Text proposed by the Commission |
Amendment |
(43) Electronic seals should serve as evidence that an electronic document was issued by a legal person, ensuring certainty of the document’s origin and integrity. |
(43) Valid electronic seals should serve as prima facie evidence of the authenticity and integrity of an electronic document associated with them. This should be without prejudice to national provisions on powers of attorney, representation and legal capacity. |
Amendment 33 Proposal for a regulation Recital 45 | |
Text proposed by the Commission |
Amendment |
(45) In order to enhance the cross-border use of electronic documents this Regulation should provide for the legal effect of electronic documents which should be considered as equal to paper documents dependent on the risk assessment and provided the authenticity and integrity of the documents are ensured. It is also important for further development of cross-border electronic transactions in the internal market that original electronic documents or certified copies issued by relevant competent bodies in a Member State under their national law are accepted as such also in other Member States. This Regulation should not affect Member States’ right to determine what constitutes an original or a copy at a national level but ensures that these can be used as such also across borders. |
deleted |
Amendment 34 Proposal for a regulation Recital 46 a (new) | |
Text proposed by the Commission |
Amendment |
|
(46a) Member States should ensure that the possibilities and limitations of use of electronic identification are clearly communicated to the citizens. |
Amendment 35 Proposal for a regulation Recital 49 | |
Text proposed by the Commission |
Amendment |
(49) In order to complement certain detailed technical aspects of this Regulation in a flexible and rapid manner, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of interoperability of electronic identification; security measures required of trust service providers; recognised independent bodies responsible for auditing the service providers; trusted lists; requirements related to the security levels of electronic signatures; requirements of qualified certificates for electronic signatures their validation and their preservation; the bodies responsible for the certification of qualified electronic signature creation devices; and the requirements related to the security levels of electronic seals and to qualified certificates for electronic seals; the interoperability between delivery services. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. |
(49) In order to complement certain detailed technical aspects of this Regulation in a flexible and rapid manner, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of interoperability of electronic identification; trusted lists; requirements of qualified certificates for electronic signatures their validation and their preservation; the bodies responsible for the certification of qualified electronic signature creation devices; and to qualified certificates for electronic seals; the interoperability between delivery services. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. |
Amendment 36 Proposal for a regulation Recital 51 | |
Text proposed by the Commission |
Amendment |
(51) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission, in particular for specifying reference numbers of standards which use would give a presumption of compliance with certain requirements laid down in this Regulation or defined in delegated acts. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers. |
(51) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission, in particular for specifying reference numbers of standards which use would give a presumption of compliance with certain requirements laid down in this Regulation or defined in delegated acts. Those powers should be exercised, after a transparent stakeholder consultation, in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers. |
Amendment 37 Proposal for a regulation Recital 51 a (new) | |
Text proposed by the Commission |
Amendment |
|
(51a) The standardisation work carried out by international and European organisations enjoys international recognition. This work is undertaken in cooperation with the industries and stakeholders concerned, and is funded by the Union and national authorities, among others. With a view to ensuring a high level of security in electronic identification and in electronic trust services, particularly in the Commission’s drafting of delegated and implementing acts, due account should be paid to standards drawn up by organisations such as the European Committee for Standardisation (CEN), the European Telecommunications Standards Institute (ETSI), the European Committee for Electrotechnical Standardisation (CENELEC) or the International Organisation for Standardisation (ISO). |
Amendment 38 Proposal for a regulation Article 1 | |
Text proposed by the Commission |
Amendment |
1. This Regulation lays down rules for electronic identification and electronic trust services for electronic transactions with a view to ensuring the proper functioning of the internal market. |
1. This Regulation lays down rules for cross-border electronic identification and trust services for electronic transactions with a view to ensuring the proper functioning of the internal market. |
2. This Regulation lays down the conditions under which Member States shall recognise and accept electronic identification means of natural and legal persons falling under a notified electronic identification scheme of another Member State. |
2. This Regulation lays down the conditions under which Member States shall recognise and accept electronic identification means for natural and legal persons falling under a notified electronic identification scheme of another Member State. |
3. This Regulation establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services and website authentication. |
3. This Regulation establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services and website authentication. |
4. This Regulation ensures that trust services and products which comply with this Regulation are permitted to circulate freely in the internal market. |
4. This Regulation ensures that qualified and non-qualified trust services and products which comply with this Regulation are permitted to circulate freely in the internal market. |
Amendment 39 Proposal for a regulation Article 2 | |
Text proposed by the Commission |
Amendment |
1. This Regulation applies to electronic identification provided by, on behalf or under the responsibility of Member States and to trust service providers established in the Union. |
1. This Regulation applies to notified electronic identification schemes mandated, recognised or issued by or on behalf of Member States, and to trust service providers established in the Union. |
2. This Regulation does not apply to the provision of electronic trust services based on voluntary agreements under private law. |
2. This Regulation applies to both qualified and non-qualified trust service providers established in the Union. This Regulation does not apply to the trust services which are provided to a closed group of parties and which are used exclusively within that group. |
3. This Regulation does not apply to aspects related to the conclusion and validity of contracts or other legal obligations where there are requirements as regards form prescribed by national or Union law. |
3. This Regulation does not apply to aspects related to the conclusion and validity of contracts or other legal obligations where there are requirements as regards form prescribed by national or Union law. |
Amendment 40 Proposal for a regulation Article 3 – point 1 | |
Text proposed by the Commission |
Amendment |
(1) ‘electronic identification’ means the process of using person identification data in electronic form unambiguously representing a natural or legal person; |
(1) ‘electronic identification’ means the process of using identification data in electronic form representing a natural or legal person either: |
|
(a) to fully identify a person, or |
|
(b) to confirm only those identification data necessary to grant access to a specific service. |
Amendment 41 Proposal for a regulation Article 3 – point 2 | |
Text proposed by the Commission |
Amendment |
(2) ‘electronic identification means’ means a material or immaterial unit containing data as referred to in point 1 of this Article, and which is used to access services online as referred to in Article 5; |
(2) ‘electronic identification means’ means a material or immaterial unit containing data as referred to in point 1 of this Article, and which is used to access electronic services as referred to in Article 5; |
Amendment 42 Proposal for a regulation Article 3 – point 4 | |
Text proposed by the Commission |
Amendment |
(4) ‘authentication’ means an electronic process that allows the validation of the electronic identification of a natural or legal person; or of the origin and integrity of an electronic data; |
(4) ‘authentication’ means an electronic process that allows the validation of the electronic identification of a natural or legal person; or of the origin and integrity of electronic data; |
Amendment 43 Proposal for a regulation Article 3 – point 4 a (new) | |
Text proposed by the Commission |
Amendment |
|
(4a) 'relying party' means a natural or legal person to whom the holder of an electronic authentication means verifies attributes; |
Justification | |
The draft already referred to relying parties in Article (1) (d) without a proper definition. | |
Amendment 44 Proposal for a regulation Article 3 – point 7 – point b | |
Text proposed by the Commission |
Amendment |
(b) it is capable of identifying the signatory; |
(b) it is capable of guaranteeing the legal validity of the identity of the signatory; |
Justification | |
The use of the term ‘identifying’ could prove confusing given that the regulation concerns electronic identification. This particular point is a definition of an advanced electronic signature, which relates to the ‘trust services’ part of the proposal (Chapter III). | |
Amendment 45 Proposal for a regulation Article 3 – point 7 – point c | |
Text proposed by the Commission |
Amendment |
(c) it is created using electronic signature creation data that the signatory can, with high level of confidence, use under his sole control; and |
(c) it is created using an electronic signature creation device that the signatory can use under his sole control; and |
Justification | |
Wording changed to bring the text into line with the terminology used in Articles 22 and 23. The expression ‘high level of confidence’ is legally meaningless. | |
Amendment 46 Proposal for a regulation Article 3 – point 7 – point d | |
Text proposed by the Commission |
Amendment |
(d) it is linked to the data to which it relates in such a way that any subsequent change in the data is detectable; |
(d) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable; |
Amendment 47 Proposal for a regulation Article 3 – point 8 | |
Text proposed by the Commission |
Amendment |
(8) ‘qualified electronic signature’ means an advanced electronic signature which is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures; |
(8) ‘qualified electronic signature’ means an advanced electronic signature which is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures issued by a qualified trust provider; |
Amendment 48 Proposal for a regulation Article 3 – point 10 | |
Text proposed by the Commission |
Amendment |
(10) ‘certificate’ means an electronic attestation which links electronic signature or seal validation data of a natural or a legal person respectively to the certificate and confirms those data of that person; |
(10) 'certificate' means an electronic attestation which links electronic signature or seal validation data with the identification data of an entity or a natural or a legal person respectively and confirms those data of that person; |
Amendment 49 Proposal for a regulation Article 3 – point 11 | |
Text proposed by the Commission |
Amendment |
(11) ‘qualified certificate for electronic signature’ means an attestation which is used to support electronic signatures, is issued by a qualified trust service provider and meets the requirements laid down in Annex I; |
(11) ‘qualified certificate for electronic signature’ means a certificate which is used to support electronic signatures, is issued by a qualified trust service provider and meets the requirements laid down in Annex I; |
Amendment 50 Proposal for a regulation Article 3 – point 12 | |
Text proposed by the Commission |
Amendment |
(12) ‘trust service’ means any electronic service consisting in the creation, verification, validation, handling and preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication, and electronic certificates, including certificates for electronic signature and for electronic seals; |
(12) 'trust service' means an electronic service consisting in the creation, verification, validation or preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication, and electronic certificates, including certificates for electronic signature and for electronic seals; |
Amendment 51 Proposal for a regulation Article 3 – point 13 | |
Text proposed by the Commission |
Amendment |
(13) ‘qualified trust service’ means a trust service that meets the applicable requirements provided for in this Regulation; |
(13) ‘qualified trust service’ means a trust service that meets the applicable requirements laid down in this Regulation; |
Amendment 52 Proposal for a regulation Article 3 – point 14 | |
Text proposed by the Commission |
Amendment |
(14) ‘trust service provider’ means a natural or a legal person who provides one or more trust services; |
(14) 'trust service provider' means a natural or a legal person who provides one or more trust services as defined in this Regulation; |
Justification | |
Removes ambiguity about trust services in, for instance, the financial sector. | |
Amendment 53 Proposal for a regulation Article 3 – point 19 | |
Text proposed by the Commission |
Amendment |
(19) ‘creator of a seal’ means a legal person who creates an electronic seal; |
(19) ‘creator of a seal’ means a natural or legal person who creates an electronic seal; |
Amendment 54 Proposal for a regulation Article 3 – point 20 | |
Text proposed by the Commission |
Amendment |
(20) ‘electronic seal’ means data in electronic form which are attached to or logically associated with other electronic data to ensure the origin and the integrity of the associated data; |
(20) ‘electronic seal’ means data in electronic form which are attached to or logically associated with other electronic data to ensure the authenticity and the integrity of the associated data; |
Amendment 55 Proposal for a regulation Article 3 – point 21 – point c | |
Text proposed by the Commission |
Amendment |
(c) it is created using electronic seal creation data that the creator of the seal can, with a high level of confidence under its control, use for electronic seal creation; and |
(c) it is created using an electronic seal creation device that the creator of the seal can, with a high level of confidence under its control, use for electronic seal creation; and |
Justification | |
Wording changed to bring the text into line with the terminology used in Articles 22 and 23. | |
Amendment 56 Proposal for a regulation Article 3 – point 21 – point d | |
Text proposed by the Commission |
Amendment |
(d) it is linked to the data to which it relates in such a way that any subsequent change in the data is detectable; |
(d) it is linked to the data the origin and integrity of which it certifies in such a way that any subsequent change in the data is detectable; |
Amendment 57 Proposal for a regulation Article 3 – point 22 | |
Text proposed by the Commission |
Amendment |
(22) ‘qualified electronic seal’ means an advanced electronic seal which is created by a qualified electronic seal creation device, and which is based on a qualified certificate for electronic seal; |
(22) ‘qualified electronic seal’ means an advanced electronic seal which is created by a qualified electronic seal creation device, and which is based on a qualified certificate for electronic seal issued by a qualified trust service provider; |
Amendment 58 Proposal for a regulation Article 3 – point 27 | |
Text proposed by the Commission |
Amendment |
(27) ‘electronic document’ means a document in any electronic format; |
(27) ‘electronic document’ means a separate set of structured data in any electronic format; |
Amendment 59 Proposal for a regulation Article 3 – point 31 a (new) | |
Text proposed by the Commission |
Amendment |
|
(31a) 'breach of security' means a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, data transmitted, stored or otherwise processed. |
Amendment 60 Proposal for a regulation Article 4 | |
Text proposed by the Commission |
Amendment |
1. There shall be no restriction on the provision of trust services in the territory of a Member State by a trust service provider established in another Member State for reasons which fall within the fields covered by this Regulation. |
1. There shall be no restriction on the provision of trust services in the territory of a Member State by a trust service provider established in another Member State for reasons which fall within the fields covered by this Regulation. Member States shall ensure that trust services originating from another Member State are admissible as evidence in legal proceedings. |
2. Products which comply with this Regulation shall be permitted to circulate freely in the internal market. |
2. Products which comply with this Regulation shall circulate freely and securely in the internal market. |
Amendment 61 Proposal for a regulation Article 5 | |
Text proposed by the Commission |
Amendment |
Mutual recognition and acceptance |
Mutual recognition |
When an electronic identification using an electronic identification means and authentication is required under national legislation or administrative practice to access a service online, any electronic identification means issued in another Member State falling under a scheme included in the list published by the Commission pursuant to the procedure referred to in Article 7 shall be recognised and accepted for the purposes of accessing this service. |
When an electronic identification using an electronic identification means and authentication is required under Union or national legislation or administrative practice to access a service online in one Member State or provided online by Union institutions, bodies, offices and agencies, that electronic identification means issued in another Member State or by Union institutions, bodies, offices and agencies under a scheme included in the list published by the Commission pursuant to Article 7, and with a security level equal to or higher than the security level required to access the service, shall be recognised in the Member State or by Union institutions, bodies, offices and agencies for the purposes of accessing that service online, not later than six months after the list, including that scheme, is published. |
Amendment 62 Proposal for a regulation Article 6 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. Electronic identification schemes shall be eligible for notification pursuant to Article 7 if all the following conditions are met: |
1. Electronic identification schemes shall be eligible for notification pursuant to Article 7 if all the following conditions are met: |
(a) the electronic identification means are issued by, on behalf of or under the responsibility of the notifying Member State; |
(a) the electronic authentication means are either issued by the Member State, or issued by another entity as mandated by the Member State or issued independently but recognised by the notifying Member State; |
(b) the electronic identification means can be used to access at least public services requiring electronic identification in the notifying Member State; |
(b) the electronic identification means under that scheme can be used to access at least one service provided by a public sector body requiring electronic identification in the notifying Member State; |
|
(ba) the electronic identification scheme meets the requirements of the interoperability model under Article 8, |
(c) the notifying Member State ensures that the person identification data are attributed unambiguously to the natural or legal person referred to in Article 3 point 1; |
(c) the notifying Member State ensures that the person identification data are attributed to the natural or legal person as referred to in Article 3 point 1; |
(d) the notifying Member State ensures the availability of an authentication possibility online, at any time and free of charge so that any relying party can validate the person identification data received in electronic form. Member States shall not impose any specific technical requirements on relying parties established outside of their territory intending to carry out such authentication. When either the notified identification scheme or authentication possibility is breached or partly compromised, Member States shall suspend or revoke without delay the notified identification scheme or authentication possibility or the compromised parts concerned and inform the other Member States and the Commission pursuant to Article 7; |
(d) the notifying Member State ensures the availability of an authentication possibility online, at any time and, in the case of access to a service online provided by a public sector body, free of charge so that any relying party established outside the territory of that Member State can validate the person identification data received in electronic form. Member States shall not impose disproportionate technical requirements on relying parties established outside of their territory intending to carry out such authentication. When either the notified identification scheme or authentication possibility is breached or partly compromised, Member States shall suspend or revoke without delay the notified identification scheme or authentication possibility or the compromised parts concerned and inform the other Member States and the Commission pursuant to Article 7; |
(e) the notifying Member State takes liability for: |
(e) the notifying Member State takes liability for: |
- (i) the unambiguous attribution of the person identification data referred to in point (c), and |
- (i) the attribution of the person identification data referred to in point (c), and |
- (ii) the authentication possibility specified in point (d). |
- (ii) the authentication possibility specified in point (d). |
Amendment 63 Proposal for a regulation Article 7 – paragraphs 1 and 2 | |
Text proposed by the Commission |
Amendment |
1. Member States which notify an electronic identification scheme shall forward to the Commission the following information and without undue delay, any subsequent changes thereof: |
1. Member States which notify an electronic identification scheme shall forward to the Commission the following information and without undue delay, any subsequent changes thereof: |
(a) a description of the notified electronic identification scheme; |
(a) a description of the notified electronic identification scheme and its security assurance level; |
(b) the authorities responsible for the notified electronic identification scheme; |
(b) the authorities responsible for the notified electronic identification scheme; |
(c) information on by whom the registration of the unambiguous person identifiers is managed; |
(c) information on which entity or entities manage the registration of the appropriate attributes identifiers; |
|
(ca) a description of how the requirements of the interoperability framework referred to in Article 8 are met; |
(d) a description of the authentication possibility; |
(d) a description of the authentication possibility and any technical requirements imposed on relying parties; |
(e) arrangements for suspension or revocation of either the notified identification scheme or authentication possibility or the compromised parts concerned. |
(e) arrangements for suspension or revocation of either the notified authentication scheme or the compromised parts concerned. |
2. Six months after the entry into force of the Regulation, the Commission shall publish in the Official Journal of the European Union the list of the electronic identification schemes which were notified pursuant to paragraph 1 and the basic information thereon. |
2. Six months after the entry into force of the Regulation, the Commission shall publish in the Official Journal of the European Union as well as on a publicly available website the list of the electronic identification schemes which were notified pursuant to paragraph 1 and the basic information thereon. |
Amendment 64 Proposal for a regulation Article 7 a (new) | |
Text proposed by the Commission |
Amendment |
|
Article 7a |
|
Security breach |
|
1. When either the electronic identification scheme notified pursuant to Article 7(1) or the authentication possibility referred to in point (d) of Article 6(1) is breached or partly compromised in a way that would affect the reliability of that scheme for cross-border transactions, the notifying Member State shall without undue delay suspend or revoke the cross-border function of that electronic identification scheme or that authentication possibility or the compromised parts concerned and inform other Member States and the Commission thereof. |
|
2. When the breach or compromise referred to in paragraph 1 has been remedied, the notifying Member State shall re-establish the authentication and shall inform other Member States and the Commission as soon as possible. |
|
3. If the breach or compromise referred to in paragraph 1 is not remedied within three months of the suspension or revocation, the notifying Member State shall notify the withdrawal of the electronic identification scheme to the other Member States and to the Commission. The Commission shall publish without undue delay in the Official Journal of the European Union the corresponding amendments to the list referred to in Article 7(2). |
Amendment 65 Proposal for a regulation Article 7 b (new) | |
Text proposed by the Commission |
Amendment |
|
Article 7b |
|
Liability |
|
1. The notifying Member State shall be liable with regard to electronic identification means issued by it or on its behalf for any direct damage caused by non-compliance with obligations under Article 6, unless it can show that it has not acted negligently. |
|
2. The issuer of an electronic identification means recognized and notified by a Member State pursuant to the procedure referred to in Article 7 shall be liable for failure to ensure |
|
– (i) the unambiguous attribution of the personal identification data, and |
|
– (ii) the authentication possibility, |
|
unless he can show that he has not acted negligently. |
Justification | |
An important issue such as liability should, in analogy to the trust services section, be regulated separately from the notification procedure where it does not fit in. The proposed article takes account of both public as well as private e-ID schemes. | |
Amendment 66 Proposal for a regulation Article 8 | |
Text proposed by the Commission |
Amendment |
Coordination |
Coordination and interoperability |
1. Member States shall cooperate in order to ensure the interoperability of electronic identification means falling under a notified scheme and to enhance their security. |
1. Member States shall cooperate in order to ensure the interoperability of electronic identification means. The interoperability between national electronic identification infrastructures shall be ensured through an interoperability model. |
|
1a. The national electronic identification schemes notified pursuant to Article 7 shall be interoperable. |
|
1b. The interoperability framework shall meet the following criteria: |
|
(a) it shall be technology neutral and shall not discriminate between any specific national technical solutions for electronic identification within the Member State concerned; |
|
(b) it shall facilitate the implementation of the principle of privacy by design. |
|
1c. Member States and the Commission shall in particular prioritize interoperability for such e-services with the greatest cross-border relevance by: |
|
(a) exchanging best practices concerning the electronic identification means falling within a notified scheme; |
|
(b) providing and regularly updating best practices on trust and security of the electronic identification means; |
|
(c) providing and regularly updating the promotion of the use of electronic identification means. |
2. The Commission shall, by means of implementing acts, establish the necessary modalities to facilitate the cooperation between the Member States referred to in paragraph 1 with a view to fostering a high level of trust and security appropriate to the degree of risk. Those implementing acts shall concern, in particular, the exchange of information, experiences and good practice on electronic identification schemes, the peer review of notified electronic identification schemes and the examination of relevant developments arising in the electronic identification sector by the competent authorities of the Member States. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
2. The Commission shall, by means of implementing acts, establish the necessary modalities to facilitate the cooperation between the Member States referred to in paragraph 1 with a view to fostering a high level of trust and security appropriate to the degree of risk. Those implementing acts shall concern, in particular, the exchange of information, experiences and good practice on electronic identification schemes, the independent, third-party auditing of notified electronic identification schemes and the examination of relevant developments arising in the electronic identification sector by the competent authorities of the Member States. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the facilitation of cross border interoperability of electronic identification means by setting of minimum technical requirements. |
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the facilitation of cross border interoperability of electronic identification means by setting technologically neutral minimum requirements for the different security levels which shall not require changes to the fundamental design of national electronic identification schemes. |
|
3a. With regard to the cross-border exchange of personal data necessary to ensure the interoperability of electronic identification means, the provisions of Article 11(2) shall apply mutatis mutandis. |
Amendment 67 Proposal for a regulation Article 9 | |
Text proposed by the Commission |
Amendment |
1. A trust service provider shall be liable for any direct damage caused to any natural or legal person due to failure to comply with the obligations laid down in Article 15(1), unless the trust service provider can prove that he has not acted negligently. |
1. A trust service provider shall be liable for direct damage caused to any natural or legal person due to failure to comply with the obligations laid down in Article 15(1), unless the trust service provider can prove that he has not acted negligently. |
2. A qualified trust service provider shall be liable for any direct damage caused to any natural or legal person due to failure to meet the requirements laid down in this Regulation, in particular in Article 19, unless the qualified trust service provider can prove that he has not acted negligently. |
2. A qualified trust service provider shall be liable for any direct damage caused to any natural or legal person due to failure to meet the requirements laid down in this Regulation, in particular in Article 19, unless the qualified trust service provider can prove that he has not acted negligently. |
|
2a. The law applicable to trust services, particularly with regard to disputes, shall be that of the Member State in which the person receiving the service is established, unless otherwise agreed by both the service provider and the recipient. |
Amendment 68 Proposal for a regulation Article 10 – title | |
Text proposed by the Commission |
Amendment |
Trust services providers from third countries |
Qualified trust services providers from third countries |
Justification | |
As this article introduces only provisions covering qualified trust service providers, the title should be amended accordingly. | |
Amendment 69 Proposal for a regulation Article 10 - paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. Qualified trust services and qualified certificates provided by qualified trust service providers established in a third country shall be accepted as qualified trust services and qualified certificates provided by a qualified trust service providers established in the territory of the Union if the qualified trust services or qualified certificates originating from the third country are recognised under an agreement between the Union and third countries or international organisations in accordance with Article 218 TFUE. |
1. Qualified trust services and qualified certificates provided by qualified trust service providers established in a third country shall be accepted as qualified trust services and qualified certificates provided by a qualified trust service provider established in the territory of the Union if: |
|
(a) the qualified trust service provider fulfils the requirements laid down in this Regulation and has been accredited under an accreditation scheme established in a Member State; or |
|
(b) the qualified trust service provider established within the Union which fulfils the requirements laid down in this Regulation guarantees the compliance with the requirements laid down in this Regulation; or |
|
(c) the qualified trust services or qualified certificates originating from a third country are recognised under an agreement between the Union and that third country or international organisation in accordance with Article 218 TFEU. |
Amendment 70 Proposal for a regulation Article 10 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. With reference to paragraph 1, such agreements shall ensure that the requirements applicable to qualified trust services and qualified certificates provided by qualified trust service providers established in the territory of the Union are met by the trust service providers in the third countries or international organisations, especially with regard to the protection of personal data, security and supervision. |
2. With reference to paragraph 1, such agreements shall ensure that the requirements applicable to qualified trust services and qualified certificates provided by qualified trust service providers established in the territory of the Union are met by the trust service providers in the third countries or international organisations, especially the security of the trust services provided and the supervision of qualified trust service providers. |
|
The third country in question shall afford adequate protection of personal data, in accordance with Article 25(2) of Directive 95/46/EC. |
Justification | |
The rapporteur wishes to refer to the provision of EU personal data protection law which specifies that the adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations. | |
Amendment 71 Proposal for a regulation Article 11 | |
Text proposed by the Commission |
Amendment |
1. Trust service providers and supervisory bodies shall ensure fair and lawful processing in accordance with Directive 95/46/EC when processing personal data. |
1. Trust service providers and supervisory bodies shall ensure fair and lawful processing in accordance with Directive 95/46/EC and applicable national law when processing personal data. |
2. Trust service providers shall process personal data according to Directive 95/46/EC. Such processing shall be strictly limited to the minimum data needed to issue and maintain a certificate or to provide a trust service. |
2. Trust service providers shall process personal data according to Directive 95/46/EC. Such processing shall be strictly limited to the minimum data needed to issue and maintain a certificate or to provide a trust service. |
3. Trust service providers shall guarantee the confidentiality and integrity of data related to a person to whom the trust service is provided. |
3. Trust service providers shall guarantee the confidentiality and integrity of data related to a person to whom the trust service is provided, in particular by ensuring that the data used for trust service generation cannot be tracked. |
4. Without prejudice to the legal effect given to pseudonyms under national law, Member States shall not prevent trust service providers indicating in electronic signature certificates a pseudonym instead of the signatory’s name. |
4. Without prejudice to the legal effect given to pseudonyms under national law, Member States shall not prevent trust service providers indicating in electronic signature certificates a pseudonym instead of the signatory’s name. |
|
4a. Processing of personal data by or on behalf of the trust service provider, where strictly necessary to ensure network and information security for the purpose of complying with the requirements of Articles 11, 15, 16 and 19, shall be considered a legitimate interest within the meaning of point (f) of Article 7 of Directive 95/46/EC. |
Amendment 72 Proposal for a regulation Article 12 | |
Text proposed by the Commission |
Amendment |
Trust services provided and end user products used in the provision of those services shall be made accessible for persons with disabilities whenever possible. |
Trust services provided and end user products used in the provision of those services shall be made accessible for persons with disabilities in accordance with Union law. |
Amendment 73 Proposal for a regulation Article 12 – paragraph 1 a (new) | |
Text proposed by the Commission |
Amendment |
|
1a. The Commission shall establish and award trust marks to distinguish products and services accessible for persons with disabilities. |
Amendment 74 Proposal for a regulation Article 12 – paragraph 1 b (new) | |
Text proposed by the Commission |
Amendment |
|
1b. Union standards organizations are responsible for the development of assessment criteria for products and services accessible for persons with disabilities. |
Amendment 75 Proposal for a regulation Article 13 | |
Text proposed by the Commission |
Amendment |
1. Member States shall designate an appropriate body established in their territory or, upon mutual agreement, in another Member State under the responsibility of the designating Member State. Supervisory bodies shall be given all supervisory and investigatory powers that are necessary for the exercise of their tasks. |
1. Member States shall designate a supervisory body established in their territory or, upon mutual agreement, in another Member State under the responsibility of the designating Member State. The name and address of the supervisory body shall be communicated to the Commission. Supervisory bodies shall be given adequate resources and powers necessary for the exercise of their tasks. |
2. The supervisory body shall be responsible for the performance of the following tasks: |
2. The supervisory body shall perform the following tasks: |
(a) monitoring trust service providers established in the territory of the designating Member State to ensure that they fulfil the requirements laid down in Article 15; |
(a) supervising trust service providers and qualified trust service providers established in the territory of the designating Member State in order to ensure that they meet the requirements laid down in this Regulation; |
(b) undertaking supervision of qualified trust service providers established in the territory of the designating Member State and of the qualified trust services they provide in order to ensure that they and the qualified trust services provided by them meet the applicable requirements laid down in this Regulation; |
|
(c) ensuring that relevant information and data referred to in point (g) of Article 19(2), and recorded by qualified trust service providers are preserved and kept accessible after the activities of a qualified trust service provider have ceased, for an appropriate time with a view to guaranteeing continuity of the service. |
(c) ensuring that relevant information and data referred to in point (g) of Article 19(2), and recorded by qualified trust service providers are preserved and kept accessible after the activities of a qualified trust service provider have ceased, for an appropriate time, in particular taking into account the validity period of the services, with a view to guaranteeing continuity of the service. |
3. Each supervisory body shall submit a yearly report on the last calendar year's supervisory activities to the Commission and Member States by the end of the first quarter of the following year. It shall include at least: |
3. Each supervisory body shall make publicly available a yearly report on the last calendar year's supervisory activities by the end of the first quarter of the following year. It shall include at least: |
(a) information on its supervisory activities; |
(a) information on its supervisory activities; |
(b) a summary of breach notifications received from trust service providers in accordance with Article 15(2); |
(b) a summary of all breach notifications received from trust service providers in accordance with Article 15(2); |
(c) statistics on the market and usage of qualified trust services, including information on qualified trust service providers themselves, the qualified trust services they provide, the products they use and the general description of their customers. |
|
4. Member States shall notify to the Commission and other Member States the names and the addresses of their respective designated supervisory bodies. |
|
5. The Commission shall be empowered to adopt delegated acts, in accordance with Article 38, concerning the definition of procedures applicable to the tasks referred to in paragraph 2. |
|
6. The Commission may, by means of implementing acts, define the circumstances, formats and procedures for the report referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
6. The Commission may, by means of implementing acts, define the formats for the report referred to in paragraph 3. The Commission shall ensure that stakeholder input is duly taken into account. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
Amendment 76 Proposal for a regulation Article 13 a (new) | |
Text proposed by the Commission |
Amendment |
|
Article 13a |
|
Cooperation with data protection authorities |
|
Member States shall provide that the supervisory bodies referred to in Article 13 shall cooperate with Member States' data protection authorities designated pursuant to Article 28 of Directive 95/46/EC in order to enable them to ensure compliance with national data protection rules adopted pursuant to Directive 95/46/EC. |
Amendment 77 Proposal for a regulation Article 14 | |
Text proposed by the Commission |
Amendment |
1. Supervisory bodies shall cooperate with a view to exchange good practice and provide each other, within the shortest possible time, with relevant information and mutual assistance so that activities can be carried out in a consistent manner. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out inspections related to the security audits as referred to in Articles 15, 16 and 17. |
1. Supervisory bodies shall cooperate with a view to exchanging good practice. They shall provide each other, within the shortest possible time, with relevant information, and upon justified requests, provide each other with mutual assistance so that activities can be carried out in a consistent manner. Requests for mutual assistance may cover, in particular, information requests and supervisory measures, such as requests to carry out inspections related to the security audits as referred to in Articles 15, 16 and 17. |
2. A supervisory body to which a request for assistance is addressed may not refuse to comply with it unless: |
2. A supervisory body to which a request for assistance is addressed may refuse that request under any of the following conditions: |
(a) it is not competent to deal with the request; or |
(a) the supervisory body is not competent to deal with the request; or |
(b) compliance with the request would be incompatible with this Regulation. |
(b) if the requested assistance would go beyond the tasks and powers of the supervisory body set out in this Regulation and applicable legislation. |
3. Where appropriate, supervisory bodies may carry out joint investigations in which staff from other Member States’ supervisory bodies is involved. |
3. Where appropriate, supervisory bodies may carry out joint actions. |
The supervisory body of the Member State where the investigation is to take place, in compliance with its own national law, may devolve investigative tasks to the assisted supervisory body’s staff. Such powers may be exercised only under the guidance and in the presence of staff from the host supervisory body. The assisted supervisory body’s staff shall be subject to the host supervisory body’s national law. The host supervisory body shall assume responsibility for the assisted supervisory body staff’s actions. |
The supervisory body of the Member State where the investigation is to take place, in compliance with its own national law, may devolve investigative tasks to the assisted supervisory body’s staff. Such powers may be exercised only under the guidance and in the presence of staff from the host supervisory body. The assisted supervisory body’s staff shall be subject to the host supervisory body’s national law. The host supervisory body shall assume responsibility for the assisted supervisory body staff’s actions. |
4. The Commission may, by means of implementing acts, specify the formats and procedures for the mutual assistance provided for in this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
|
Amendment 78 Proposal for a regulation Article 15 | |
Text proposed by the Commission |
Amendment |
1. Trust service providers who are established in the territory of the Union shall take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide. Having regard to state of the art, these measures shall ensure that the level of security is appropriate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of adverse effects of any incidents. |
1. Trust service providers who are established in the territory of the Union shall take appropriate technical and organisational measures in accordance with existing industry best practice to manage the risks posed to the security and resilience of the trust services they provide. Having regard to technological developments, these measures shall fully respect data protection rights and ensure a level of security appropriate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of adverse effects of any incidents. Trust service providers shall also take appropriate measures to remedy any new security risks and restore the normal security level of the service. |
Without prejudice to Article 16(1), any trust service provider may submit the report of a security audit carried out by a recognised independent body to the supervisory body to confirm that appropriate security measures have been taken. |
Without prejudice to Article 16(1), any trust service provider shall, without undue delay and not later than six months following the commencement of its activities, submit the report of a compliance audit carried out by an independent body whose competence to carry out the audit has been demonstrated to confirm that appropriate security measures have been taken. |
2. Trust service providers shall, without undue delay and where feasible not later than 24 hours after having become aware of it, notify the competent supervisory body, the competent national body for information security and other relevant third parties such as data protection authorities of any breach of security or loss of integrity that has a significant impact on the trust service provided and on the personal data maintained therein. |
2. Trust service providers shall without undue delay and where feasible not later than 24 hours after having become aware of it, notify the competent supervisory body and, where appropriate, other relevant bodies such as the competent national body for information security or the data protection authorities of any breach of security or loss of integrity that has a significant impact on the trust service provided and on the personal data maintained therein. Where such notification cannot be made within 24 hours, an explanation of the reasons for the delay should accompany the notification. |
Where appropriate, in particular if a breach of security or loss of integrity concerns two or more Member States, the supervisory body concerned shall inform supervisory bodies in other Member States and the European Network and Information Security Agency (ENISA). |
Where appropriate, in particular if a breach of security or loss of integrity concerns two or more Member States, the supervisory body concerned shall inform supervisory bodies in those Member States and the European Network and Information Security Agency (ENISA). |
The supervisory body concerned may also inform the public or require the trust service provider to do so, where it determines that disclosure of the breach is in the public interest. |
The supervisory body concerned, in consultation with the trust service provider, shall inform the public or require the trust service provider to do so, where it determines that disclosure of the breach is in the public interest in order to allow them to take the necessary precautions. Publication shall normally be as soon as reasonably practicable; however the trust service provider may request a delay so that vulnerabilities can be remedied. If the supervisory body grants that request, it may be for no longer than 45 days. |
3. The supervisory body shall provide to ENISA and to the Commission once a year with a summary of breach notifications received from trust service providers. |
3. The supervisory body shall provide to the European Network and Information Security Agency (ENISA) and to the Commission once a year with a summary of breach notifications received from trust service providers. |
4. In order to implement paragraphs 1 and 2, the competent supervisory body shall have the power to issue binding instructions to trust service providers. |
4. In order to implement paragraphs 1 and 2, the competent supervisory body shall have the power to issue binding instructions to trust service providers. The supervisory body shall coordinate these binding instructions with other relevant regulatory bodies that supervise the trust service provider's activities other than the trust service provision. All such instructions shall be published. |
5. The Commission shall be empowered to adopt delegated acts, in accordance with Article 38, concerning the further specification of the measures referred to in paragraph 1. |
|
6. The Commission may, by means of implementing acts, define the circumstances, formats and procedures, including deadlines, applicable for the purpose of paragraphs 1 to 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
6. The Commission may, by means of implementing acts, define the further specification of the measures referred to in paragraph 1 and formats applicable for the purpose of paragraphs 1 to 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
Amendment 79 Proposal for a regulation Article 16 | |
Text proposed by the Commission |
Amendment |
1. Qualified trust service providers shall be audited by a recognised independent body once a year to confirm that they and the qualified trust services provided by them fulfil the requirements set out in this Regulation, and shall submit the resulting security audit report to the supervisory body. |
1. Qualified trust service providers shall be audited annually by an independent body whose competence to carry out the audit has been demonstrated to confirm that they and the qualified trust services provided by them fulfil the requirements set out in this Regulation, and shall submit the resulting compliance audit report to the supervisory body. Such audit shall also be carried out following any significant technological or organizational changes. If, after three years, the annual audit reports raise no concerns, the audits referred to in this paragraph shall be carried out every two years only. |
2. Without prejudice to paragraph 1, the supervisory body may at any time audit the qualified trust service providers to confirm that they and the qualified trust services provided by them still meet the conditions set out in this Regulation, either on its own initiative or in response to a request from the Commission. The supervisory body shall inform the data protection authorities of the results of its audits, in case personal data protection rules appear to have been breached. |
2. Without prejudice to paragraph 1, the supervisory body may at any time audit the qualified trust service providers to confirm that they and the qualified trust services provided by them meet the conditions set out in this Regulation. Where personal data protection rules as set out in Directive 95/46/EC appear to have been breached, the supervisory body shall inform the data protection authorities of the results of its audits. |
3. The supervisory body shall have the power to issue binding instructions to qualified trust service providers to remedy any failure to fulfil the requirements indicated in the security audit report. |
3. The supervisory body shall have the power to issue binding instructions to qualified trust service providers to remedy any failure to fulfil the requirements set out in this Regulation. |
4. With reference to paragraph 3, if the qualified trust service provider does not remedy any such failure within a time limit set by the supervisory body, it shall lose its qualified status and be informed by the supervisory body that its status will be changed accordingly in the trusted lists referred to in Article 18. |
4. With reference to paragraph 3, if the qualified trust service provider does not remedy any such failure within a time limit and in accordance with the procedure specified set by the supervisory body, it shall lose its qualified status and be informed by the supervisory body that its status will be changed accordingly in the trusted lists referred to in Article 18. |
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the specification of the conditions under which the independent body carrying out the audit referred to in paragraph 1 of this Article and in Article 15(1) and in Article 17(1) shall be recognised. |
|
6. The Commission may, by means of implementing acts, define the circumstances, procedures and formats applicable for the purpose of paragraphs 1, 2 and 4. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
6. The Commission may, by means of implementing acts, define the formats applicable for the purpose of paragraphs 1, 2 and 4. The Commission shall ensure that stakeholder input is duly taken into account, in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
Amendment 80 Proposal for a regulation Article 16 a (new) | |
Text proposed by the Commission |
Amendment |
|
Article 16a |
|
Supervision of trust service providers |
|
In order to facilitate supervision by the supervisory body referred to in point (a) of Article 13(2), trust service providers shall notify the supervisory body of their intention to start offering a trust service and shall inform it of the technical and organisational measures they have taken to manage the risks linked to the security of the trust services they provide in accordance with Article 15(1). |
Justification | |
Correction by the rapporteur to Amendment 35, in which the word ‘qualified’ was written by mistake. Justification for Amendment 35: the rapporteur wishes to introduce this new article in order to facilitate the work of the supervisory body in respect of trust service providers (meaning non-qualified trust service providers) and to guarantee a minimum legal value for non-qualified trust services. | |
Amendment 81 Proposal for a regulation Article 17 | |
Text proposed by the Commission |
Amendment |
1. Qualified trust service providers shall notify the supervisory body of their intention to start providing a qualified trust service and shall submit to the supervisory body a security audit report carried out by a recognised independent body, as provided for in Article 16(1). Qualified trust service providers may start to provide the qualified trust service after they have submitted the notification and security audit report to the supervisory body. |
1. Qualified trust service providers shall notify the supervisory body of their intention to provide a qualified trust service and shall submit to the supervisory body a security audit report carried out by an independent body whose competence to carry out the audit has been demonstrated, as provided for in Article 16(1). Qualified trust service providers may start to provide the qualified trust service after they have submitted the security audit report to the supervisory body, and only once they have obtained the qualified status. |
2. Once the relevant documents are submitted to the supervisory body according to paragraph 1, the qualified service providers shall be included in the trusted lists referred to in Article 18 indicating that the notification has been submitted. |
2. Once the relevant documents are submitted to the supervisory body according to paragraph 1 and the supervisory body confirms compliance, the qualified service providers shall be included in the trusted lists referred to in Article 18 indicating that the qualified status has been confirmed. |
3. The supervisory body shall verify the compliance of the qualified trust service provider and of the qualified trust services provided by it with the requirements of the Regulation. |
3. The supervisory body shall verify the compliance of the qualified trust service provider and of the qualified trust services provided by it with the requirements of the Regulation. |
The supervisory body shall indicate the qualified status of the qualified service providers and the qualified trust services they provide in the trusted lists after the positive conclusion of the verification, not later than one month after the notification has been done in accordance with paragraph 1. |
The supervisory body shall indicate the qualified status of the qualified service providers and the qualified trust services they provide in the trusted lists after the positive conclusion of the verification process without undue delay and not later than one month after such conclusion. |
If the verification is not concluded within one month, the supervisory body shall inform the qualified trust service provider specifying the reasons of the delay and the period by which the verification shall be concluded. |
If the verification is not concluded within one month, the supervisory body shall inform the qualified trust service provider specifying the reasons of the delay and the period by which the verification shall be concluded. Provided that the trust service provider has supplied the relevant documents, the verification may not exceed three months. |
4. A qualified trust service which has been subject to the notification referred to in paragraph 1 cannot be refused for the fulfilment of an administrative procedure or formality by the concerned public sector body for not being included in the lists referred to in paragraph 3. |
|
5. The Commission may, by means of implementing acts, define the circumstances, formats and procedures for the purpose of paragraphs 1, 2 and 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
5. The Commission may, by means of implementing acts, define the formats for the purpose of paragraphs 1, 2 and 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
Amendment 82 Proposal for a regulation Article 18 | |
Text proposed by the Commission |
Amendment |
1. Each Member State shall establish, maintain and publish trusted lists with information related to the qualified trust service providers for which it is competent together with information related to the qualified trust services provided by them. |
1. Each Member State shall establish, maintain and publish trusted lists with information related to the qualified trust service providers for which it is competent together with information related to the qualified trust services provided by them. |
2. Member States shall establish, maintain and publish, in a secure manner, electronically signed or sealed trusted lists provided for in paragraph 1 in a form suitable for automated processing. |
2. Member States shall establish, maintain and publish, in a secure manner, electronically signed or sealed trusted lists provided for in paragraph 1 in a form suitable for automated processing of both the list itself and the individual certificates. |
3. Member States shall notify to the Commission, without undue delay, information on the body responsible for establishing, maintaining and publishing national trusted lists, and details of where such lists are published, the certificate used to sign or seal the trusted lists and any changes thereto. |
3. Member States shall notify to the Commission, without undue delay, information on the body responsible for establishing, maintaining and publishing national trusted lists, and details of where such lists are published, the certificate used to sign or seal the trusted lists and any changes thereto. |
4. The Commission shall make available to the public, through a secure channel, the information, referred to in paragraph 3 in electronically signed or sealed form suitable for automated processing. |
4. The Commission shall make available to the public, through a secure channel, the information, referred to in paragraph 3 in electronically signed or sealed form suitable for automated processing. |
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of the information referred to in paragraph 1. |
|
6. The Commission may, by means of implementing acts, define the technical specifications and formats for trusted lists applicable for the purposes of paragraphs 1 to 4. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
6. The Commission may, by means of implementing acts, specify the information referred to in paragraph 1 and define the technical specifications and formats for trusted lists applicable for the purposes of paragraphs 1 to 4. The Commission shall ensure that stakeholder input is duly taken into account, in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
Amendment 83 Proposal for a regulation Article 18 a (new) | |
Text proposed by the Commission |
Amendment |
|
Article 18a |
|
EU trustmark for qualified trust services |
|
1. Qualified trust service providers may use an EU trustmark to present and advertise the qualified trust services which they offer that meet the requirements laid down in this Regulation. |
|
2. By using the EU trustmark for the qualified trust services referred to in paragraph 1, qualified trust service providers shall be responsible for ensuring that the services meet all applicable requirements laid down in this Regulation. |
|
3. By means of implementing acts, the Commission shall lay down specific, binding criteria relating to the presentation, composition, size and design of the EU trustmark for qualified trust services. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
Justification | |
Parliament called for the creation of a trustmark in its resolution of 11 December 2012 on completing the Digital Single Market. Its aim in doing so was to boost users’ confidence online by creating an easily recognisable European label. Bearing in mind the aim of making trust services more secure online, qualified trust service providers who meet the requirements, especially those laid down in Article 19, should be able to benefit from this label and enjoy added value in e-commerce. | |
Amendment 84 Proposal for a regulation Article 19 | |
Text proposed by the Commission |
Amendment |
1. When issuing a qualified certificate, a qualified trust service provider shall verify, by appropriate means and in accordance with national law, the identity and, if applicable, any specific attributes of the natural or legal person to whom a qualified certificate is issued. |
1. When issuing a qualified certificate, a qualified trust service provider shall verify, by appropriate means and in accordance with national law, the identity and, if applicable, any specific attributes of the natural or legal person to whom a qualified certificate is issued. |
Such information shall be verified by the qualified service provider or by an authorised third party acting under the responsibility of the qualified service provider: |
Such information shall be verified by the qualified service provider or by an authorised third party acting under the responsibility of the qualified service provider: |
(a) by a physical appearance of the natural person or of an authorised representative of the legal person, or |
(a) by a physical appearance of the natural person or of an authorised representative of the legal person, or |
(b) remotely, using electronic identification means under a notified scheme issued in compliance with point (a). |
(b) remotely, using electronic identification means under a notified scheme issued in compliance with point (a). |
2. Qualified trust service providers providing qualified trust services shall: |
2. Qualified trust service providers providing qualified trust services shall: |
(a) employ staff who possess the necessary expertise, experience, and qualifications and apply administrative and management procedures which correspond to European or international standards and have received appropriate training regarding security and personal data protection rules; |
(a) employ staff who possess the necessary expertise, experience, and qualifications and apply administrative and management procedures which correspond to European or international standards and have received appropriate training regarding security and personal data protection rules; |
(b) bear the risk of liability for damages by maintaining sufficient financial resources or by an appropriate liability insurance scheme; |
(b) bear the risk of liability for damages by maintaining sufficient financial resources or by an appropriate liability insurance scheme; |
(c) before entering into a contractual relationship, inform any person seeking to use a qualified trust service of the precise terms and conditions regarding the use of that service; |
(c) before entering into a contractual relationship, inform any person seeking to use a qualified trust service of the precise terms and conditions regarding the use of that service as well as the limitations of liability, in a clear and transparent manner; |
(d) use trustworthy systems and products which are protected against modification and guarantee the technical security and reliability of the process supported by them; |
(d) use systems and products which are protected against unauthorized modification and guarantee the technical security and reliability of the process supported by them; |
(e) use trustworthy systems to store data provided to them, in a verifiable form so that: |
(e) use systems to store data provided to them, in a verifiable form so that: |
– they are publicly available for retrieval only where the consent of the person to whom the data has been issued has been obtained, |
– they are publicly available for retrieval only where national or Union law allows for this and where the consent of the person to whom the data has been issued has been obtained, |
– only authorised persons can make entries and changes, |
– only authorised persons can make entries and changes, |
– information can be checked for authenticity; |
– information can be checked for authenticity; |
(f) take measures against forgery and theft of data; |
(f) take measures against forgery and theft of data; |
(g) record for an appropriate period of time all relevant information concerning data issued and received by the qualified trust service provider, in particular for the purpose of providing evidence in legal proceedings. Such recording may be done electronically; |
(g) record for an appropriate period of time, regardless of whether the qualified trust service provider has ceased to provide qualified trust services, relevant information concerning data issued and received by the qualified trust service provider, in particular for the purpose of providing evidence in legal proceedings. The retention of this information shall be strictly limited to the time period necessary. Such recording may be done electronically; |
(h) have an up-to-date termination plan to ensure continuity of service in accordance with arrangements issued by the supervisory body under point (c) of Article 13(2); |
(h) have an up-to-date termination plan to ensure continuity of service in accordance with arrangements issued by the supervisory body under point (c) of Article 13(2); |
(i) ensure lawful processing of personal data in accordance with Article 11. |
(i) ensure lawful processing of personal data in accordance with Article 11. |
3. Qualified trust service providers issuing qualified certificates shall register in their certificate database the revocation of the certificate within ten minutes after such revocation has taken effect. |
3. Qualified trust service providers issuing qualified certificates shall register in their certificate database the revocation of the certificate without undue delay. |
4. With regard to paragraph 3, qualified trust service providers issuing qualified certificates shall provide to any relying party information on the validity or revocation status of qualified certificates issued by them. This information shall be made available at any time at least on a certificate basis in an automated manner which is reliable, free of charge and efficient. |
4. With regard to paragraph 3, qualified trust service providers issuing qualified certificates shall provide to any relying party information on the validity or revocation status of qualified certificates issued by them. This information shall be made available at any time at least on a certificate basis in an automated manner. |
5. The Commission may, by means of implementing acts, establish reference numbers of standards for trustworthy systems and products. Compliance with the requirements laid down in Article 19 shall be presumed where trustworthy systems and products meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
5. The Commission may, by means of implementing acts, establish reference numbers of standards for systems and products. The Commission shall ensure that stakeholder input is duly taken into account, in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the requirements laid down in Article 19 shall be achieved through the compliance of systems and products with those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Amendment 85 Proposal for a regulation Article 20 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form. |
1. An electronic signature shall have legal effect and may be admissible as evidence in legal proceedings. It shall be presumed that the qualified electronic signature offers a higher level of security than other types of electronic signatures. |
Justification | |
Given the difficulties in translating the French version of the Rapporteur's amendment 43 into English, the Rapporteur decided to table a new amendment in English to rephrase this paragraph. | |
Amendment 86 Proposal for a regulation Article 20 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. A qualified electronic signature shall have the equivalent legal effect of a handwritten signature. |
2. A qualified electronic signature shall satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data. |
Justification | |
The wording of Directive 1999/93/EC appears to better take into account different national forms and procedural requirements. | |
Amendment 87 Proposal for a regulation Article 20 – paragraph 2 a (new) | |
Text proposed by the Commission |
Amendment |
|
2a. A valid qualified electronic signature shall serve as prima facie evidence of the authenticity and integrity of the electronic document associated with it. |
Justification | |
The term ‘valid’ refers to Article 25(1) of the proposal for a regulation. Only if a signature has been positively validated can it have a specific evidentiary value. | |
Amendment 88 Proposal for a regulation Article 20 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. Qualified electronic signatures shall be recognised and accepted in all Member States. |
3. Qualified electronic signatures shall be recognised and accepted in Member States and Union institutions. |
Amendment 89 Proposal for a regulation Article 20 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. If an electronic signature with a security assurance level below qualified electronic signature is required, in particular by a Member State for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic signatures matching at least the same security assurance level shall be recognised and accepted. |
4. If an electronic signature with a security assurance level below qualified electronic signature is required, by a Member State or by institutions, bodies, offices and agencies of the Union for completing a transaction offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic signatures matching at least the same security assurance level shall be recognised and accepted for access to that online service. |
Amendment 90 Proposal for a regulation Article 20 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. Member States shall not request for cross-border access to a service online offered by a public sector body an electronic signature at a higher security assurance level than qualified electronic signature. |
5. Member States shall not request for cross-border access to a service online offered by a public sector body an electronic signature at a higher security level than qualified electronic signature. |
Justification | |
The word ‘assurance’ is superfluous here. | |
Amendment 91 Proposal for a regulation Article 20 – paragraph 6 | |
Text proposed by the Commission |
Amendment |
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of the different security levels of electronic signature referred to in paragraph 4. |
deleted |
Justification | |
As the definition of the different security levels of electronic signature is a key element of the Regulation, the rapporteur takes the view that decisions on this matter should not be taken by means of delegated acts. | |
Amendment 92 Proposal for a regulation Article 20 – paragraph 7 | |
Text proposed by the Commission |
Amendment |
7. The Commission may, by means of implementing acts, establish reference numbers of standards for the security levels of electronic signature. Compliance with the security level defined in a delegated act adopted pursuant to paragraph 6 shall be presumed when an electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
7. The Commission may, by means of implementing acts, establish reference numbers of standards for the security levels of electronic signature. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the security level defined in a delegated act adopted pursuant to paragraph 6 shall be presumed when an electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Justification | |
This modification is relevant for each article throughout the text which mentions the use of standards. | |
Amendment 93 Proposal for a regulation Article 21 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the further specification of the requirements laid down in Annex I. |
deleted |
Justification | |
An implementing act appears more appropriate, therefore it has been merged with the following paragraph. | |
Amendment 94 Proposal for a regulation Article 21 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for electronic signature. Compliance with the requirements laid down in Annex I shall be presumed where a qualified certificate for electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
5. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for electronic signature. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the requirements laid down in Annex I shall be presumed where a qualified certificate for electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Justification | |
This modification is relevant for each article throughout the text which mentions the use of standards. | |
Amendment 95 Proposal for a regulation Article 22 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified electronic signature creation devices. Compliance with the requirements laid down in Annex II shall be presumed where a qualified electronic signature creation device meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
2. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified electronic signature creation devices. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the requirements laid down in Annex II shall be presumed where a qualified electronic signature creation device meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Amendment 96 Proposal for a regulation Article 23 | |
Text proposed by the Commission |
Amendment |
1. Qualified electronic signature creation devices may be certified by appropriate public or private bodies designated by Member States provided that they have been submitted to a security evaluation process carried out in accordance with one of the standards for the security assessment of information technology products included in a list that shall be established by the Commission by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
1. Qualified electronic signature creation devices shall be certified by appropriate public or private bodies designated by Member States provided that they have been submitted to a security evaluation process carried out in accordance with one of the standards for the security assessment of information technology products included in a list that shall be established by the Commission by means of implementing acts. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
2. Member States shall notify to the Commission and other Member States the names and addresses of the public or private body designated by them as referred to in paragraph 1. |
2. Member States shall notify to the Commission and other Member States the names and addresses of the public or private body designated by them as referred to in paragraph 1. |
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the establishment of specific criteria to be met by the designated bodies referred to in paragraph 1. |
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the establishment of specific criteria to be met by the designated bodies referred to in paragraph 1 for the purpose of carrying out the certification under paragraph 1. |
Justification | |
In accordance with Article 290 TFEU, the objectives, content, scope and duration of the delegation of power shall be explicitly defined in the legislative acts. The amendment adds a necessary clarification to the delegation. | |
Amendment 97 Proposal for a regulation Article 24 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. The Commission may, by means of implementing acts, define circumstances, formats and procedures applicable for the purpose of paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
3. The Commission may, by means of implementing acts, define formats and procedures applicable for the purpose of paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
Amendment 98 Proposal for a regulation Article 25 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. The Commission may, by means of implementing acts, establish reference numbers of standards for the validation of qualified electronic signatures. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation of qualified electronic signatures meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
3. The Commission may, by means of implementing acts, establish reference numbers of standards for the validation of qualified electronic signatures. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation of qualified electronic signatures meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Amendment 99 Proposal for a regulation Article 26 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified validation service referred to in paragraph 1. Compliance with the requirements laid down in point (b) of paragraph 1 shall be presumed where the validation service for qualified electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
2. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified validation service referred to in paragraph 1. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the requirements laid down in point (b) of paragraph 1 shall be presumed where the validation service for qualified electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Amendment 100 Proposal for a regulation Article 27 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. The Commission may, by means of implementing acts, establish reference numbers of standards for the preservation of qualified electronic signatures. Compliance with the requirements laid down in paragraph 1 shall be presumed where the arrangements for the preservation of qualified electronic signatures meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
3. The Commission may, by means of implementing acts, establish reference numbers of standards for the preservation of qualified electronic signatures. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the requirements laid down in paragraph 1 shall be presumed where the arrangements for the preservation of qualified electronic signatures meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Amendment 101 Proposal for a regulation Article 28 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. A qualified electronic seal shall enjoy the legal presumption of ensuring the origin and integrity of the data to which it is linked. |
2. A valid qualified electronic seal shall serve at least as prima facie evidence for the authenticity and integrity of the electronic document associated with it. This shall be without prejudice to national law on powers of attorney and representation. |
Amendment 102 Proposal for a regulation Article 28 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. A qualified electronic seal shall be recognised and accepted in all Member States. |
3. A qualified electronic seal shall be recognised in all Member States. |
Justification | |
The difference between "recognised" and "accepted" is unclear. This paragraph is, in contrast to the corresponding provisions on electronic signatures, not deleted as the concept of an (electronic) seal does not exist in all Member States. | |
Amendment 103 Proposal for a regulation Article 28 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. If an electronic seal security assurance level below the qualified electronic seal is required, in particular by a Member State for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic seals matching at a minimum the same security assurance level shall be accepted. |
4. If an electronic seal security level below the qualified electronic seal is required, in particular by a Member State for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic seals matching at a minimum the same security assurance level shall be accepted for the purpose of access to that online service. |
Justification | |
The word ‘assurance’ is superfluous here. | |
Amendment 104 Proposal for a regulation Article 28 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. Member States shall not request for accessing a service online offered by a public sector body an electronic seal with higher security assurance level than qualified electronic seals. |
5. Member States shall not request for cross-border access to a service online offered by a public sector body an electronic seal with higher security level than qualified electronic seals. |
Justification | |
The word ‘assurance’ is superfluous here. | |
Amendment 105 Proposal for a regulation Article 28 – paragraph 6 | |
Text proposed by the Commission |
Amendment |
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of different security assurance levels of electronic seals referred to in paragraph 4. |
deleted |
Justification | |
As the definition of the different security levels of electronic seals is a key element of the Regulation, the rapporteur takes the view that decisions on this matter should not be taken by means of delegated acts. | |
Amendment 106 Proposal for a regulation Article 28 – paragraph 7 | |
Text proposed by the Commission |
Amendment |
7. The Commission may, by means of implementing acts, establish reference numbers of standards for the security assurance levels of electronic seals. Compliance with the security assurance level defined in a delegated act adopted pursuant to paragraph 6 shall be presumed when an electronic seal meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
7. The Commission may, by means of implementing acts, establish reference numbers of standards for the security assurance levels of electronic seals. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the security assurance level defined in a delegated act adopted pursuant to paragraph 6 shall be presumed when an electronic seal meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Justification | |
This modification is relevant for each article throughout the text which mentions the use of standards. | |
Amendment 107 Proposal for a regulation Article 29 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. Qualified certificates for electronic seal shall not be subject to any mandatory requirements exceeding the requirements laid down in Annex III. |
2. Qualified certificates for electronic seal for cross-border use shall not be subject to any mandatory requirements exceeding the requirements laid down in Annex III. |
Amendment 108 Proposal for a regulation Article 29 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for electronic seal. Compliance with the requirements laid down in Annex III shall be presumed where a qualified certificate for electronic seal meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
5. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for electronic seal. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the requirements laid down in Annex III shall be presumed where a qualified certificate for electronic seal meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Amendment 109 Proposal for a regulation Article 30 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. Article 22 shall apply mutatis mutandis to requirements for qualified electronic seal creation devices. |
1. Article 22 shall apply mutatis mutandis to requirements for qualified electronic seal and/or stamp creation devices. |
Amendment 110 Proposal for a regulation Article 30 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. Article 23 shall apply mutatis mutandis to the certification of qualified electronic seal creation devices. |
2. Article 23 shall apply mutatis mutandis to the certification of qualified electronic seal and/or stamp creation devices. |
Amendment 111 Proposal for a regulation Article 30 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. Article 24 shall apply mutatis mutandis to the publication of a list of certified qualified electronic seal creation devices. |
3. Article 24 shall apply mutatis mutandis to the publication of a list of certified qualified electronic seal and/or stamp creation devices. |
Amendment 112 Proposal for a regulation Article 31 | |
Text proposed by the Commission |
Amendment |
Articles 25, 26 and 27 shall apply mutatis mutandis to the validation and preservation of qualified electronic seals. |
Articles 25, 26 and 27 shall apply mutatis mutandis to the validation and preservation of qualified electronic seals and/or stamps. |
Amendment 113 Proposal for a regulation Article 32 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. Qualified electronic time stamp shall enjoy a legal presumption of ensuring the time it indicates and the integrity of the data to which the time is bound. |
2. A qualified electronic time stamp shall constitute at least prima facie evidence of the correctness of the time it indicates and the integrity of the document with which it is associated. |
Amendment 114 Proposal for a regulation Article 33 | |
Text proposed by the Commission |
Amendment |
1. A qualified electronic time stamp shall meet the following requirements: |
1. A qualified electronic time stamp shall meet the following requirements: |
(a) it is accurately linked to Coordinated Universal Time (UTC) in such a manner as to preclude any possibility of the data being changed undetectably; |
(a) it is accurately linked to Coordinated Universal Time (UTC) in such a manner as to preclude any possibility of the data being changed undetectably; |
(b) it is based on an accurate time source; |
(b) it is based on an accurate time source; |
(c) it is issued by a qualified trust service provider; |
(c) it is issued by a qualified trust service provider; |
(d) it is signed using an advanced electronic signature or an advanced electronic seal of the qualified trust service provider, or by some equivalent method. |
(d) it is signed using an advanced electronic signature or an advanced electronic seal of the qualified trust service provider. |
2. The Commission may, by means of implementing acts, establish reference numbers of standards for the accurate linkage of time to data and an accurate time source. Compliance with the requirements laid down in paragraph 1 shall be presumed where an accurate linkage of time to data and an accurate time source meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
2. The Commission may, by means of implementing acts, establish reference numbers of standards for the accurate linkage of time to data and an accurate time source. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the requirements laid down in paragraph 1 shall be presumed where an accurate linkage of time to data and an accurate time source meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
The Commission shall publish those acts in the Official Journal of the European Union. |
The Commission shall publish those acts in the Official Journal of the European Union. |
Amendment 115 Proposal for a regulation Article 34 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. A document bearing a qualified electronic signature or a qualified electronic seal of the person who is competent to issue the relevant document, shall enjoy legal presumption of its authenticity and integrity provided the document does not contain any dynamic features capable of automatically changing the document. |
2. A document bearing a qualified electronic signature or a qualified electronic seal shall have the equivalent legal effect of a paper document bearing a handwritten signature or a physical seal, where this exists under national law, provided the document does not contain any dynamic features capable of automatically changing the document. |
Amendment 116 Proposal for a regulation Article 34 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. When an original document or a certified copy is required for the provision of a service online offered by a public sector body, at least electronic documents issued by the persons who are competent to issue the relevant documents and that are considered to be originals or certified copies in accordance with national law of the Member State of origin, shall be accepted in other Member States without additional requirements. |
deleted |
Justification | |
Art. 34 (3) would call into question the tried and tested instrument of the endorsement (apostille) for the recognition of foreign documents, which is also to be the subject of new regulation by the Commission. | |
Amendment 117 Proposal for a regulation Article 34 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. The Commission may, by means of implementing acts, define formats of electronic signatures and seals that shall be accepted whenever a signed or sealed document is requested by a Member State for the provision of a service online offered by a public sector body referred to in paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
deleted |
Amendment 118 Proposal for a regulation Article 35 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. Data sent or received using an electronic delivery service shall be admissible as evidence in legal proceedings with regard to the integrity of the data and the certainty of the date and time at which the data were sent to or received by a specified addressee. |
1. Data sent or received using an electronic delivery service shall be admissible as evidence in legal proceedings. |
Amendment 119 Proposal for a regulation Article 35 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. Data sent or received using a qualified electronic delivery service shall enjoy legal presumption of the integrity of the data and the accuracy of the date and time of sending or receiving the data indicated by the qualified electronic delivery system. |
2. Data sent or received using a qualified electronic delivery service shall constitute at least prima facie evidence of the authenticity of the data and the correctness of the date and time of sending or receiving the data indicated by the qualified electronic delivery system. |
Amendment 120 Proposal for a regulation Article 35 – paragraph 2 a (new) | |
Text proposed by the Commission |
Amendment |
|
2a. This Article shall be without prejudice to Regulation (EC) No 1348/2000. |
Amendment 121 Proposal for a regulation Article 35 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the specification of mechanisms for sending or receiving data using electronic delivery services, which shall be used with a view to fostering interoperability between electronic delivery services. |
deleted |
Amendment 122 Proposal for a regulation Article 36 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. The Commission may, by means of implementing acts, establish reference numbers of standards for processes for sending and receiving data. Compliance with the requirements laid down in paragraph 1 shall be presumed where the process for sending and receiving data meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
2. The Commission may, by means of implementing acts, establish reference numbers of standards for processes for sending and receiving data. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the requirements laid down in paragraph 1 shall be presumed where the process for sending and receiving data meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Amendment 123 Proposal for a regulation Article 37 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for website authentication. Compliance with the requirements laid down in Annex IV shall be presumed where a qualified certificate for website authentication meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
4. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for website authentication. The Commission shall ensure that stakeholder input is duly taken into account, preferably in the form of an impact assessment, when defining standards to be used for the purposes of this Regulation. Compliance with the requirements laid down in Annex IV shall be presumed where a qualified certificate for website authentication meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Justification | |
This modification is relevant for every article which mentions the use of standards throughout the text. | |
Amendment 124 Proposal for a regulation Article 38 | |
Text proposed by the Commission |
Amendment |
1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article. |
1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article. |
2. The power to adopt delegated acts referred to in Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) shall be conferred on the Commission for an indeterminate period of time from the entry into force of this Regulation. |
2. The power to adopt delegated acts referred to in Articles 8(3), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) shall be conferred on the Commission for a period of five years beginning on the date of the entry into force of this Regulation. The Commission shall draw up a report in respect of the delegation of power not later than six months before the end of the five-year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period. |
3. The delegation of power referred to in Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force. |
3. The delegation of power referred to in Articles 8(3), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force. |
4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council. |
4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council. The Commission may not adopt a delegated act under this Regulation without prior consultation with the relevant stakeholders. |
5. A delegated act adopted pursuant to Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council. |
5. A delegated act adopted pursuant to Articles 8(3), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council. |
Amendment 125 Proposal for a regulation Article 39 – paragraph 1 a (new) | |
Text proposed by the Commission |
Amendment |
|
1a. Implementing acts may not be adopted under this Regulation without prior consultation of industry and the relevant stakeholders. |
Amendment 126 Proposal for a regulation Article 39 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. Where reference is made to this paragraph, Article 5 of Regulation 182/2011 shall apply. |
2. Where reference is made to this paragraph, Article 4 of Regulation 182/2011 shall apply. |
Amendment 127 Proposal for a regulation Article 40 | |
Text proposed by the Commission |
Amendment |
The Commission shall report to the European Parliament and to the Council on the application of this Regulation. The first report shall be submitted no later than four years after the entry into force of this Regulation. Subsequent reports shall be submitted every four years thereafter. |
1. The Commission shall report to the European Parliament and to the Council on the application of this Regulation. The first report shall be submitted no later than two years after the entry into force of this Regulation. Subsequent reports shall be submitted every four years thereafter, accompanied, if necessary, by appropriate legislative proposals. |
|
1a. That report should evaluate whether the scope of this Regulation needs to be changed for the purposes of adaptation to developments in technology, in the market and in the legal context in the Member States and internationally; generally, the report must indicate whether the Regulation has made it possible to attain its stated objectives with regard to building trust in the online environment. |
Amendment 128 Proposal for a regulation Annex II – point 1 – point c | |
Text proposed by the Commission |
Amendment |
(c) the electronic signature creation data used for electronic signature generation cannot, with reasonable assurance, be derived and the electronic signature is protected against forgery using currently available technology; |
(c) the electronic signature creation data used for electronic signature generation cannot be derived and the electronic signature is protected against forgery using currently available technology; |
Amendment 129 Proposal for a regulation Annex III – subparagraph 1 a (new) | |
Text proposed by the Commission |
Amendment |
|
Sensitive data within the meaning of Article 8 of Directive 95/46/EC shall not be processed. |
Amendment 130 Proposal for a regulation Annex IV – subparagraph 1 a (new) | |
Text proposed by the Commission |
Amendment |
|
Sensitive data within the meaning of Article 8 of Directive 95/46/EC shall not be processed. |
Amendment 131 Proposal for a regulation Annex IV – point c | |
Text proposed by the Commission |
Amendment |
(c) a set of data unambiguously representing the legal person to whom the certificate is issued, including at least name and registration number as stated in the official records; |
(c) a set of data unambiguously representing the natural or legal person to whom the certificate is issued, including at least name and registration number as the case may be, as stated in the official records; |
Amendment 132 Proposal for a regulation Annex IV – point d | |
Text proposed by the Commission |
Amendment |
(d) elements of the address, including at least city and Member State, of the legal person to whom the certificate is issued as stated in the official records; |
(d) elements of the address, including at least city and Member State, of the natural or legal person to whom the certificate is issued as stated in the official records; |
- [1] OJ C 351, 15.11.2012, p. 73.
EXPLANATORY STATEMENT
There is no comprehensive EU cross-border and cross-sector framework for secure, trustworthy and easy-to-use electronic transactions that encompasses electronic identification, authentication and trust services. The existing EU legislation, namely Directive 1999/93/EC on a Community framework for electronic signatures, essentially covers electronic signatures only.
The Digital Agenda for Europe identifies existing barriers to Europe’s digital development and foresees legislation on trust services such as e-signatures and the mutual recognition of electronic identification and authentication, establishing a clear legal framework so as to eliminate fragmentation and the lack of interoperability, enhance digital citizenship and prevent cybercrime. Legislation ensuring the mutual recognition of electronic identification and authentication across the EU is also a key action in the Single Market Act, as well as the Roadmap for Stability and Growth. The European Parliament has repeatedly stressed the importance of the security of electronic services.
The Commission proposal consists of two parts. The first focuses on the mutual recognition and acceptance at EU level of notified electronic identification schemes. The second part purports to establish a common framework for trust services such as electronic signatures.
The Rapporteur welcomes the Commission's proposal as a good starting point and supports the efforts to establish a legal framework at EU level. The Rapporteur, however, considers that both the objectives and the content of the proposed Regulation could be further clarified, and it is important that the legislators consider the full extent of the proposal carefully. In its current form the Commission proposal is too vaguely defined to be properly evaluated by the legislator. In particular the definition of trust services needs to be further elaborated. The “universe” of trust service providers will vary depending on the definition chosen and thus so will the actors falling under the Regulation. The Rapporteur narrows the definition of trust services.
The Commission considers a Regulation to be the most appropriate legal instrument due to the direct applicability which in turn would reduce legal fragmentation and provide greater legal certainty. While this harmonised approach could be considered to benefit all the stakeholders, the Rapporteur will continue to evaluate if a more gradual approach would have been more constructive and if certain prioritisation of cross-border services to be tackled by the proposed Regulation could have been beneficial for the overall result.
The proposed Regulation empowers the Commission in many provisions to adopt delegated acts or implementing measures. The Rapporteur shares the view that such further acts and measures might contribute to the uniform application of the Regulation and may allow for further alignment of national practices based on experience gained after the Regulation applies, but the Rapporteur also has reservations about an approach that relies upon them so heavily. The Rapporteur would advise a critical look at the proposed implementing acts and therefore proposes amendments that will restrict the proposed acts strictly to technical implementation of the legal act in question in a uniform manner.
Concerning the delegated acts, the Rapporteur would like to further assess the necessity and scope of these acts and proposes a more selective approach. The Rapporteur proposes deletion of certain delegated acts until the Commission further specifies their intended scope and purpose. To the greatest extent possible, obligations should be specified in the basic act itself rather than through delegated acts. Due to the complexity of these acts, the Rapporteur reserves the possibility of considering these acts further and proposing possible further modifications by amendments to the draft report later on.
The Rapporteur is aware of the economic and social potential of this proposal but is also aware of the challenges, often very technical in their nature, that need to be addressed in order to achieve a legislative text that delivers its full potential. With regard to electronic identification schemes it is important to build interoperability without substantially altering the national solutions chosen for electronic identification. Therefore the mutual standards for ensuring technical interoperability should be technologically neutral so as to respect the various choices made by Member States.
Furthermore, another challenge will be to strike the right balance between the security elements that are essential in order to build trust and adoption by the citizens and the cost and other consequences they represent to involved players on the provider side. In this context it is important also to look into liability questions.
Finally, the Rapporteur considers that trust services provided, and end user products used in the provision of those services under the proposed Regulation, should be made accessible for persons with disabilities. Physical use of the devices should be accessible to any person with or without physical disabilities. The Rapporteur considers that in this digital age effective barrier-free participation of persons with disabilities in the European digital single market should be mainstreamed.
OPINION of the Committee on the Internal Market and Consumer Protection (*) (23.7.2013)
for the Committee on Industry, Research and Energy
on the proposal for a regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market
(COM(2012)0238 – C7‑0133/2012 – 2012/0146(COD))
Rapporteur (*): Marielle Gallo
(*) Associated committee – Rule 50 of the Rules of Procedure
SHORT JUSTIFICATION
The proposal for a regulation concerns the mutual recognition of notified electronic identification schemes, on the one hand, and electronic trust services, on the other.
It aims to expand the existing legal framework and, above all, to provide for a comprehensive transnational and cross‑sector framework for electronic transactions underpinned by legal certainty and a reliable level of security. The proposal is also consonant with the Single Market Act I as it constitutes one of the 12 key measures to boost growth and strengthen confidence in the single market.
The rapporteur would like to make the following comments:
The rapporteur supports the Commission proposal and the choice of a regulation rather than a directive; Directive 1999/93/EC, which covered only electronic signatures, has not lived up to expectations.
The rapporteur agrees with the general objectives of the proposal, which are to expand the European digital single market. The proposal therefore considerably reinforces the legal certainty of trust services, which is a prerequisite for increasing electronic transactions, in particular cross‑border electronic transactions.
The regulation will bring added value not only to national authorities, owing to the expansion of e‑government, but also to businesses, which will have more opportunities, for example, to access public procurement procedures online. There will also be added value for private individuals, who will no longer need to travel and incur the attendant costs, for example when registering at a university far from home.
Bearing in mind that trust services are a lucrative market which is set to expand further over the next decade, the rapporteur supports the approach taken in the proposal of attempting to ensure technological neutrality.
However, the rapporteur would also add that the issue of digital identity is a complex one. If an approach favouring interoperable national digital identities is an imperative, then it should not come at the expense of information system security requirements or of the fundamental principles of respect for and the protection of privacy, which is essential for boosting users’ confidence in the digital world.
The rapporteur therefore proposes introducing different security levels, a prerequisite for the principle of mutual recognition. This would also guarantee a minimum level of security, thereby boosting online security.
The rapporteur also takes the view that provisions on liability should concern only qualified trust service providers, just like in Directive 1999/93/EC.
The rapporteur welcomes the oversight provisions under Section 2 of Chapter III of the proposal. However, in order to facilitate the work of the supervisory bodies and to guarantee a minimum level of consistency as regards the legal effects of non‑qualified service providers offering trust services, the rapporteur wishes to make it an obligation for non‑qualified trust services providers to notify their intention to launch a trust service.
Given that the proposal lays down numerous supervision and security requirements for qualified trust service providers, the rapporteur proposes a new article to establish a ‘European Union’ qualified trustmark. Qualified trust service providers that meet the requirements of the regulation could use this label when presenting and advertising their qualified trust service. It would also help eligible qualified service providers to distinguish themselves from their competitors.
Lastly, the rapporteur takes the view that there are too many delegated acts in the proposal and has therefore included a number of amendments in order to limit their number.
AMENDMENTS
The Committee on the Internal Market and Consumer Protection calls on the Committee on Industry, Research and Energy, as the committee responsible, to incorporate the following amendments in its report:
Amendment 1 Proposal for a regulation Recital 11 | |
Text proposed by the Commission |
Amendment |
(11) One of the objectives of this Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States to access at least public services. This Regulation does not aim at intervening on electronic identity management systems and related infrastructures established in the Member States. The aim of this Regulation is to ensure that for the access to cross-border online services offered by the Member States, secure electronic identification and authentication is possible. |
(11) One of the objectives of this Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States to access at least public services. This Regulation does not aim at intervening on electronic identity management systems and related infrastructures established in the Member States. Rather, it aims to introduce different security levels to guarantee a minimum common set of security requirements. The aim of this Regulation is to ensure that for the access to cross-border online services offered by the Member States, secure electronic identification and authentication is possible, with full respect to technology neutrality. |
Justification | |
Unlike trust services, which are covered by a common set of security requirements, the Commission has no such provisions for electronic identification. The rapporteur takes the view that the introduction of different security levels (and consequently of a minimum level of security) is a prerequisite for the principle of mutual recognition and will help increase security in the digital world. | |
Amendment 2 Proposal for a regulation Recital 13 | |
Text proposed by the Commission |
Amendment |
(13) Some conditions need to be set in the Regulation with regard to which electronic identification means have to be accepted and how the schemes should be notified. These should help Member States to build the necessary trust in each other's electronic identification schemes and to mutually recognise and accept electronic identification means falling under their notified schemes. The principle of mutual recognition and acceptance should apply if the notifying Member State meets the conditions of notification and the notification was published in the Official Journal of the European Union. However, the access to these online services and their final delivery to the applicant should be closely linked to the right to receive such services under the conditions set by national legislation. |
(13) Some conditions need to be set in the Regulation with regard to which electronic identification means have to be accepted and how the schemes should be notified. These should help Member States to build the necessary trust in each other's electronic identification schemes and to mutually recognise and accept electronic identification means falling under their notified schemes. The principle of mutual recognition and acceptance should apply if the notifying Member State meets the conditions of notification and the notification, including the description of the notified electronic identification scheme and the information on the different security levels, was published in the Official Journal of the European Union. However, the access to these online services and their final delivery to the applicant should be closely linked to the right to receive such services under the conditions set by national legislation. |
Justification | |
Unlike trust services, which are covered by a common set of security requirements, the Commission has no such provisions for electronic identification. The rapporteur takes the view that the introduction of different security levels (and consequently of a minimum level of security) is a prerequisite for the principle of mutual recognition and will help increase security in the digital world. | |
Amendment 3 Proposal for a regulation Recital 16 | |
Text proposed by the Commission |
Amendment |
(16) Cooperation of Member States should serve the technical interoperability of the notified electronic identification schemes with a view to foster a high level of trust and security appropriate to the degree of risk. The exchange of information and the sharing of best practices between Member States with a view to their mutual recognition should help such cooperation. |
(16) Cooperation of Member States should serve the technical interoperability of the notified electronic identification schemes with a view to foster a high level of trust and security appropriate to the degree of risk. The exchange of information and the sharing of best practices between Member States with a view to their mutual recognition should help such cooperation. To ensure efficiency, interoperability and security safeguards should be addressed prior to notification. |
Amendment 4 Proposal for a regulation Recital 17 | |
Text proposed by the Commission |
Amendment |
(17) This Regulation should also establish a general legal framework for the use of electronic trust services. However, it should not create a general obligation to use them. In particular, it should not cover the provision of services based on voluntary agreements under private law. Neither should it cover aspects related to the conclusion and validity of contracts or other legal obligations where there are requirements as regards form prescribed by national or Union law. |
(17) This Regulation should also establish a general legal framework for the use of electronic trust services. However, it should not create a general obligation to use them. In particular, it should not cover the provision of services based on voluntary agreements under private law. It should also be without prejudice to provisions on the form, formation or effect of contracts or to the form, creation or validity of other private-law obligations irrespective of whether they are founded on national or Union law, for example Articles 10 and 11 of Regulation (EC) No 593/2008. Furthermore this Regulation should be without prejudice to the rules and restrictions in national or Union law on the use of documents, and should not apply to register procedures, particularly those relating to land registers and trade registers. |
Amendment 5 Proposal for a regulation Recital 20 | |
Text proposed by the Commission |
Amendment |
(20) Because of the pace of technological change, this Regulation should adopt an approach which is open to innovations. |
(20) Because of the pace of technological change, this Regulation should adopt an approach which aims at stimulating innovations. |
Amendment 6 Proposal for a regulation Recital 22 | |
Text proposed by the Commission |
Amendment |
(22) To enhance people's trust in the internal market and to promote the use of trust services and products, the notions of qualified trust services and qualified trust service provider should be introduced with a view to indicating requirements and obligations to ensure high-level security of whatever qualified trust services and products are used or provided. |
(22) To enhance trust of small and medium enterprises (SMEs) and consumers in the internal market and to promote the use of trust services and products, the notions of qualified trust services and qualified trust service provider should be introduced with a view to indicating requirements and obligations to ensure high-level security of whatever qualified trust services and products are used or provided. Both qualified and advanced electronic signatures may be legally equivalent to handwritten signatures. Nothing in this Regulation shall limit the ability of any natural or legal person to demonstrate with evidence the non-reliability of any form of electronic signature. However, in case of qualified electronic signature the burden of proof when questioning the identity of the signatory shall rest with the contesting party. |
Justification | |
It should be made clear that even a non-qualified signature can have the same effect as a handwritten one. The only difference is the burden of proof. | |
Amendment 7 Proposal for a regulation Recital 23 | |
Text proposed by the Commission |
Amendment |
(23) In line with the obligations under the UN Convention on the Rights of Persons with Disabilities that has entered into force in the EU, persons with disabilities should be able to use trust services and end user products used in the provision of those services on equal bases with other consumers. |
(23) In line with the obligations under the UN Convention on the Rights of Persons with Disabilities that has entered into force in the EU, and with respect to and in full compliance with Union legislation on accessibility of public sector bodies' websites, persons with disabilities should be able to use trust services, electronic identification services and end user products used in the provision of those services on equal bases with other consumers. |
Amendment 8 Proposal for a regulation Recital 29 | |
Text proposed by the Commission |
Amendment |
(29) Notification of security breaches and security risk assessments is essential with a view to providing adequate information to concerned parties in the event of a breach of security or loss of integrity. |
(29) Notification to the competent supervisory body by trust services providers of security breaches and security risk assessments is essential with a view to providing adequate information to concerned parties in the event of a breach of security or loss of integrity. |
Amendment 9 Proposal for a regulation Recital 34 | |
Text proposed by the Commission |
Amendment |
(34) To facilitate the supervision of qualified trust services providers, for example when a provider is providing its services in the territory of another Member State and is not subject to supervision there, or when the computers of a provider are located in the territory of another Member State than the one where it is established, a mutual assistance system between supervisory bodies in the Member States should be set up. |
(34) To facilitate the supervision of qualified trust services providers and ensure that it is effective, as stipulated in this Regulation, for example when a provider is providing its services in the territory of another Member State and is not subject to supervision there, or when the computers of a provider are located in the territory of another Member State than the one where it is established, a mutual assistance system between supervisory bodies in the Member States should be set up. The system should also aim to simplify and reduce the administrative burden on trust service providers by having a one-stop-shop supervisory body. |
Amendment 10 Proposal for a regulation Recital 39 a (new) | |
Text proposed by the Commission |
Amendment |
|
(39a) In order to boost users’ confidence online and to make it easier to identify the qualified trust services providers which meet the requirements of this Regulation, an 'EU' qualified trustmark should be created. |
Justification | |
Parliament called for the creation of a trustmark in its resolution of 11 December 2012 on completing the Digital Single Market. Its aim in doing so was to boost users’ confidence online by creating an easily recognisable European label. Bearing in mind the aim of making trust services more secure online, qualified trust service providers who meet the requirements, especially those laid down in Article 19, should be able to benefit from this label and enjoy added value in e-commerce. | |
Amendment 11 Proposal for a regulation Recital 40 a (new) | |
Text proposed by the Commission |
Amendment |
|
(40a) The creation of remote electronic signatures, where the electronic signature creation environment is managed by a trust services provider on behalf of the signatory, is set to increase in the light of its multiple economic benefits. However, in order to ensure that such electronic signatures receive the same legal recognition as electronic signatures created in an entirely user‑managed environment, remote signature services providers should apply specific management and administrative security procedures, and use reliable systems and products, including secure electronic communication channels, in order to guarantee that the electronic signature creation environment is reliable and is used under the sole control of the signatory. Where a qualified electronic signature has been created using a remote electronic signature creation device, the requirements applicable to qualified trust services providers set out in this Regulation will apply. |
Justification | |
Although the server signature service is exposed to greater risks than other services, it is of benefit to users and is set to expand. The rapporteur therefore takes the view that express reference should be made to this service in order to ensure that the supervisory audits focus on the weaknesses inherent to this type of signature. | |
Amendment 12 Proposal for a regulation Recital 42 | |
Text proposed by the Commission |
Amendment |
(42) When a transaction requires a qualified electronic seal from a legal person, a qualified electronic signature from the authorised representative of the legal person should be equally acceptable. |
(42) When national or Union law requires a qualified electronic seal from a legal person, a qualified electronic signature from the authorised representative of the legal person should be equally acceptable. |
Amendment 13 Proposal for a regulation Recital 43 | |
Text proposed by the Commission |
Amendment |
(43) Electronic seals should serve as evidence that an electronic document was issued by a legal person, ensuring certainty of the document’s origin and integrity. |
(43) Valid electronic seals should serve as prima facie evidence for the authenticity and integrity of an electronic document associated with them. This should be without prejudice to national provisions on power of attorney, representation and legal capacity. |
Amendment 14 Proposal for a regulation Recital 45 | |
Text proposed by the Commission |
Amendment |
(45) In order to enhance the cross-border use of electronic documents this Regulation should provide for the legal effect of electronic documents which should be considered as equal to paper documents dependent on the risk assessment and provided the authenticity and integrity of the documents are ensured. It is also important for further development of cross-border electronic transactions in the internal market that original electronic documents or certified copies issued by relevant competent bodies in a Member State under their national law are accepted as such also in other Member States. This Regulation should not affect Member States’ right to determine what constitutes an original or a copy at a national level but ensures that these can be used as such also across borders. |
deleted |
Amendment 15 Proposal for a regulation Recital 46 a (new) | |
Text proposed by the Commission |
Amendment |
|
(46a) Member States should ensure that the possibilities and limitations of use of electronic identification are clearly communicated to the citizens. |
Amendment 16 Proposal for a regulation Recital 49 | |
Text proposed by the Commission |
Amendment |
(49) In order to complement certain detailed technical aspects of this Regulation in a flexible and rapid manner, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of interoperability of electronic identification; security measures required of trust service providers; recognised independent bodies responsible for auditing the service providers; trusted lists; requirements related to the security levels of electronic signatures; requirements of qualified certificates for electronic signatures their validation and their preservation; the bodies responsible for the certification of qualified electronic signature creation devices; and the requirements related to the security levels of electronic seals and to qualified certificates for electronic seals; the interoperability between delivery services. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. |
(49) In order to complement certain detailed technical aspects of this Regulation in a flexible and rapid manner, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of interoperability of electronic identification; recognised independent bodies responsible for auditing the service providers; requirements of qualified certificates for electronic signatures their validation and their preservation; the bodies responsible for the certification of qualified electronic signature creation devices; and the requirements related to qualified certificates for electronic seals. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. |
Justification | |
Recital 49 needs to be modified in line with the amendments introduced by the rapporteur on delegated acts. | |
Amendment 17 Proposal for a regulation Recital 51 a (new) | |
Text proposed by the Commission |
Amendment |
|
(51a) The standardisation work carried out by international and European organisations enjoys international recognition. This work is undertaken in cooperation with the industries and stakeholders concerned, and is funded by the Union and national authorities, among others. With a view to ensuring a high level of security in electronic identification and in electronic trust services, particularly in the Commission’s drafting of delegated and implementing acts, due account should be paid to standards drawn up by organisations such as the European Committee for Standardisation (CEN), the European Telecommunications Standards Institute (ETSI), the European Committee for Electrotechnical Standardisation (CENELEC) or the International Organisation for Standardisation (ISO). |
Amendment 18 Proposal for a regulation Article 1 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. This Regulation lays down rules for electronic identification and electronic trust services for electronic transactions with a view to ensuring the proper functioning of the internal market. |
1. This Regulation lays down rules for electronic identification and trust services for electronic transactions with a view to ensuring the proper functioning of the internal market, guaranteeing a high level of security for identification means and trust services and boosting public trust in the digital world. |
Justification | |
Article 3(12) refers to trust services rather than electronic trust services. | |
Amendment 19 Proposal for a regulation Article 1 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. This Regulation establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services and website authentication. |
3. This Regulation establishes a legal framework for electronic signatures, electronic seals, electronic validation and verification, electronic time stamps, electronic documents, electronic delivery services and website authentication. |
Amendment 20 Proposal for a regulation Article 1 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. This Regulation ensures that trust services and products which comply with this Regulation are permitted to circulate freely in the internal market. |
4. This Regulation ensures that both qualified and non-qualified trust services and products which comply with this Regulation are permitted to circulate freely in the internal market. |
Justification | |
Article 3 defines ‘trust services’ and ‘products’ (see also the wording of Article 4). | |
Amendment 21 Proposal for a regulation Article 2 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. This Regulation applies to electronic identification provided by, on behalf or under the responsibility of Member States and to trust service providers established in the Union. |
1. This Regulation applies to electronic identification mandated, recognised or issued by or on behalf of Member States. |
Amendment 22 Proposal for a regulation Article 2 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. This Regulation does not apply to the provision of electronic trust services based on voluntary agreements under private law. |
2. This Regulation applies to both qualified and non-qualified trust service providers established in the Union. This Regulation does not apply to trust services which are chosen by a closed group of parties and which are used exclusively within that group. |
Amendment 23 Proposal for a regulation Article 2 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
(3) This Regulation does not apply to aspects related to the conclusion and validity of contracts or other legal obligations where there are requirements as regards form prescribed by national or Union law. |
(3) This Regulation shall be without prejudice to provisions of national or Union law on the formation or validity of contracts or other private law obligations. |
Justification | |
The wording proposed by the Commission is too imprecise for a regulation. | |
Amendment 24 Proposal for a regulation Article 2 – paragraph 3 a (new) | |
Text proposed by the Commission |
Amendment |
|
(3a) This Regulation shall be without prejudice to rules and restrictions in national or Union law on the use of documents. It shall not apply to register procedures, particularly those relating to land registers and trade registers. |
Amendment 25 Proposal for a regulation Article 3 – point 1 | |
Text proposed by the Commission |
Amendment |
(1) ‘electronic identification’ means the process of using person identification data in electronic form unambiguously representing a natural or legal person; |
(1) 'electronic identification' means the process of using person identification data in electronic form representing a natural or legal person either unambiguously or to the degree necessary for the specific purpose; |
Justification | |
The principle of data minimization should be integrated in this proposal. While some services require unambiguous identification others might not require the transfer of all data. A practical example would be a simple age verification for which other personal details are not required. | |
Amendment 26 Proposal for a regulation Article 3 – point 4 | |
Text proposed by the Commission |
Amendment |
(4) ‘authentication’ means an electronic process that allows the validation of the electronic identification of a natural or legal person; or of the origin and integrity of an electronic data; |
(4) ‘authentication’ means an electronic process that allows the validation of the electronic identification of a natural or legal person; or of the origin and integrity of electronic data; |
Amendment 27 Proposal for a regulation Article 3 – point 7 – point b | |
Text proposed by the Commission |
Amendment |
(b) it is capable of identifying the signatory; |
(b) it is capable of guaranteeing the legal validity of the identity of the signatory; |
Justification | |
The use of the term ‘identifying’ could prove confusing given that the regulation concerns electronic identification. This particular point is a definition of an advanced electronic signature, which relates to the ‘trust services’ part of the proposal (Chapter III). | |
Amendment 28 Proposal for a regulation Article 3 – point 7 – point c | |
Text proposed by the Commission |
Amendment |
(c) it is created using electronic signature creation data that the signatory can, with high level of confidence, use under his sole control; and |
(c) it is created using an electronic signature creation device that the signatory can use under his sole control; and |
Justification | |
Wording changed to bring the text into line with the terminology used in Articles 22 and 23. The expression ‘high level of confidence’ is legally meaningless. | |
Amendment 29 Proposal for a regulation Article 3 – point 7 – point d | |
Text proposed by the Commission |
Amendment |
(d) it is linked to the data to which it relates in such a way that any subsequent change in the data is detectable; |
(d) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable; |
Amendment 30 Proposal for a regulation Article 3 – point 8 | |
Text proposed by the Commission |
Amendment |
(8) ‘qualified electronic signature’ means an advanced electronic signature which is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures; |
(8) ‘qualified electronic signature’ means an advanced electronic signature which is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures issued by a qualified trust provider; |
Amendment 31 Proposal for a regulation Article 3 – point 10 | |
Text proposed by the Commission |
Amendment |
(10) ‘certificate’ means an electronic attestation which links electronic signature or seal validation data of a natural or a legal person respectively to the certificate and confirms those data of that person; |
(10) 'certificate' means an electronic attestation which links electronic signature or seal validation data with the identification data of an entity, or a natural or a legal person respectively and confirms those data of that person; |
Amendment 32 Proposal for a regulation Article 3 – point 11 | |
Text proposed by the Commission |
Amendment |
(11) ‘qualified certificate for electronic signature’ means an attestation which is used to support electronic signatures, is issued by a qualified trust service provider and meets the requirements laid down in Annex I; |
(11) ‘qualified certificate for electronic signature’ means a certificate which is used to support electronic signatures, is issued by a qualified trust service provider and meets the requirements laid down in Annex I; |
Amendment 33 Proposal for a regulation Article 3 – point 12 | |
Text proposed by the Commission |
Amendment |
(12) ‘trust service’ means any electronic service consisting in the creation, verification, validation, handling and preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication, and electronic certificates, including certificates for electronic signature and for electronic seals; |
(12) 'trust service' means an electronic service consisting in the creation, verification, validation or preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication, and electronic certificates, including certificates for electronic signature and for electronic seals; |
Amendment 34 Proposal for a regulation Article 3 – point 13 | |
Text proposed by the Commission |
Amendment |
(13) ‘qualified trust service’ means a trust service that meets the applicable requirements provided for in this Regulation; |
(13) ‘qualified trust service’ means a trust service that meets the applicable requirements laid down in this Regulation; |
Amendment 35 Proposal for a regulation Article 3 – point 19 | |
Text proposed by the Commission |
Amendment |
(19) ‘creator of a seal’ means a legal person who creates an electronic seal; |
(19) ‘creator of a seal’ means a natural or legal person who creates an electronic seal; |
Amendment 36 Proposal for a regulation Article 3 – point 20 | |
Text proposed by the Commission |
Amendment |
(20) ‘electronic seal’ means data in electronic form which are attached to or logically associated with other electronic data to ensure the origin and the integrity of the associated data; |
(20) ‘electronic seal’ means data in electronic form which are attached to or logically associated with other electronic data to ensure the authenticity and the integrity of the associated data; |
Amendment 37 Proposal for a regulation Article 3 – point 21 – point c | |
Text proposed by the Commission |
Amendment |
(c) it is created using electronic seal creation data that the creator of the seal can, with a high level of confidence under its control, use for electronic seal creation; and |
(c) it is created using an electronic seal creation device that the creator of the seal can, with a high level of confidence under its control, use for electronic seal creation; and |
Justification | |
Wording changed to bring the text into line with the terminology used in Articles 22 and 23. | |
Amendment 38 Proposal for a regulation Article 3 – point 21 – point d | |
Text proposed by the Commission |
Amendment |
(d) it is linked to the data to which it relates in such a way that any subsequent change in the data is detectable; |
(d) it is linked to the data the origin and integrity of which it attests in such a way that any subsequent change in the data is detectable; |
Amendment 39 Proposal for a regulation Article 3 – point 22 | |
Text proposed by the Commission |
Amendment |
(22) ‘qualified electronic seal’ means an advanced electronic seal which is created by a qualified electronic seal creation device, and which is based on a qualified certificate for electronic seal; |
(22) ‘qualified electronic seal’ means an advanced electronic seal which is created by a qualified electronic seal creation device, and which is based on a qualified certificate for electronic seal issued by a qualified trust service provider; |
Amendment 40 Proposal for a regulation Article 3 – point 27 | |
Text proposed by the Commission |
Amendment |
(27) ‘electronic document’ means a document in any electronic format; |
(27) ‘electronic document’ means a separate set of structured data in any electronic format; |
Amendment 41 Proposal for a regulation Article 4 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. There shall be no restriction on the provision of trust services in the territory of a Member State by a trust service provider established in another Member State for reasons which fall within the fields covered by this Regulation. |
1. There shall be no restriction on the provision of trust services in the territory of a Member State by a trust service provider established in another Member State for reasons which fall within the fields covered by this Regulation. Member States shall ensure that trust services originating from another Member State are admissible as evidence in legal proceedings. |
Amendment 42 Proposal for a regulation Article 4 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. Products which comply with this Regulation shall be permitted to circulate freely in the internal market. |
2. Products which comply with this Regulation shall circulate freely and securely in the internal market. |
Amendment 43 Proposal for a regulation Article 5 - title | |
Text proposed by the Commission |
Amendment |
Mutual recognition and acceptance |
Mutual recognition |
Amendment 44 Proposal for a regulation Article 5 | |
Text proposed by the Commission |
Amendment |
When an electronic identification using an electronic identification means and authentication is required under national legislation or administrative practice to access a service online, any electronic identification means issued in another Member State falling under a scheme included in the list published by the Commission pursuant to the procedure referred to in Article 7 shall be recognised and accepted for the purposes of accessing this service. |
When an electronic identification using an electronic identification means and authentication is required under Union or national legislation or administrative practice to access a service online in one Member State or provided online by Union institutions, bodies, offices and agencies, this electronic identification means issued in another Member State or by Union institutions, bodies, offices and agencies under a scheme included in the list published by the Commission pursuant to Article 7, and with a security level equal to or higher than the security level required to access the service, shall be recognised in the Member State or by Union institutions, bodies, offices and agencies for the purposes of accessing that service online, not later than six months after the list, including that scheme, is published. |
Amendment 45 Proposal for a regulation Article 6 – paragraph 1 – point a | |
Text proposed by the Commission |
Amendment |
(a) the electronic identification means are issued by, on behalf of or under the responsibility of the notifying Member State; |
(a) the electronic identification means are mandated, recognised or issued by or on behalf of the notifying Member State; |
Amendment 46 Proposal for a regulation Article 6 – paragraph 1 – point b | |
Text proposed by the Commission |
Amendment |
(b) the electronic identification means can be used to access at least public services requiring electronic identification in the notifying Member State; |
(b) the electronic identification means can be used to access at least public services which accept electronic identification in the notifying Member State; |
Amendment 47 Proposal for a regulation Article 6 – paragraph 1 – point c | |
Text proposed by the Commission |
Amendment |
(c) the notifying Member State ensures that the person identification data are attributed unambiguously to the natural or legal person referred to in Article 3 point 1; |
(c) the notifying Member State ensures that the person identification data are attributed to the natural or legal person referred to in Article 3 point 1 either unambiguously or to the degree necessary for the specific purpose; |
Justification | |
The principle of data minimization should be integrated in the proposal. While some services require unambiguous identification others might not require the transfer of all data. A practical example would be a simple age verification for which other personal details are not required. | |
Amendment 48 Proposal for a regulation Article 6 – paragraph 1 – point d | |
Text proposed by the Commission |
Amendment |
(d) the notifying Member State ensures the availability of an authentication possibility online, at any time and free of charge so that any relying party can validate the person identification data received in electronic form. Member States shall not impose any specific technical requirements on relying parties established outside of their territory intending to carry out such authentication. When either the notified identification scheme or authentication possibility is breached or partly compromised, Member States shall suspend or revoke without delay the notified identification scheme or authentication possibility or the compromised parts concerned and inform the other Member States and the Commission pursuant to Article 7; |
(d) the notifying Member State ensures the availability of an authentication online, at any time so that any relying party established outside of the territory of that Member State can validate the person identification data received in electronic form. Such authentication shall be provided free of charge where access to a service is provided online by a public sector body. Member States shall not impose any disproportionate specific technical requirements on relying parties intending to carry out such authentication. |
Amendment 49 Proposal for a regulation Article 6 – paragraph 1 – point e – introductory part | |
Text proposed by the Commission |
Amendment |
(e) the notifying Member State takes liability for: |
(e) the notifying Member State ensures: |
Justification | |
Liability of Member States should be addressed separately. See subsequent amendments. | |
Amendment 50 Proposal for a regulation Article 6 – paragraph 1 – point e – point i | |
Text proposed by the Commission |
Amendment |
(i) the unambiguous attribution of the person identification data referred to in point (c), and |
(i) the attribution of the person identification data referred to in point (c), and |
Amendment 51 Proposal for a regulation Article 6 – paragraph 1 – point e – subpoint ii | |
Text proposed by the Commission |
Amendment |
ii) the authentication possibility specified in point (d). |
ii) the authentication arrangements specified in point (d). |
Amendment 52 Proposal for a regulation Article 7 – paragraph 1 – point a | |
Text proposed by the Commission |
Amendment |
(a) a description of the notified electronic identification scheme; |
(a) a description of the notified electronic identification scheme and, in particular, information on the different security levels; |
Justification | |
Unlike trust services, which are covered by a common set of security requirements, the Commission has no such provisions for electronic identification. The rapporteur takes the view that the introduction of different security levels (and consequently of a minimum level of security) is a prerequisite for the principle of mutual recognition and will help increase security in the digital world. | |
Amendment 53 Proposal for a regulation Article 7 – paragraph 1 – point c | |
Text proposed by the Commission |
Amendment |
(c) information on by whom the registration of the unambiguous person identifiers is managed; |
(c) information on who is responsible for managing the registration of the person identifiers; |
Amendment 54 Proposal for a regulation Article 7 – paragraph 1 – point d | |
Text proposed by the Commission |
Amendment |
(d) a description of the authentication possibility; |
(d) a description of the authentication arrangements and in particular the minimum levels of security required and any technical requirements imposed on relying parties; |
Justification | |
Unlike trust services, which are covered by a common set of security requirements, the Commission has no such provisions for electronic identification. The rapporteur takes the view that the introduction of different security levels (and consequently of a minimum level of security) is a prerequisite for the principle of mutual recognition and will help increase security in the digital world. | |
Amendment 55 Proposal for a regulation Article 7 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. Six months after the entry into force of the Regulation, the Commission shall publish in the Official Journal of the European Union the list of the electronic identification schemes which were notified pursuant to paragraph 1 and the basic information thereon. |
2. Six months after the entry into force of the Regulation, the Commission shall publish in the Official Journal of the European Union as well as on a publicly available website the list of the electronic identification schemes which were notified pursuant to paragraph 1 and the basic information thereon. |
Justification | |
Publication on a publicly available website would ensure user friendliness. | |
Amendment 56 Proposal for a regulation Article 7 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. If the Commission receives a notification after the period referred to in paragraph 2 expired, it shall amend the list within three months. |
3. If the Commission receives a notification after the period referred to in paragraph 2 expired, it shall amend the list within one month. |
Justification | |
The time limit proposed by the Commission does not seem justified in this case. | |
Amendment 57 Proposal for a regulation Article 7 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. The Commission may, by means of implementing acts, define the circumstances, formats and procedures of the notification referred to in paragraphs 1 and 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
4. The Commission may, by means of implementing acts, define the formats and procedures of the notification referred to in paragraphs 1 and 3. The Commission shall ensure that stakeholder input is duly considered, preferably in the form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
Amendment 58 Proposal for a regulation Article 7 a (new) | |
Text proposed by the Commission |
Amendment |
|
Article 7a |
|
Security breach |
|
1. When either the electronic identification scheme notified pursuant to Article 7(1) or the authentication referred to in point (d) of Article 6(1) is breached or partly compromised in a way that would affect the reliability of that scheme for cross-border transactions, the notifying Member State shall without undue delay suspend or revoke the cross-border function of that electronic identification scheme or that authentication or the compromised parts concerned and inform other Member States and the Commission thereof. |
|
2. When the breach or compromise referred to in paragraph 1 has been remedied, the notifying Member State shall re-establish the authentication and shall inform other Member States and the Commission as soon as possible. |
|
3. If the breach or compromise referred to in paragraph 1 is not remedied within three months of the suspension or revocation, the notifying Member State shall notify the withdrawal of the electronic identification scheme to other Member States and to the Commission. The Commission shall publish without undue delay in the Official Journal of the European Union the corresponding amendments to the list referred to in Article 7(2). |
Amendment 59 Proposal for a regulation Article 7 b (new) | |
Text proposed by the Commission |
Amendment |
|
Article 7b |
|
Liability |
|
1. The notifying Member State shall be liable for any damage caused to a natural or legal person which could reasonably be expected to arise under normal circumstances as a result of its failure to comply with its obligations under points (c) and (d) of Article 6(1), unless it can show that it has acted with due diligence. |
|
2. The party issuing the electronic identification means shall be liable for any damage caused to any natural or legal person which could reasonably be expected to arise under normal circumstances as a result of its failure to ensure, consistent with the application of the identity assurance levels within national schemes: |
|
(i) the attribution of the person identification data referred to in point (ca) of Article 6(1), and |
|
(ii) the correct operation of the authentication referred to in point (d) of Article 6(1), unless it can show that it has acted with due diligence. |
|
3. Paragraphs 1 and 2 are without prejudice to the liability under national legislation of parties to a transaction in which electronic identification means falling under the notified scheme are used. |
Amendment 60 Proposal for a regulation Article 8 – title | |
Text proposed by the Commission |
Amendment |
Coordination |
Coordination and interoperability |
Amendment 61 Proposal for a regulation Article 8 – paragraph 1 a (new) | |
Text proposed by the Commission |
Amendment |
|
1a. Member States and the Commission shall in particular prioritize interoperability for such e-services with the greatest cross border relevance by: |
|
(a) exchanging best practices concerning the electronic identification means falling under a notified scheme; |
|
(b) providing and regularly updating best practices on trust and security of the electronic identification means; |
|
(c) providing regular updates on the promotion of the use of electronic identification means. |
Amendment 62 Proposal for a regulation Article 8 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the facilitation of cross border interoperability of electronic identification means by setting of minimum technical requirements. |
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the facilitation of cross border interoperability of electronic identification means by setting of minimum, technology-neutral, technical requirements. |
Amendment 63 Proposal for a regulation Article 9 – title | |
Text proposed by the Commission |
Amendment |
Liability |
Liability of qualified trust service providers |
Justification | |
The rapporteur takes the view that only qualified trust service providers should be subject to the liability scheme, as in Directive 1999/93/EC. Non-qualified service providers should be covered by the general scheme of civil and contractual liability defined in the national law of each Member State. | |
Amendment 64 Proposal for a regulation Article 9 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. A trust service provider shall be liable for any direct damage caused to any natural or legal person due to failure to comply with the obligations laid down in Article 15(1), unless the trust service provider can prove that he has not acted negligently. |
deleted |
Justification | |
The rapporteur takes the view that only qualified trust service providers should be subject to the liability scheme, as in Directive 1999/93/EC. Non-qualified service providers should be covered by the general system of civil and contractual liability defined in national law. | |
Amendment 65 Proposal for a regulation Article 9 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. A qualified trust service provider shall be liable for any direct damage caused to any natural or legal person due to failure to meet the requirements laid down in this Regulation, in particular in Article 19, unless the qualified trust service provider can prove that he has not acted negligently. |
2. A qualified trust service provider shall be liable for: |
|
(a) any damage caused to any natural or legal person which could reasonably be expected to arise under normal circumstances as a result of its failure to meet the requirements laid down in this Regulation, in particular in Article 19, unless the qualified trust service provider can prove that it has acted with due diligence; |
|
(b) point (a) shall apply mutatis mutandis where the qualified trust service provider has guaranteed, pursuant to point (b) of Article 10(1), the compliance with the requirements of this Regulation of a qualified trust service provider established in a third country, unless the qualified trust service provider established in the Union can prove that the former has acted with due diligence. |
Amendment 66 Proposal for a regulation Article 9 – paragraph 2 a (new) | |
Text proposed by the Commission |
Amendment |
|
2a. In the event of loss attributable to a qualified trust service provider as a result of failure to comply with the requirements set out in Article 19, the court with jurisdiction and the applicable law shall be those of the country in which the loss was suffered. |
Justification | |
The rapporteur wishes to specify the applicable law. | |
Amendment 67 Proposal for a regulation Article 10 – title | |
Text proposed by the Commission |
Amendment |
Trust services providers from third countries |
Qualified trust services providers from third countries |
Justification | |
As this article introduces only provisions covering qualified trust service providers, the title should be amended accordingly. | |
Amendment 68 Proposal for a regulation Article 10 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. Qualified trust services and qualified certificates provided by qualified trust service providers established in a third country shall be accepted as qualified trust services and qualified certificates provided by a qualified trust service providers established in the territory of the Union if the qualified trust services or qualified certificates originating from the third country are recognised under an agreement between the Union and third countries or international organisations in accordance with Article 218 TFUE. |
1. Qualified trust services and qualified certificates provided by qualified trust service providers established in a third country shall be accepted as qualified trust services and qualified certificates provided by a qualified trust service provider established in the territory of the Union if: |
|
(a) the qualified trust service provider fulfils the requirements laid down in this Regulation and has been accredited under an accreditation scheme established in a Member State; or |
|
(b) the qualified trust service provider established within the Union which fulfils the requirements laid down in this Regulation guarantees the compliance with the requirements laid down in this Regulation; or |
|
(c) the qualified trust services or qualified certificates originating from a third country are recognised under an agreement between the Union and that third country or international organisation in accordance with Article 218 TFEU. |
Amendment 69 Proposal for a regulation Article 10 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. With reference to paragraph 1, such agreements shall ensure that the requirements applicable to qualified trust services and qualified certificates provided by qualified trust service providers established in the territory of the Union are met by the trust service providers in the third countries or international organisations, especially with regard to the protection of personal data, security and supervision. |
2. With reference to paragraph 1, such agreements shall ensure that the requirements applicable to qualified trust services and qualified certificates provided by qualified trust service providers established in the territory of the Union are met by the trust service providers in the third countries or international organisations, especially the security of the trust services provided and the supervision of qualified trust service providers. |
|
The third country in question shall afford adequate protection of personal data, in accordance with Article 25(2) of Directive 95/46/EC. |
Justification | |
The rapporteur wishes to refer to the provision of EU personal data protection law which specifies that the adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations. | |
Amendment 70 Proposal for a regulation Article 11 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. Trust service providers and supervisory bodies shall ensure fair and lawful processing in accordance with Directive 95/46/EC when processing personal data. |
1. Trust service providers and supervisory bodies shall ensure fair and lawful processing in accordance with Directive 95/46/EC when processing personal data, adhering to the principles of data minimization. |
Amendment 71 Proposal for a regulation Article 11 – paragraph 4 a (new) | |
Text proposed by the Commission |
Amendment |
|
4a. Processing of personal data by or on behalf of the trust service provider, where strictly necessary to ensure network and information security for the purpose of complying with the requirements of Articles 11, 15, 16 and 19 of this Regulation, shall be considered a legitimate interest in the meaning of point (f) of Article 7 of Directive 95/46/EC. |
Justification | |
Processing of personal data might be necessary in case of a breach or in order to take appropriate counter measures and should be applied where this is absolutely necessary and be a "legitimate interest" under the Data Protection Directive and thus be lawful. | |
Amendment 72 Proposal for a regulation Article 12 | |
Text proposed by the Commission |
Amendment |
Trust services provided and end user products used in the provision of those services shall be made accessible for persons with disabilities whenever possible. |
Trust services provided and end user products used in the provision of those services shall be made accessible for persons with disabilities in accordance with Union law. |
Amendment 73 Proposal for a regulation Article 13 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. Member States shall designate an appropriate body established in their territory or, upon mutual agreement, in another Member State under the responsibility of the designating Member State. Supervisory bodies shall be given all supervisory and investigatory powers that are necessary for the exercise of their tasks. |
1. Member States shall designate a supervisory body established in their territory or, upon mutual agreement, in another Member State under the responsibility of the designating Member State. The designated supervisory body, its addresses and the names of responsible persons shall be communicated to the Commission. Supervisory bodies shall be given adequate resources necessary for the exercise of their tasks. |
Justification | |
The primary powers of the supervisory bodies have been established in this Regulation, however it is important that these authorities can function properly. Furthermore, "investigatory powers" might imply powers that are usually limited to law enforcement authorities, which would go beyond what is necessary. | |
Amendment 74 Proposal for a regulation Article 13 – paragraph 3 – point c | |
Text proposed by the Commission |
Amendment |
(c) statistics on the market and usage of qualified trust services, including information on qualified trust service providers themselves, the qualified trust services they provide, the products they use and the general description of their customers. |
(c) statistics on the market and usage of qualified trust services. |
Justification | |
The rapporteur takes the view that this information is not useful and should not therefore be included in the body of the regulation. | |
Amendment 75 Proposal for a regulation Article 13 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. The Commission shall be empowered to adopt delegated acts, in accordance with Article 38, concerning the definition of procedures applicable to the tasks referred to in paragraph 2. |
deleted |
Justification | |
Under Article 290, a legislative act may delegate to the Commission the power to adopt non-legislative acts of general application to supplement or amend certain non-essential elements of the legislative act. The proposed delegation would go beyond mere supplementing or amending of non-essential elements of the proposed Regulation. | |
Amendment 76 Proposal for a regulation Article 13 – paragraph 6 | |
Text proposed by the Commission |
Amendment |
6. The Commission may, by means of implementing acts, define the circumstances, formats and procedures for the report referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
6. The Commission may, by means of implementing acts, define the formats and procedures for the report referred to in paragraph 3. The Commission shall ensure that stakeholder input is duly considered, preferably in the form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
Amendment 77 Proposal for a regulation Article 14 – paragraph 2 – point b | |
Text proposed by the Commission |
Amendment |
(b) compliance with the request would be incompatible with this Regulation. |
(b) compliance with the request would be incompatible with this Regulation and applicable legislation. |
Amendment 78 Proposal for a regulation Article 14 – paragraph 3 – subparagraph 1 | |
Text proposed by the Commission |
Amendment |
3. Where appropriate, supervisory bodies may carry out joint investigations in which staff from other Member States’ supervisory bodies is involved. |
3. Where appropriate, supervisory bodies may carry out joint supervisory actions. |
Justification | |
The word "investigation" appears to be closely linked to law enforcement authorities. Furthermore, the formulation "joint actions" implies that staff from other Member States' bodies are involved, so that reference is considered redundant. | |
Amendment 79 Proposal for a regulation Article 14 – paragraph 3 – subparagraph 2 | |
Text proposed by the Commission |
Amendment |
The supervisory body of the Member State where the investigation is to take place, in compliance with its own national law, may devolve investigative tasks to the assisted supervisory body's staff. Such powers may be exercised only under the guidance and in the presence of staff from the host supervisory body. The assisted supervisory body's staff shall be subject to the host supervisory body's national law. The host supervisory body shall assume responsibility for the assisted supervisory body staff's actions. |
deleted |
Justification | |
The purpose of this paragraph is not entirely clear. If a Member State allows powers to be devolved to public bodies of other Member States, then there is no need for an EU legal base for this. However, if a Member State has the power to do so, then it naturally also has the powers to set the specific conditions and procedures. With a view to the lack of added value and the subsidiarity principle, this paragraph should be deleted. | |
Amendment 80 Proposal for a regulation Article 14 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. The Commission may, by means of implementing acts, specify the formats and procedures for the mutual assistance provided for in this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
deleted |
Justification | |
The article does not necessarily require an implementing act as the tasks of supervisory bodies are clearly set out. | |
Amendment 81 Proposal for a regulation Article 15 – paragraph 1 – subparagraph 1 | |
Text proposed by the Commission |
Amendment |
1. Trust service providers who are established in the territory of the Union shall take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide. Having regard to state of the art, these measures shall ensure that the level of security is appropriate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of adverse effects of any incidents. |
1. Trust service providers who are established in the territory of the Union shall take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide. Having regard to the technological development, these measures shall fully respect the data protection rights and ensure a level of security appropriate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of adverse effects of any significant incidents. |
Justification | |
Referring to technological development seems more appropriate and better describes the ongoing process of adapting to new technologies. Also, state of the art could be mistaken for "best technology available" which would take out cost as a factor and put a disproportionate burden on service providers, which is probably not the aim of the provision. Finally, only significant incidents should be reported to avoid disproportionate burden and information overflow for users. | |
Amendment 82 Proposal for a regulation Article 15 – paragraph 1 – subparagraph 2 | |
Text proposed by the Commission |
Amendment |
Without prejudice to Article 16(1), any trust service provider may submit the report of a security audit carried out by a recognised independent body to the supervisory body to confirm that appropriate security measures have been taken. |
Without prejudice to Article 16(1), any trust service provider shall, without undue delay and not later than six months following the commencement of its activities, submit the report of a compliance audit carried out by a recognised independent body to the supervisory body to confirm that appropriate security measures have been taken. |
Justification | |
With a view to the reliability and safety requirements of trust services, a mandatory compliance audit should always be carried out. | |
Amendment 83 Proposal for a regulation Article 15 – paragraph 2 – subparagraph 2 | |
Text proposed by the Commission |
Amendment |
Where appropriate, in particular if a breach of security or loss of integrity concerns two or more Member States, the supervisory body concerned shall inform supervisory bodies in other Member States and the European Network and Information Security Agency (ENISA). |
Where appropriate, in particular if a breach of security or loss of integrity concerns two or more Member States, the supervisory body concerned shall inform supervisory bodies in these Member States and the European Network and Information Security Agency (ENISA). |
Amendment 84 Proposal for a regulation Article 15 – paragraph 2 – subparagraph 3 | |
Text proposed by the Commission |
Amendment |
The supervisory body concerned may also inform the public or require the trust service provider to do so, where it determines that disclosure of the breach is in the public interest. |
The supervisory body concerned, in consultation with the trust service provider, may also inform the public or require the trust service provider to do so, where it determines that disclosure of the breach is in the public interest. |
Justification | |
While the ultimate decision to notify the public should rest with the public authority, a consultation with the service provider should take place as well. The provider might be better placed to assess the impact of the breach on users and the consequences for incident investigation / remedies. | |
Amendment 85 Proposal for a regulation Article 15 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. In order to implement paragraphs 1 and 2, the competent supervisory body shall have the power to issue binding instructions to trust service providers. |
4. In order to ensure compliance with paragraphs 1 and 2, the competent supervisory body shall have the power to issue binding instructions to trust service providers. |
Amendment 86 Proposal for a regulation Article 15 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. The Commission shall be empowered to adopt delegated acts, in accordance with Article 38, concerning the further specification of the measures referred to in paragraph 1. |
deleted |
Justification | |
Merged with following paragraph. | |
Amendment 87 Proposal for a regulation Article 16 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. Qualified trust service providers shall be audited by a recognised independent body once a year to confirm that they and the qualified trust services provided by them fulfil the requirements set out in this Regulation, and shall submit the resulting security audit report to the supervisory body. |
1. Qualified trust service providers shall be audited by a recognised independent body every two years and following any significant technological or organizational changes to confirm that they and the qualified trust services provided by them fulfil the requirements set out in this Regulation, and shall submit the resulting compliance audit report to the supervisory body. |
Justification | |
The report should not be limited to the security requirements but should also include all requirements for qualified trust service providers stemming from this Regulation. Furthermore, the issuance of the report every 2 years should constitute a sufficient and proportionate measure, taking account of the administrative and financial burden introduced by it. However, in case of significant changes an audit should be conducted to ensure the changes do not affect compliance. | |
Amendment 88 Proposal for a regulation Article 16 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. Without prejudice to paragraph 1, the supervisory body may at any time audit the qualified trust service providers to confirm that they and the qualified trust services provided by them still meet the conditions set out in this Regulation, either on its own initiative or in response to a request from the Commission. The supervisory body shall inform the data protection authorities of the results of its audits, in case personal data protection rules appear to have been breached. |
2. Without prejudice to paragraph 1, in case of substantiated doubts, the supervisory body may at any time audit the qualified trust service providers to confirm that they and the qualified trust services provided by them still meet the conditions set out in this Regulation, either on its own initiative or in response to a request from a supervisory body in another Member State. The supervisory body shall inform the data protection authorities of the results of its audits, in case personal data protection rules appear to have been breached. |
Justification | |
It should be clarified that such audits cannot be conducted arbitrarily but should be based on substantiated indications of non-compliance. The reference to "on request from the Commission" has been deleted since supervisory bodies are in a better position to assess the necessity of such an audit. | |
Amendment 89 Proposal for a regulation Article 16 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. The supervisory body shall have the power to issue binding instructions to qualified trust service providers to remedy any failure to fulfil the requirements indicated in the security audit report. |
3. The supervisory body shall have the power to issue binding instructions to qualified trust service providers to remedy any failure to fulfil the requirements set out in this Regulation. |
Justification | |
The original wording would mean the supervisory body would only have the power to issue binding instructions based on the security audit. It is unclear why these powers should be limited to this source of information. | |
Amendment 90 Proposal for a regulation Article 16 – paragraph 6 | |
Text proposed by the Commission |
Amendment |
6. The Commission may, by means of implementing acts, define the circumstances, procedures and formats applicable for the purpose of paragraphs 1, 2 and 4. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
6. The Commission may, by means of implementing acts, define the procedures and formats applicable for the purpose of paragraphs 1, 2 and 4. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
Amendment 91 Proposal for a regulation Article 16 a (new) | |
Text proposed by the Commission |
Amendment |
|
Article 16a |
|
Supervision of trust service providers |
|
In order to facilitate supervision by the supervisory body referred to in point (a) of Article 13(2), trust service providers shall notify the supervisory body of their intention to start offering a trust service and shall inform it of the technical and organisational measures they have taken to manage the risks linked to the security of the trust services they provide in accordance with Article 15(1). |
Justification | |
Correction by the rapporteur to Amendment 35, in which the word ‘qualified’ was written by mistake. Justification for Amendment 35: the rapporteur wishes to introduce this new article in order to facilitate the work of the supervisory body in respect of trust service providers (meaning non-qualified trust service providers) and to guarantee a minimum legal value for non-qualified trust services. | |
Amendment 92 Proposal for a regulation Article 17 | |
Text proposed by the Commission |
Amendment |
1. Qualified trust service providers shall notify the supervisory body of their intention to start providing a qualified trust service and shall submit to the supervisory body a security audit report carried out by a recognised independent body, as provided for in Article 16(1). Qualified trust service providers may start to provide the qualified trust service after they have submitted the notification and security audit report to the supervisory body. |
1. Where trust service providers intend to provide a qualified trust service, they shall submit to the supervisory body a notification of their intention together with a security audit report carried out by a recognised independent body, as provided for in Article 16(1). |
2. Once the relevant documents are submitted to the supervisory body according to paragraph 1, the qualified service providers shall be included in the trusted lists referred to in Article 18 indicating that the notification has been submitted. |
2. Once the relevant documents are submitted in accordance with paragraph 1, the supervisory body shall verify the compliance of the trust service provider and of the trust services to be provided by it with the requirements of this Regulation. |
3. The supervisory body shall verify the compliance of the qualified trust service provider and of the qualified trust services provided by it with the requirements of the Regulation. |
3. If the verification process confirms compliance with this Regulation, the supervisory body shall grant qualified status to the trust service provider and indicate such status in the trusted list referred to in Article 18, not later than one month after notification has been submitted in accordance with paragraph 1. |
The supervisory body shall indicate the qualified status of the qualified service providers and the qualified trust services they provide in the trusted lists after the positive conclusion of the verification, not later than one month after the notification has been done in accordance with paragraph 1. |
|
If the verification is not concluded within one month, the supervisory body shall inform the qualified trust service provider specifying the reasons of the delay and the period by which the verification shall be concluded. |
If the verification is not concluded within one month, the supervisory body shall inform the qualified trust service provider specifying the reasons for the delay and the period by which the verification shall be concluded. The total period shall not exceed three months. |
4. A qualified trust service which has been subject to the notification referred to in paragraph 1 cannot be refused for the fulfilment of an administrative procedure or formality by the concerned public sector body for not being included in the lists referred to in paragraph 3. |
4. A trust service which has been subject to the notification and has been granted qualified status in accordance with the procedure laid down in this Article cannot be refused for the fulfilment of an administrative procedure or formality by the concerned public sector body for not being included in the lists referred to in paragraph 3. |
5. The Commission may, by means of implementing acts, define the circumstances, formats and procedures for the purpose of paragraphs 1, 2 and 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
|
Amendment 93 Proposal for a regulation Article 18 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. Member States shall establish, maintain and publish, in a secure manner, electronically signed or sealed trusted lists provided for in paragraph 1 in a form suitable for automated processing. |
2. Member States shall establish, maintain and publish, in a secure manner, electronically signed or sealed trusted lists provided for in paragraph 1 in a form suitable for automated processing of both the list itself as well as the individual certificates. |
Justification | |
Clarification has been introduced to ensure that applications can process the certificates, which is necessary for validation in practice. | |
Amendment 94 Proposal for a regulation Article 18 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of the information referred to in paragraph 1. |
deleted |
Justification | |
The information on qualified trust service providers should be defined in an implementing act rather than a delegated act. | |
Amendment 95 Proposal for a regulation Article 18 a (new) | |
Text proposed by the Commission |
Amendment |
|
Article 18a |
|
EU trustmark for qualified trust services |
|
1. Qualified trust service providers may use an EU trustmark to present and advertise the qualified trust services they offer that meet the requirements laid down in this Regulation. |
|
2. By using the EU trustmark for qualified trust services referred to in paragraph 1, qualified trust service providers shall be responsible for ensuring that the services meet all applicable requirements laid down in this Regulation. |
|
3. By means of implementing acts, the Commission shall lay down specific, binding criteria relating to the presentation, composition, size and design of the EU trustmark for qualified trust services. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
Justification | |
Parliament called for the creation of a trustmark in its resolution of 11 December 2012 on completing the Digital Single Market. Its aim in doing so was to boost users’ confidence online by creating an easily recognisable European label. Bearing in mind the aim of making trust services more secure online, qualified trust service providers who meet the requirements, especially those laid down in Article 19, should be able to benefit from this label and enjoy added value in e-commerce. | |
Amendment 96 Proposal for a regulation Article 19 – paragraph 1 – subparagraph 1 | |
Text proposed by the Commission |
Amendment |
When issuing a qualified certificate, a qualified trust service provider shall verify, by appropriate means and in accordance with national law, the identity and, if applicable, any specific attributes of the natural or legal person to whom a qualified certificate is issued. |
When issuing a qualified certificate, a qualified trust service provider shall verify, by appropriate means and in accordance with national and Union law, the identity and, if applicable, any specific attributes of the natural or legal person to whom a qualified certificate is issued. |
Justification | |
Clarification. | |
Amendment 97 Proposal for a regulation Article 19 – paragraph 2 – point c | |
Text proposed by the Commission |
Amendment |
(c) before entering into a contractual relationship, inform any person seeking to use a qualified trust service of the precise terms and conditions regarding the use of that service; |
(c) before entering into a contractual relationship, inform any person seeking to use a qualified trust service of the precise terms and conditions regarding the use of that service, including any limitation on its use; |
Amendment 98 Proposal for a regulation Article 19 – paragraph 2 – point d | |
Text proposed by the Commission |
Amendment |
(d) use trustworthy systems and products which are protected against modification and guarantee the technical security and reliability of the process supported by them; |
(d) use systems and products which are protected against unauthorized modification and guarantee the technical security and reliability of the process supported by them; |
Justification | |
While trustworthy might imply a higher standard, the system ultimately has to comply with the requirements of this paragraph. It is unclear whether "trustworthy" constitutes an additional requirement in itself. To clarify, authorized modifications should be possible. | |
Amendment 99 Proposal for a regulation Article 19 – paragraph 2 – point e – introductory part | |
Text proposed by the Commission |
Amendment |
(e) use trustworthy systems to store data provided to them, in a verifiable form so that: |
(e) use systems to store data provided to them, in a verifiable form so that: |
Justification | |
While trustworthy might imply a higher standard, the system ultimately has to comply with the requirements of this paragraph. It is unclear whether "trustworthy" constitutes an additional requirement in itself. | |
Amendment 100 Proposal for a regulation Article 19 – paragraph 2 – point e – indent 1 | |
Text proposed by the Commission |
Amendment |
– they are publicly available for retrieval only where the consent of the person to whom the data has been issued has been obtained, |
– they are publicly available for retrieval only where national or Union law allows for this or where the consent of the person to whom the data relates has been obtained, |
Amendment 101 Proposal for a regulation Article 19 – paragraph 2 – point g | |
Text proposed by the Commission |
Amendment |
(g) record for an appropriate period of time all relevant information concerning data issued and received by the qualified trust service provider, in particular for the purpose of providing evidence in legal proceedings. Such recording may be done electronically; |
(g) record for an appropriate period of time, regardless of whether the qualified trust service provider has ceased to provide qualified trust services, all relevant information concerning data issued and received by the qualified trust service provider, in particular for the purpose of providing evidence in legal proceedings. Such recording may be done electronically; |
Justification | |
It is important that relevant information is still accessible even if the service provider has ceased its activities. | |
Amendment 102 Proposal for a regulation Article 19 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. Qualified trust service providers issuing qualified certificates shall register in their certificate database the revocation of the certificate within ten minutes after such revocation has taken effect. |
3. Qualified trust service providers issuing qualified certificates shall register the revocation of the certificate in their certificate database on the same working day that such revocation has taken effect, and if such revocation has taken effect on a weekend or public holiday, on the next working day. |
Amendment 103 Proposal for a regulation Article 19 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. With regard to paragraph 3, qualified trust service providers issuing qualified certificates shall provide to any relying party information on the validity or revocation status of qualified certificates issued by them. This information shall be made available at any time at least on a certificate basis in an automated manner which is reliable, free of charge and efficient. |
4. With regard to paragraph 3, qualified trust service providers issuing qualified certificates shall provide to any relying party information on the validity or revocation status of qualified certificates issued by them. This information shall be made available at any time at least on a certificate basis in an automated manner. |
Justification | |
It is unclear what "efficient" and "reliable" mean exactly. "Available at any time" already implies reliability. Furthermore, in contrast to public sector services, private sector solutions cannot always be free of charge. Parties using such services should be free to choose their underlying business model. | |
Amendment 104 Proposal for a regulation Article 19 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. The Commission may, by means of implementing acts, establish reference numbers of standards for trustworthy systems and products. Compliance with the requirements laid down in Article 19 shall be presumed where trustworthy systems and products meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
5. The Commission may, by means of implementing acts, establish reference numbers of standards for trustworthy systems and products. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the requirements laid down in Article 19 shall be presumed where trustworthy systems and products meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Justification | |
This modification is relevant for each article throughout the text which mentions the use of standards. | |
Amendment 105 Proposal for a regulation Article 20 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form. |
1. An electronic signature shall have legal effect and may be admissible as evidence in legal proceedings. It shall be taken into account that the qualified electronic signature offers a higher level of security than other types of electronic signatures. |
Justification | |
Given the difficulties in translating the French version of the Rapporteur's amendment 43 into English, the Rapporteur decided to table a new amendment in English to rephrase this paragraph. | |
Amendment 106 Proposal for a regulation Article 20 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. A qualified electronic signature shall have the equivalent legal effect of a handwritten signature. |
2. A qualified electronic signature shall satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data; |
Justification | |
The wording of Directive 1999/93/EC appears to better take into account different national forms and procedural requirements. | |
Amendment 107 Proposal for a regulation Article 20 – paragraph 2 a (new) | |
Text proposed by the Commission |
Amendment |
|
2a. A valid qualified electronic signature shall serve as prima facie evidence for the authenticity and integrity of the electronic document associated with it. |
Justification | |
The term ‘valid’ refers to Article 25(1) of the proposal for a regulation. Only if a signature has been positively validated can it have a specific evidentiary value. | |
Amendment 108 Proposal for a regulation Article 20 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. Qualified electronic signatures shall be recognised and accepted in all Member States. |
3. Qualified electronic signatures shall be recognised and accepted in Member States and institutions of the Union. |
Amendment 109 Proposal for a regulation Article 20 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. If an electronic signature with a security assurance level below qualified electronic signature is required, in particular by a Member State for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic signatures matching at least the same security assurance level shall be recognised and accepted. |
4. If an electronic signature with a security assurance level below qualified electronic signature is required, by a Member State or by institutions, bodies, offices and agencies of the Union for completing a transaction offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic signatures matching at least the same security assurance level shall be recognised and accepted for access to that online service. |
Amendment 110 Proposal for a regulation Article 20 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. Member States shall not request for cross-border access to a service online offered by a public sector body an electronic signature at a higher security assurance level than qualified electronic signature. |
5. Member States shall not request for cross-border access to a service online offered by a public sector body an electronic signature at a higher security level than qualified electronic signature. |
Justification | |
The word ‘assurance’ is superfluous here. | |
Amendment 111 Proposal for a regulation Article 20 – paragraph 6 | |
Text proposed by the Commission |
Amendment |
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of the different security levels of electronic signature referred to in paragraph 4. |
deleted |
Justification | |
As the definition of the different security levels of electronic signature is a key element of the Regulation, the rapporteur takes the view that decisions on this matter should not be taken by means of delegated acts. | |
Amendment 112 Proposal for a regulation Article 20 – paragraph 7 | |
Text proposed by the Commission |
Amendment |
7. The Commission may, by means of implementing acts, establish reference numbers of standards for the security levels of electronic signature. Compliance with the security level defined in a delegated act adopted pursuant to paragraph 6 shall be presumed when an electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
7. The Commission may, by means of implementing acts, establish reference numbers of standards for the security levels of electronic signature. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the security level defined in a delegated act adopted pursuant to paragraph 6 shall be presumed when an electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Justification | |
This modification is relevant for each article throughout the text which mentions the use of standards. | |
Amendment 113 Proposal for a regulation Article 21 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the further specification of the requirements laid down in Annex I. |
deleted |
Justification | |
An implementing act appears more appropriate, therefore it has been merged with the following paragraph. | |
Amendment 114 Proposal for a regulation Article 21 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for electronic signature. Compliance with the requirements laid down in Annex I shall be presumed where a qualified certificate for electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
5. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for electronic signature. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the requirements laid down in Annex I shall be presumed where a qualified certificate for electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Justification | |
This modification is relevant for each article throughout the text which mentions the use of standards. | |
Amendment 115 Proposal for a regulation Article 22 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified electronic signature creation devices. Compliance with the requirements laid down in Annex II shall be presumed where a qualified electronic signature creation device meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
2. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified electronic signature creation devices. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the requirements laid down in Annex II shall be presumed where a qualified electronic signature creation device meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Justification | |
This modification is relevant for each article throughout the text which mentions the use of standards. | |
Amendment 116 Proposal for a regulation Article 23 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. Qualified electronic signature creation devices may be certified by appropriate public or private bodies designated by Member States provided that they have been submitted to a security evaluation process carried out in accordance with one of the standards for the security assessment of information technology products included in a list that shall be established by the Commission by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
1. Qualified electronic signature creation devices must be certified by public or private certification bodies designated by Member States following a security evaluation process carried out in accordance with one of the standards for the security assessment of information technology products included in a list that shall be established by the Commission by means of implementing acts. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Justification | |
The certification process is crucial in ensuring the security of electronic services. If it is not made mandatory, it is unlikely that providers will take the trouble to have their services certified. However, parties wishing to make use of validation services provided by a trust service provider need to know whether signature creation devices are trustworthy. Mandatory certification by a certification body would thus appear to be indispensable. | |
Amendment 117 Proposal for a regulation Article 25 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. The Commission may, by means of implementing acts, establish reference numbers of standards for the validation of qualified electronic signatures. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation of qualified electronic signatures meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
3. The Commission may, by means of implementing acts, establish reference numbers of standards for the validation of qualified electronic signatures. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation of qualified electronic signatures meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Justification | |
This modification is relevant for each article throughout the text which mentions the use of standards. | |
Amendment 118 Proposal for a regulation Article 26 – paragraph 1 – point b | |
Text proposed by the Commission |
Amendment |
(b) allows relying parties to receive the result of the validation process in an automated manner which is reliable, efficient and bearing the advanced electronic signature or advanced electronic seal of the provider of the qualified validation service. |
(b) allows relying parties to receive the result of the validation process in an automated manner bearing the advanced electronic signature or advanced electronic seal of the provider of the qualified validation service. |
Justification | |
It is unclear what is meant by "efficient and reliable". In any case, this should be left to the business model of the service provider as it lies in their very own interest to offer efficient and reliable services to users. | |
Amendment 119 Proposal for a regulation Article 26 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified validation service referred to in paragraph 1. Compliance with the requirements laid down in point (b) of paragraph 1 shall be presumed where the validation service for qualified electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
2. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified validation service referred to in paragraph 1. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the requirements laid down in point (b) of paragraph 1 shall be presumed where the validation service for qualified electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Justification | |
This modification is relevant for each article throughout the text which mentions the use of standards. | |
Amendment 120 Proposal for a regulation Article 27 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. The Commission may, by means of implementing acts, establish reference numbers of standards for the preservation of qualified electronic signatures. Compliance with the requirements laid down in paragraph 1 shall be presumed where the arrangements for the preservation of qualified electronic signatures meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
3. The Commission may, by means of implementing acts, establish reference numbers of standards for the preservation of qualified electronic signatures. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the requirements laid down in paragraph 1 shall be presumed where the arrangements for the preservation of qualified electronic signatures meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Justification | |
This modification is relevant for each article throughout the text which mentions the use of standards. | |
Amendment 121 Proposal for a regulation Article 28 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. A qualified electronic seal shall enjoy the legal presumption of ensuring the origin and integrity of the data to which it is linked. |
2. A valid qualified electronic seal shall serve at least as prima facie evidence for the authenticity and integrity of the electronic document associated with it. This shall be without prejudice to national provisions on power of attorney and representation. |
Amendment 122 Proposal for a regulation Article 28 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. A qualified electronic seal shall be recognised and accepted in all Member States. |
3. A qualified electronic seal shall be recognised in all Member States. |
Justification | |
The difference between "recognised" and "accepted" is unclear. This paragraph is, in contrast to the corresponding provisions on electronic signatures, not deleted as the concept of an (electronic) seal does not exist in all Member States. | |
Amendment 123 Proposal for a regulation Article 28 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. If an electronic seal security assurance level below the qualified electronic seal is required, in particular by a Member State for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic seals matching at a minimum the same security assurance level shall be accepted. |
4. If an electronic seal security level below the qualified electronic seal is required, in particular by a Member State for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic seals matching at a minimum the same security assurance level shall be accepted for access to that online service. |
Justification | |
The word ‘assurance’ is superfluous here. | |
Amendment 124 Proposal for a regulation Article 28 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. Member States shall not request for accessing a service online offered by a public sector body an electronic seal with higher security assurance level than qualified electronic seals. |
5. Member States shall not request for cross-border access to a service online offered by a public sector body an electronic seal with higher security level than qualified electronic seals. |
Justification | |
The word ‘assurance’ is superfluous here. | |
Amendment 125 Proposal for a regulation Article 28 – paragraph 6 | |
Text proposed by the Commission |
Amendment |
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of different security assurance levels of electronic seals referred to in paragraph 4. |
deleted |
Justification | |
As the definition of the different security levels of electronic seals is a key element of the Regulation, the rapporteur takes the view that decisions on this matter should not be taken by means of delegated acts. | |
Amendment 126 Proposal for a regulation Article 28 – paragraph 7 | |
Text proposed by the Commission |
Amendment |
7. The Commission may, by means of implementing acts, establish reference numbers of standards for the security assurance levels of electronic seals. Compliance with the security assurance level defined in a delegated act adopted pursuant to paragraph 6 shall be presumed when an electronic seal meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
7. The Commission may, by means of implementing acts, establish reference numbers of standards for the security assurance levels of electronic seals. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the security assurance level defined in a delegated act adopted pursuant to paragraph 6 shall be presumed when an electronic seal meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Justification | |
This modification is relevant for each article throughout the text which mentions the use of standards. | |
Amendment 127 Proposal for a regulation Article 29 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for electronic seal. Compliance with the requirements laid down in Annex III shall be presumed where a qualified certificate for electronic seal meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
5. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for electronic seal. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the requirements laid down in Annex III shall be presumed where a qualified certificate for electronic seal meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Justification | |
This modification is relevant for each article throughout the text which mentions the use of standards. | |
Amendment 128 Proposal for a regulation Article 32 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. Qualified electronic time stamp shall enjoy a legal presumption of ensuring the time it indicates and the integrity of the data to which the time is bound. |
2. A qualified electronic time stamp shall constitute at least prima facie evidence of the correctness of the time it indicates and the integrity of the document with which it is associated. |
Amendment 129 Proposal for a regulation Article 33 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. The Commission may, by means of implementing acts, establish reference numbers of standards for the accurate linkage of time to data and an accurate time source. Compliance with the requirements laid down in paragraph 1 shall be presumed where an accurate linkage of time to data and an accurate time source meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
2. The Commission may, by means of implementing acts, establish reference numbers of standards for the accurate linkage of time to data and an accurate time source. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the requirements laid down in paragraph 1 shall be presumed where an accurate linkage of time to data and an accurate time source meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Justification | |
This modification is relevant for each article throughout the text which mentions the use of standards. | |
Amendment 130 Proposal for a regulation Article 34 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. An electronic document shall be considered as equivalent to a paper document and admissible as evidence in legal proceedings, having regard to its assurance level of authenticity and integrity. |
1. An electronic document shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic format. |
Amendment 131 Proposal for a regulation Article 34 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. A document bearing a qualified electronic signature or a qualified electronic seal of the person who is competent to issue the relevant document, shall enjoy legal presumption of its authenticity and integrity provided the document does not contain any dynamic features capable of automatically changing the document. |
2. A document bearing a qualified electronic signature or a qualified electronic seal, shall have the equivalent legal effect of a paper document bearing a handwritten signature or a physical seal, where this exists under national law, provided the document does not contain any dynamic features capable of automatically changing the document. |
Amendment 132 Proposal for a regulation Article 34 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. When an original document or a certified copy is required for the provision of a service online offered by a public sector body, at least electronic documents issued by the persons who are competent to issue the relevant documents and that are considered to be originals or certified copies in accordance with national law of the Member State of origin, shall be accepted in other Member States without additional requirements. |
deleted |
Justification | |
Art. 34 (3) would call into question the tried and tested instrument of the endorsement (apostille) for the recognition of foreign documents, which is also to be the subject of new regulation by the Commission. | |
Amendment 133 Proposal for a regulation Article 34 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. The Commission may, by means of implementing acts, define formats of electronic signatures and seals that shall be accepted whenever a signed or sealed document is requested by a Member State for the provision of a service online offered by a public sector body referred to in paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
deleted |
Amendment 134 Proposal for a regulation Article 35 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. Data sent or received using an electronic delivery service shall be admissible as evidence in legal proceedings with regard to the integrity of the data and the certainty of the date and time at which the data were sent to or received by a specified addressee. |
1. Data sent or received using an electronic delivery service shall be admissible as evidence in legal proceedings. |
Amendment 135 Proposal for a regulation Article 35 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. Data sent or received using a qualified electronic delivery service shall enjoy legal presumption of the integrity of the data and the accuracy of the date and time of sending or receiving the data indicated by the qualified electronic delivery system. |
2. Data sent or received using a qualified electronic delivery service shall constitute at least prima facie evidence of the authenticity of the data and the correctness of the date and time of sending or receiving the data indicated by the qualified electronic delivery system. |
Amendment 136 Proposal for a regulation Article 35 – paragraph 2 a (new) | |
Text proposed by the Commission |
Amendment |
|
2a. This Article shall be without prejudice to Regulation (EC) No 1348/2000. |
Amendment 137 Proposal for a regulation Article 35 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the specification of mechanisms for sending or receiving data using electronic delivery services, which shall be used with a view to fostering interoperability between electronic delivery services. |
deleted |
Amendment 138 Proposal for a regulation Article 36 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. The Commission may, by means of implementing acts, establish reference numbers of standards for processes for sending and receiving data. Compliance with the requirements laid down in paragraph 1 shall be presumed where the process for sending and receiving data meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
2. The Commission may, by means of implementing acts, establish reference numbers of standards for processes for sending and receiving data. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the requirements laid down in paragraph 1 shall be presumed where the process for sending and receiving data meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Justification | |
This modification is relevant for each article throughout the text which mentions the use of standards. | |
Amendment 139 Proposal for a regulation Article 37 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for website authentication. Compliance with the requirements laid down in Annex IV shall be presumed where a qualified certificate for website authentication meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
4. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified certificates for website authentication. The Commission shall ensure, that stakeholder input is duly considered, preferably in form of an impact assessment, when defining standards to be used for the purpose of this Regulation. Compliance with the requirements laid down in Annex IV shall be presumed where a qualified certificate for website authentication meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Justification | |
This modification is relevant for each article throughout the text which mentions the use of standards. | |
Amendment 140 Proposal for a regulation Article 38 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. The power to adopt delegated acts referred to in Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) shall be conferred on the Commission for an indeterminate period of time from the entry into force of this Regulation. |
2. The power to adopt delegated acts referred to in Articles 8(3), 16(5), 23(3), 25(2), 27(2), 29(4), 30(2), 31 and 37(3) shall be conferred on the Commission for an indeterminate period of time from the entry into force of this Regulation. |
Amendment 141 Proposal for a regulation Article 38 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. The delegation of power referred to in Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) may be revoked at any time by the European Parliament or by the Council. The revocation decision shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated act already in force. |
3. The delegation of power referred to in Articles 8(3), 16(5), 23(3), 25(2), 27(2), 29(4), 30(2), 31 and 37(3) may be revoked at any time by the European Parliament or by the Council. The revocation decision shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated act already in force. |
Amendment 142 Proposal for a regulation Article 38 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. A delegated act adopted pursuant to Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council. |
5. A delegated act adopted pursuant to Articles 8(3), 16(5), 23(3), 25(2), 27(2), 29(4), 30(2), 31 and 37(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council. |
Amendment 143 Proposal for a regulation Article 40 | |
Text proposed by the Commission |
Amendment |
The Commission shall report to the European Parliament and to the Council on the application of this Regulation. The first report shall be submitted no later than four years after the entry into force of this Regulation. Subsequent reports shall be submitted every four years thereafter. |
The Commission shall report to the European Parliament and to the Council on the application of this Regulation. The first report shall be submitted no later than two years after the entry into force of this Regulation. Subsequent reports shall be submitted every four years thereafter. |
Justification | |
With all the new elements that have been added to the regulation and given that it is directly applicable in the Member States, the rapporteur takes the view that the first assessment report should be submitted at the most two years after the entry into force of the regulation. | |
Amendment 144 Proposal for a regulation Article 40 – paragraph 1 a (new) | |
Text proposed by the Commission |
Amendment |
|
1a. The report must make it possible to establish whether the scope of this Regulation needs to be changed for the purposes of adaptation to developments in technology, in the market and in the legal context in the Member States and internationally; generally, the report must indicate whether the Regulation has made it possible to attain its stated objectives with regard to building trust in the online environment. The report must, in particular, include an assessment of the application of Articles 13, 16 and 19. The report shall be accompanied by legislative proposals, if necessary. |
Amendment 145 Proposal for a regulation Article 40 – paragraph 1 b (new) | |
Text proposed by the Commission |
Amendment |
|
1b. The report must make it possible to establish whether the scope of this Regulation needs to be changed for the purposes of adaptation to developments in technology, in the market and in the legal context in the Member States and internationally; generally, the report must indicate whether the Regulation has made it possible to attain its stated objectives with regard to building trust in the online environment. The report must, in particular, include an assessment of the application of Articles 13, 16 and 19. The report shall be accompanied by legislative proposals, if necessary. |
Amendment 146 Proposal for a regulation Annex III – paragraph 1 – point b – subparagraph 2 a (new) | |
Text proposed by the Commission |
Amendment |
|
Sensitive data within the meaning of Article 8 of Directive 95/46/CE shall not be processed. |
Amendment 147 Proposal for a regulation Annex IV – paragraph 1 – point b – subparagraph 2 a (new) | |
Text proposed by the Commission |
Amendment |
|
Sensitive data within the meaning of Article 8 of Directive 95/46/CE shall not be processed. |
PROCEDURE
Title | Electronic identification and trust services for electronic transactions in the internal market |
References | COM(2012)0238 – C7-0133/2012 – 2012/0146(COD) |
Committee responsible Date announced in plenary | ITRE 14.6.2012 |
Opinion by Date announced in plenary | IMCO 14.6.2012 |
Associated committee(s) - date announced in plenary | 7.2.2013 |
Rapporteur Date appointed | Marielle Gallo 21.6.2012 |
Discussed in committee | 21.2.2013, 24.4.2013, 8.7.2013 |
Date adopted | 9.7.2013 |
Result of final vote | +: 31, –: 0, 0: 2 |
Members present for the final vote | Claudette Abela Baldacchino, Pablo Arias Echeverría, Adam Bielan, Preslav Borissov, Sergio Gaetano Cofferati, Birgit Collin-Langen, Lara Comi, Anna Maria Corazza Bildt, Cornelis de Jong, Vicente Miguel Garcés Ramón, Evelyne Gebhardt, Thomas Händel, Małgorzata Handzlik, Philippe Juvin, Edvard Kožušník, Toine Manders, Sirpa Pietikäinen, Phil Prendergast, Robert Rochefort, Heide Rühle, Christel Schaldemose, Andreas Schwab, Róża Gräfin von Thun und Hohenstein, Emilie Turunen, Bernadette Vergnaud, Barbara Weiler |
Substitute(s) present for the final vote | Jürgen Creutzmann, Marielle Gallo, Ildikó Gáll-Pelcz, María Irigoyen Pérez, Roberta Metsola, Olle Schmidt, Sabine Verheyen |
OPINION of the Committee on Legal Affairs (26.6.2013)
for the Committee on Industry, Research and Energy
on the proposal for a regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market
(COM(2012)0238 – C7‑0133/2012 – 2012/0146(COD))
Rapporteur: Alajos Mészáros
SHORT JUSTIFICATION
On 4 June 2012, the Commission proposed a regulation on electronic identification and trust services for electronic transactions in the internal market, as the last of 12 key actions proposed in the Single Market Act. The proposal is an answer to the needs of the participants of the digital market to ensure a comprehensive legal framework for secure and trustworthy electronic transactions at EU level.
The aim of the proposal is to ensure that citizens and businesses can use their national electronic identification schemes to access public services in other EU countries where these schemes are available. It also creates an internal market for e-Signatures and related online trust services across borders, in particular by ensuring that these services will have the same legal status as traditional paper-based processes. Through the new EU legislation the mutual recognition of electronic identification and authentication shall be guaranteed.
Your rapporteur for opinion welcomes the Commission proposal in the context of efforts to strengthen and complete the functioning of the digital single market by enhancing the trust in electronic transactions. The importance of the proposal for citizens and businesses, in particular SMEs, as well as for national authorities cannot be over-estimated.
However, your rapporteur strongly believes that the system proposed can only strengthen the digital single market and allow all players to fully benefit from its potential if sufficient legal security and certainty is assured so that citizens and businesses can have confidence and trust in secure cross-border electronic transactions. Therefore some changes in notification procedures and clarifications on liability and data protection have been proposed. At the same time, unnecessary red tape, in particular unnecessary burdens on SMEs, should be avoided. He has suggested a number of amendments in order to improve the Commission proposal as regards these aspects.
Your rapporteur has further suggested a number of changes to the provisions relating to implementing and delegated acts as proposed by the Commission, with a view to better reflecting the objectives of Articles 290 and 291 TFEU. In particular, on a number of issues, a delegation of legislative power to the Commission did not appear appropriate; in some cases, a further specification as to the content and objective of the delegation seemed necessary.
AMENDMENTS
The Committee on Legal Affairs calls on the Committee on Industry, Research and Energy, as the committee responsible, to incorporate the following amendments in its report:
Amendment 1 Proposal for a regulation Recital 10 | |
Text proposed by the Commission |
Amendment |
(10) Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare sets up a network of national authorities responsible for eHealth. To enhance safety and the continuity of cross-border healthcare, the network is required to produce guidelines on cross-border access to electronic health data and services, including by supporting ‘common identification and authentication measures to facilitate transferability of data in cross-border healthcare’. Mutual recognition and acceptance of electronic identification and authentication is key to make cross border healthcare for European citizens a reality. When people travel for treatment, their medical data needs to be accessible in the country of treatment. This requires a solid, safe and trusted electronic identification framework. |
(10) Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare sets up a network of national authorities responsible for eHealth. To enhance safety and the continuity of cross-border healthcare, the network is required to produce guidelines on cross-border access to electronic health data and services, including by supporting ‘common identification and authentication measures to facilitate transferability of data in cross-border healthcare’. Mutual recognition and acceptance of electronic identification and authentication is key to make cross-border healthcare for European citizens a reality. When people travel for treatment, their medical data need to be accessible in the country of treatment. This requires a solid, safe and trusted electronic identification framework that should be such as to rule out infringement of current consumer and data protection standards. |
Amendment 2 Proposal for a regulation Recital 11 | |
Text proposed by the Commission |
Amendment |
(11) One of the objectives of this Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States to access at least public services. This Regulation does not aim at intervening on electronic identity management systems and related infrastructures established in the Member States. The aim of this Regulation is to ensure that for the access to cross-border online services offered by the Member States, secure electronic identification and authentication is possible. |
(11) One of the objectives of this Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States to access at least public services. This Regulation does not aim at intervening on electronic identity management systems and related infrastructures established in the Member States. The aim of this Regulation is to ensure that for the access to cross-border online services offered by the Member States, a high degree of security can be provided for electronic identification and authentication, for instance by establishing different security levels corresponding to particular types of services to be accessed. |
Justification | |
Security has to be organised according to distinct levels. The proposal for a regulation does not say what type of online services is to be accessed by means of electronic identification. Access to sensitive private data ought to imply, for the purposes of identification, reliability of a different degree from what is required for general information or transaction services. | |
Amendment 3 Proposal for a regulation Recital 11 | |
Text proposed by the Commission |
Amendment |
(11) One of the objectives of this Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States to access at least public services. This Regulation does not aim at intervening on electronic identity management systems and related infrastructures established in the Member States. The aim of this Regulation is to ensure that for the access to cross-border online services offered by the Member States, secure electronic identification and authentication is possible. |
(11) One of the objectives of this Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States to access at least public services. This Regulation does not aim at intervening on electronic identity management systems and related infrastructures established in the Member States. The aim of this Regulation is to ensure that for the access to cross-border online services offered by the Member States, a high degree of security can be provided for electronic identification and authentication, for instance by establishing security levels adjusted according to the types of services to be accessed. |
Amendment 4 Proposal for a regulation Recital 16 | |
Text proposed by the Commission |
Amendment |
(16) Cooperation of Member States should serve the technical interoperability of the notified electronic identification schemes with a view to foster a high level of trust and security appropriate to the degree of risk. The exchange of information and the sharing of best practices between Member States with a view to their mutual recognition should help such cooperation. |
(16) Cooperation of Member States should serve the technical interoperability and neutrality of the notified electronic identification schemes with a view to fostering a high level of trust and security appropriate to the degree of risk. The exchange of information and the sharing of best practices between Member States with a view to their mutual recognition should help such cooperation. |
Justification | |
The proposal for a regulation does not provide the means for a Member State to challenge the technical conformity of a notified electronic identification scheme. Because of this gap, schemes not conforming to the requirements might spread within the EU. The desired harmonisation to be brought about by the regulation is in danger of boiling down to circumvention of national legislation and encouraging forum shopping. | |
Amendment 5 Proposal for a regulation Recital 23 a (new) | |
Text proposed by the Commission |
Amendment |
|
(23a) The concepts of accessibility and design for all should be mainstreamed when legislative measures on electronic identification are being pursued at Union level. |
Amendment 6 Proposal for a regulation Recital 25 | |
Text proposed by the Commission |
Amendment |
(25) Supervisory bodies should cooperate and exchange information with data protection authorities to ensure proper implementation of data protection legislation by service providers. The exchange of information should in particular cover security incidents and personal data breaches. |
(25) Supervisory bodies should cooperate and exchange information with data protection authorities to ensure proper implementation of data and consumer protection legislation by service providers. The exchange of information should in particular cover security incidents and personal data breaches. |
Amendment 7 Proposal for a regulation Recital 28 | |
Text proposed by the Commission |
Amendment |
(28) All Member States should follow common essential supervision requirements to ensure a comparable security level of qualified trust services. To ease the consistent application of these requirements across the Union, Member States should adopt comparable procedures and should exchange information on their supervision activities and best practices in the field. |
(28) All Member States should follow common essential supervision requirements to ensure a comparable security and data protection level of qualified trust services. To ensure the consistent application of these requirements across the Union, Member States should adopt comparable procedures and should exchange information on their supervision activities and best practices in the field. |
Amendment 8 Proposal for a regulation Recital 49 | |
Text proposed by the Commission |
Amendment |
(49) In order to complement certain detailed technical aspects of this Regulation in a flexible and rapid manner, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of interoperability of electronic identification; security measures required of trust service providers; recognised independent bodies responsible for auditing the service providers; trusted lists; requirements related to the security levels of electronic signatures; requirements of qualified certificates for electronic signatures their validation and their preservation; the bodies responsible for the certification of qualified electronic signature creation devices; and the requirements related to the security levels of electronic seals and to qualified certificates for electronic seals; the interoperability between delivery services. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. |
(49) In order to complement certain detailed technical aspects of this Regulation in a flexible and rapid manner, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of interoperability of electronic identification; trusted lists; requirements of qualified certificates for electronic signatures their validation and their preservation; the bodies responsible for the certification of qualified electronic signature creation devices; and to qualified certificates for electronic seals; the interoperability between delivery services. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. |
Amendment 9 Proposal for a regulation Article 1 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. This Regulation lays down rules for electronic identification and electronic trust services for electronic transactions with a view to ensuring the proper functioning of the internal market. |
1. This Regulation lays down rules for electronic identification and electronic trust services for electronic transactions with the aim to develop the digital single market by guaranteeing a high degree of security, and strengthening confidence and trust in cross-border electronic transactions of the digital environment. |
Amendment 10 Proposal for a regulation Article 1 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. This Regulation lays down the conditions under which Member States shall recognise and accept electronic identification means of natural and legal persons falling under a notified electronic identification scheme of another Member State. |
2. This Regulation lays down the conditions under which Member States shall recognise and accept electronic identification means of any entity or natural or legal persons falling under a notified electronic identification scheme of another Member State. |
Amendment 11 Proposal for a regulation Article 1 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. This Regulation establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services and website authentication. |
3. This Regulation establishes a legal framework for electronic signatures, electronic seals, electronic validation and verification, electronic time stamps, electronic documents, electronic delivery services and website authentication. |
Amendment 12 Proposal for a regulation Article 1 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. This Regulation ensures that trust services and products which comply with this Regulation are permitted to circulate freely in the internal market. |
4. This Regulation ensures that trust services and products which comply with this Regulation circulate freely in the internal market. |
Amendment 13 Proposal for a regulation Article 2 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. This Regulation applies to electronic identification provided by, on behalf or under the responsibility of Member States and to trust service providers established in the Union. |
1. This Regulation applies to electronic identification provided by, on behalf or under the responsibility of Member States and to trust service providers established in the Union. This Regulation applies to trust services offered to the public. |
Amendment 14 Proposal for a regulation Article 2 – paragraph 3 a (new) | |
Text proposed by the Commission |
Amendment |
|
3a. This Regulation does not apply to trust services deployed solely for testing, training or scientific research purposes. |
Amendment 15 Proposal for a regulation Article 3 – paragraph 1 – point 1 | |
Text proposed by the Commission |
Amendment |
(1) ‘electronic identification’ means the process of using person identification data in electronic form unambiguously representing a natural or legal person; |
(1) ‘electronic identification’ means the process of using person identification data in electronic form unambiguously representing an entity or a natural or legal person; |
Amendment 16 Proposal for a regulation Article 3 – paragraph 1 – point 2 | |
Text proposed by the Commission |
Amendment |
(2) ‘electronic identification means’ means a material or immaterial unit containing data as referred to in point 1 of this Article, and which is used to access services online as referred to in Article 5; |
(2) ‘electronic identification means’ means a material or immaterial unit containing data as referred to in point 1 of this Article, and which is used to access electronic services as referred to in Article 5; |
Amendment 17 Proposal for a regulation Article 3 – paragraph 1 – point 10 | |
Text proposed by the Commission |
Amendment |
(10) ‘certificate’ means an electronic attestation which links electronic signature or seal validation data of a natural or a legal person respectively to the certificate and confirms those data of that person; |
(10) ‘certificate’ means an electronic attestation which links electronic signature or seal validation data with the identification data of any entity or a natural or a legal person respectively and confirms those data of that person; |
Amendment 18 Proposal for a regulation Article 3 – paragraph 1 – point 14 | |
Text proposed by the Commission |
Amendment |
(14) ‘trust service provider’ means a natural or a legal person who provides one or more trust services; |
(14) ‘trust service provider’ means an entity or a natural or a legal person who provides at least one trust service; |
Amendment 19 Proposal for a regulation Article 3 – paragraph 1 – point 19 | |
Text proposed by the Commission |
Amendment |
(19) ‘creator of a seal’ means a legal person who creates an electronic seal; |
(19) ‘creator of a seal’ means an entity or a legal person who creates an electronic seal; |
Amendment 20 Proposal for a regulation Article 3 – paragraph 1 – point 27 | |
Text proposed by the Commission |
Amendment |
(27) ‘electronic document’ means a document in any electronic format; |
(27) ‘electronic document’ means a separate set of structured data in any electronic format; |
Amendment 21 Proposal for a regulation Article 3 – paragraph 1 – point 31 a (new) | |
Text proposed by the Commission |
Amendment |
|
(31a) ‘breach of security’ means a security incident leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. |
Amendment 22 Proposal for a regulation Article 4 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. Products which comply with this Regulation shall be permitted to circulate freely in the internal market. |
2. Products which comply with this Regulation shall circulate freely and securely in the internal market. |
Amendment 23 Proposal for a regulation Article 4 a (new) | |
Text proposed by the Commission |
Amendment |
|
Article 4 a |
|
Data processing and protection |
|
1. Trust service providers, issuers, validation services, relying parties and supervisory bodies shall ensure fair and lawful processing in accordance with Directive 95/46/EC when processing personal data. Such processing shall be strictly limited to the minimum data needed to issue and maintain an eID or certificate, validate an electronic authentication or to provide a trust service. |
|
2. Trust service providers, issuers, validation services shall guarantee the confidentiality and integrity of data related to a person to whom the eID is issued or the service is provided. |
|
3. Without prejudice to the legal effect given to pseudonyms under national law, Member States shall not prevent issuers from indicating in electronic authentication means a pseudonym instead of or in addition to the holder's name or prevent trust service providers indicating in electronic signature certificates a pseudonym instead of the signatory's name. |
|
4. Validation services must not collect or retain data beyond the extent necessary for the process of validation. Validation services must not profile signatories, relying parties or any other customers. Logs may be retained for the purpose of detecting fraud and intrusions but for no more than 90 days. |
|
5. Qualified trust service providers shall store documents or information related to the provided service according to national laws. After termination of their activities, qualified trust service providers shall depose those documents and data with the supervisory body. |
Amendment 24 Proposal for a regulation Article 4 b (new) | |
Text proposed by the Commission |
Amendment |
|
Article 4b |
|
Right of access and information for users of trust services |
|
Trust service providers shall provide users at least with information on the collection, communication, and retention of their personal data as well as information on the verification procedure, which shall be put in place. |
Amendment 25 Proposal for a regulation Article 5 – title | |
Text proposed by the Commission |
Amendment |
Mutual recognition and acceptance |
Mutual recognition of electronic identification means |
Amendment 26 Proposal for a regulation Article 5 | |
Text proposed by the Commission |
Amendment |
When an electronic identification using an electronic identification means and authentication is required under national legislation or administrative practice to access a service online, any electronic identification means issued in another Member State falling under a scheme included in the list published by the Commission pursuant to the procedure referred to in Article 7 shall be recognised and accepted for the purposes of accessing this service. |
When an electronic identification using an electronic identification means and authentication is allowed under national legislation or administrative practice to access a service online, any electronic identification means issued in another Member State that ensures the same or a higher level of assurance and that falls under a scheme included in the list published by the Commission pursuant to the procedure referred to in Article 7 shall be recognised and accepted for the purposes of accessing this service. |
Amendment 27 Proposal for a regulation Article 6 – paragraph 1 – point b | |
Text proposed by the Commission |
Amendment |
(b) the electronic identification means can be used to access at least public services requiring electronic identification in the notifying Member State; |
(b) the electronic identification means can be used to access at least public services allowing electronic identification in the notifying Member State; |
Amendment 28 Proposal for a regulation Article 6 – paragraph 1 – point b a (new) | |
Text proposed by the Commission |
Amendment |
|
(ba) the electronic identification means have built-in security levels adjusted according to the types of services to which they give access; |
Justification | |
Security has to be based on distinct levels. The proposal does not say what type of online services is to be accessed by means of electronic identification. Access to sensitive private data ought to imply, for the purposes of identification, reliability of a different degree from what is required for general information. The recognition of identity should be a process designed to provide the proper degree of security, corresponding to the type of services that citizens are to access. | |
Amendment 29 Proposal for a regulation Article 6 – paragraph 1 – point d | |
Text proposed by the Commission |
Amendment |
(d) the notifying Member State ensures the availability of an authentication possibility online, at any time and free of charge so that any relying party can validate the person identification data received in electronic form. Member States shall not impose any specific technical requirements on relying parties established outside of their territory intending to carry out such authentication. When either the notified identification scheme or authentication possibility is breached or partly compromised, Member States shall suspend or revoke without delay the notified identification scheme or authentication possibility or the compromised parts concerned and inform the other Member States and the Commission pursuant to Article 7; |
(d) the notifying Member State ensures the availability of authentication online, so that any relying party established outside of the territory of that Member State can validate the person identification data received in electronic form. Such authentication shall be provided free of charge when accessing a service online provided by a public sector body. Member States shall not unduly impose any specific technical requirements on relying parties intending to carry out such authentication; |
Justification | |
The unambiguous attribution of the person identification data to the person themselves would require a very high level of background check (at least Level 4) and which is inconsistent with use of different levels of assurance. The level of certainty applying to the attribution of data should be based on the level of assurance. This level should always be the minimum required to safeguard the interests of the relying party. The question of data minimisation is relevant here. | |
Amendment 30 Proposal for a regulation Article 7 – paragraph 1 – points a to c | |
Text proposed by the Commission |
Amendment |
1. Member States which notify an electronic identification scheme shall forward to the Commission the following information and without undue delay, any subsequent changes thereof: |
1. The notifying Member State shall forward to the Commission the following information and without undue delay, any subsequent changes thereof: |
(a) a description of the notified electronic identification scheme; |
(a) a description of the notified electronic identification scheme, including its identity assurance levels; |
(b) the authorities responsible for the notified electronic identification scheme; |
(b) the authority or authorities responsible for the notified electronic identification scheme; |
(c) information on by whom the registration of the unambiguous person identifiers is managed; |
(c) information on the entity or entities which manages the verification of the person identification data; |
Justification | |
These changes complement those made to the other ‘eID’ articles and reiterate that “unambiguous” attribution is inconsistent with levels of assurance. | |
Amendment 31 Proposal for a regulation Article 7 – paragraph 1 – point a | |
Text proposed by the Commission |
Amendment |
(a) a description of the notified electronic identification scheme; |
(a) a description of the notified electronic identification scheme, including the security levels corresponding to the types of services to be accessed; |
Amendment 32 Proposal for a regulation Article 7 – paragraph 1 – point d | |
Text proposed by the Commission |
Amendment |
(d) a description of the authentication possibility; |
(d) a description of the authentication possibility, taking into account the different security levels required for access; |
Amendment 33 Proposal for a regulation Article 7 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. If the Commission receives a notification after the period referred to in paragraph 2 expired, it shall amend the list within three months. |
3. If the Commission receives a notification after the period referred to in paragraph 2 expired, it shall amend the list within one month. |
Amendment 34 Proposal for a regulation Article 7 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. The Commission may, by means of implementing acts, define the circumstances, formats and procedures of the notification referred to in paragraphs 1 and 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
4. The Commission may, by means of implementing acts, define the formats of the notification referred to in paragraphs 1 and 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
Justification | |
The definition of circumstances and procedures of the notification goes beyond mere implementation of the proposed Regulation and therefore should not be conferred upon the Commission by way of implementing powers under Article 291 TFEU. | |
Amendment 35 Proposal for a regulation Article 8 – title | |
Text proposed by the Commission |
Amendment |
Coordination |
Coordination and interoperability |
Amendment 36 Proposal for a regulation Article 8 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. Member States shall cooperate in order to ensure the interoperability of electronic identification means falling under a notified scheme and to enhance their security. |
1. Member States shall cooperate in order to ensure the interoperability and technological neutrality of electronic identification means falling under a notified scheme and to enhance their security. |
Justification | |
The provisions intended to guarantee technical interoperability have to be technologically neutral so as not to interfere with the options favoured by Member States when developing their national electronic identification and authentication schemes. | |
Amendment 37 Proposal for a regulation Article 8 – paragraph 1 a (new) | |
Text proposed by the Commission |
Amendment |
|
1a. Where an electronic identification scheme has been shown to be unacceptable from the point of view of neutrality and interoperability in the light of the technological pre-checking for which Member States are to be responsible under the cooperation arrangement referred to in paragraph 1, it shall not be eligible for notification under Article 7 for the purposes of mutual recognition within the meaning of Article 5. |
Amendment 38 Proposal for a regulation Article 8 – paragraph 1 d (new) | |
Text proposed by the Commission |
Amendment |
|
1d. Member States shall cooperate in order to ensure the interoperability of electronic identification means falling under a notified electronic identification scheme and to enhance their security. |
Justification | |
The interoperability model will be key to the success of the Regulation. Further discussion between Member States is required to determine what this needs to include and how this should work. | |
Amendment 39 Proposal for a regulation Article 8 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the facilitation of cross border interoperability of electronic identification means by setting of minimum technical requirements. |
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the facilitation of cross border interoperability of electronic identification means by setting of technologically neutral minimum requirements for the different security levels. |
Justification | |
In accordance with Article 290 TFEU, the objectives, content, scope and duration of the delegation of power shall be explicitly defined in the legislative acts. The amendment adds a necessary clarification to the delegation. | |
Amendment 40 Proposal for a regulation Article 9 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. A trust service provider shall be liable for any direct damage caused to any natural or legal person due to failure to comply with the obligations laid down in Article 15(1), unless the trust service provider can prove that he has not acted negligently. |
1. A trust service provider shall be liable for damage caused to any entity or natural or legal person due to failure to comply with the obligations laid down in Article 15(1), unless the trust service provider can prove that he has not acted negligently. |
Amendment 41 Proposal for a regulation Article 9 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. A qualified trust service provider shall be liable for any direct damage caused to any natural or legal person due to failure to meet the requirements laid down in this Regulation, in particular in Article 19, unless the qualified trust service provider can prove that he has not acted negligently. |
2. A qualified trust service provider shall be liable for any damage caused to any natural or legal person due to failure to meet the requirements laid down in this Regulation, in particular in Article 19, unless the qualified trust service provider can prove that he has not acted negligently. |
Amendment 42 Proposal for a regulation Article 9 – paragraph 2 a (new) | |
Text proposed by the Commission |
Amendment |
|
2a. This Regulation is without prejudice to Regulation (EC) No 864/2007 of the European Parliament and of the Council of 11 July 2007 on the law applicable to non-contractual obligations (Rome II)1 in particular the application of the law which, under Article 4 of the Rome II Regulation, applies to a non-contractual obligation arising out of a tort/delict. |
|
__________________ |
|
1 Regulation (EC) No 864/2007 of the European Parliament and of the Council of 11 July 2007 on the law applicable to non-contractual obligations (Rome II), OJ L 199, 31.7.2007, p. 40. |
Amendment 43 Proposal for a regulation Article 11 | |
Text proposed by the Commission |
Amendment |
Article 11 |
deleted |
Data processing and protection |
|
1. Trust service providers and supervisory bodies shall ensure fair and lawful processing in accordance with Directive 95/46/EC when processing personal data. |
|
2. Trust service providers shall process personal data according to Directive 95/46/EC. Such processing shall be strictly limited to the minimum data needed to issue and maintain a certificate or to provide a trust service. |
|
3. Trust service providers shall guarantee the confidentiality and integrity of data related to a person to whom the trust service is provided. |
|
4. Without prejudice to the legal effect given to pseudonyms under national law, Member States shall not prevent trust service providers indicating in electronic signature certificates a pseudonym instead of the signatory's name. |
|
(See amendment for Article 4a (new)) | |
Amendment 44 Proposal for a regulation Article 12 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
Trust services provided and end user products used in the provision of those services shall be made accessible for persons with disabilities whenever possible. |
Trust services provided and end user products used in the provision of those services shall be made accessible for persons with disabilities unless it is technically impossible. |
Amendment 45 Proposal for a regulation Article 12 – paragraph 1 a (new) | |
Text proposed by the Commission |
Amendment |
|
1a. The Commission shall establish and award trust mark to distinguish products and services accessible for persons with disabilities. |
Amendment 46 Proposal for a regulation Article 12 – paragraph 1 b (new) | |
Text proposed by the Commission |
Amendment |
|
1b. EU standards organizations are responsible for development of assessment criteria for products and services accessible for persons with disabilities. |
Amendment 47 Proposal for a regulation Article 13 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. Member States shall designate an appropriate body established in their territory or, upon mutual agreement, in another Member State under the responsibility of the designating Member State. Supervisory bodies shall be given all supervisory and investigatory powers that are necessary for the exercise of their tasks. |
1. Member States shall designate an appropriate body established in their territory or, upon mutual agreement, in another Member State under the responsibility of the designating Member State. Supervisory bodies shall be given supervisory and investigatory powers that are necessary for the exercise of their tasks. |
Amendment 48 Proposal for a regulation Article 13 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. Member States shall designate an appropriate body established in their territory or, upon mutual agreement, in another Member State under the responsibility of the designating Member State. Supervisory bodies shall be given all supervisory and investigatory powers that are necessary for the exercise of their tasks. |
1. Member States shall designate an appropriate body established in their territory or, upon mutual agreement, in another Member State under the responsibility of the designating Member State. Supervisory bodies shall be given all supervisory and investigatory powers that are necessary for the exercise of their tasks. Member States shall notify to the Commission the names and the addresses of their respective designated supervisory bodies. |
(See amendment for paragraph 4) | |
Justification | |
Restructuring for the sake of clarity: paragraph 1 deals with the designation of supervisory body. The provision has been moved from paragraph 4 as it deals with the same subject. | |
Amendment 49 Proposal for a regulation Article 13 – paragraph 1 a (new) | |
Text proposed by the Commission |
Amendment |
|
1a. The Commission shall be empowered to adopt implementing acts in accordance with the examination procedure referred to in Article 39(2) concerning specific means of supervision. |
Amendment 50 Proposal for a regulation Article 13 – paragraph 3 – introductory part | |
Text proposed by the Commission |
Amendment |
3. Each supervisory body shall submit a yearly report on the last calendar year's supervisory activities to the Commission and Member States by the end of the first quarter of the following year. It shall include at least: |
3. Each supervisory body shall submit a yearly report on the last calendar year's supervisory activities to the Commission by the end of the first quarter of the following year. It shall include at least: |
Justification | |
It appears unnecessarily burdensome to require the submission of the yearly report also to the Member States. | |
Amendment 51 Proposal for a regulation Article 13 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. Member States shall notify to the Commission and other Member States the names and the addresses of their respective designated supervisory bodies. |
deleted |
(See amendment for paragraph 1) | |
Amendment 52 Proposal for a regulation Article 13 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. The Commission shall be empowered to adopt delegated acts, in accordance with Article 38, concerning the definition of procedures applicable to the tasks referred to in paragraph 2. |
deleted |
Justification | |
Under Article 290, a legislative act may delegate to the Commission the power to adopt non-legislative acts of general application to supplement or amend certain non-essential elements of the legislative act. The proposed delegation would go beyond mere supplementing or amending of non-essential elements of the proposed Regulation. | |
Amendment 53 Proposal for a regulation Article 13 – paragraph 6 | |
Text proposed by the Commission |
Amendment |
6. The Commission may, by means of implementing acts, define the circumstances, formats and procedures for the report referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
6. The Commission may, by means of implementing acts, define the formats for the report referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
Justification | |
The definition of circumstances and procedures for the report goes beyond mere implementation of the proposed Regulation and therefore should not be conferred upon the Commission by way of implementing powers under Article 291 TFEU. | |
Amendment 54 Proposal for a regulation Article 14 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. Supervisory bodies shall cooperate with a view to exchange good practice and provide each other, within the shortest possible time, with relevant information and mutual assistance so that activities can be carried out in a consistent manner. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out inspections related to the security audits as referred to in Articles 15, 16 and 17. |
1. Supervisory bodies shall cooperate with a view to exchange good practice and provide each other, within the shortest possible time, with relevant information and mutual assistance so that activities as referred to in Article 13 can be carried out in a consistent manner. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out inspections related to the security audits as referred to in Articles 15, 16 and 17. |
Amendment 55 Proposal for a regulation Article 14 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. The Commission may, by means of implementing acts, specify the formats and procedures for the mutual assistance provided for in this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
deleted |
Justification | |
The specification of formats and procedures for the mutual assistance goes beyond mere implementation of the proposed Regulation and therefore should not be conferred upon the Commission by way of implementing powers under Article 291 TFEU. | |
Amendment 56 Proposal for a regulation Article 15 – paragraph 1 – subparagraph 1 | |
Text proposed by the Commission |
Amendment |
1. Trust service providers who are established in the territory of the Union shall take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide. Having regard to state of the art, these measures shall ensure that the level of security is appropriate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of adverse effects of any incidents. |
1. Trust service providers who are established in the territory of the Union shall take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide. Having regard to the latest technological developments, any such measures shall ensure that the level of security is appropriate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of the adverse effects of any incidents. |
Amendment 57 Proposal for a regulation Article 15 – paragraph 2 a (new) | |
Text proposed by the Commission |
Amendment |
|
2a. When the breach of security is likely to adversely affect the users of trust services, the supervisory body shall without undue delay notify the breach to those users in order to enable them to take the necessary precautions. |
Amendment 58 Proposal for a regulation Article 15 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. The Commission shall be empowered to adopt delegated acts, in accordance with Article 38, concerning the further specification of the measures referred to in paragraph 1. |
deleted |
Justification | |
Under Article 290, a legislative act may delegate to the Commission the power to adopt non-legislative acts of general application to supplement or amend certain non-essential elements of the legislative act. The proposed delegation would go beyond mere supplementing or amending of non-essential elements of the proposed Regulation. | |
Amendment 59 Proposal for a regulation Article 15 – paragraph 6 | |
Text proposed by the Commission |
Amendment |
6. The Commission may, by means of implementing acts, define the circumstances, formats and procedures, including deadlines, applicable for the purpose of paragraphs 1 to 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
6. The Commission may, by means of implementing acts, define the formats applicable for the purpose of paragraphs 1 to 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
Justification | |
The definition of circumstances and procedures, including deadlines, goes beyond mere implementation of the proposed Regulation and therefore should not be conferred upon the Commission by way of implementing powers under Article 291 TFEU. | |
Amendment 60 Proposal for a regulation Article 16 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the specification of the conditions under which the independent body carrying out the audit referred to in paragraph 1 of this Article and in Article 15(1) and in Article 17(1) shall be recognised. |
deleted |
Justification | |
Under Article 290, a legislative act may delegate to the Commission the power to adopt non-legislative acts of general application to supplement or amend certain non-essential elements of the legislative act. The proposed delegation would go beyond mere supplementing or amending of non-essential elements of the proposed Regulation. | |
Amendment 61 Proposal for a regulation Article 16 – paragraph 6 | |
Text proposed by the Commission |
Amendment |
6. The Commission may, by means of implementing acts, define the circumstances, procedures and formats applicable for the purpose of paragraphs 1, 2 and 4. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
6. The Commission may, by means of implementing acts, define the formats applicable for the purpose of paragraphs 1, 2 and 4. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
Justification | |
The definition of circumstances and procedures goes beyond mere implementation of the proposed Regulation and therefore should not be conferred upon the Commission by way of implementing powers under Article 291 TFEU. | |
Amendment 62 Proposal for a regulation Article 17 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. Qualified trust service providers shall notify the supervisory body of their intention to start providing a qualified trust service and shall submit to the supervisory body a security audit report carried out by a recognised independent body, as provided for in Article 16(1). Qualified trust service providers may start to provide the qualified trust service after they have submitted the notification and security audit report to the supervisory body. |
1. Qualified trust service providers shall notify the supervisory body of their intention to start providing a qualified trust service and shall submit to the supervisory body a security audit report carried out by a recognised independent body, as provided for in Article 16(1). Qualified trust service providers may start to provide the qualified trust service after the positive conclusion of the verification under paragraph 3. |
Justification | |
It appears premature to allow qualified trust service providers to start to provide the qualified trust service already after they have submitted the notification and the security audit report to the supervisory body. Only qualified trust service providers complying with the requirements of the Regulation should be allowed to start to provide qualified trust services. | |
Amendment 63 Proposal for a regulation Article 17 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. Once the relevant documents are submitted to the supervisory body according to paragraph 1, the qualified service providers shall be included in the trusted lists referred to in Article 18 indicating that the notification has been submitted. |
deleted |
Amendment 64 Proposal for a regulation Article 17 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. The Commission may, by means of implementing acts, define the circumstances, formats and procedures for the purpose of paragraphs 1, 2 and 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
5. The Commission may, by means of implementing acts, define the formats for the purpose of paragraphs 1, 2 and 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
Justification | |
The definition of circumstances and procedures, including deadlines, goes beyond mere implementation of the proposed Regulation and therefore should not be conferred upon the Commission by way of implementing powers under Article 291 TFEU. | |
Amendment 65 Proposal for a regulation Article 18 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. Each Member State shall establish, maintain and publish trusted lists with information related to the qualified trust service providers for which it is competent together with information related to the qualified trust services provided by them. |
1. Each Member State shall establish, maintain and publish trusted lists with information related to the qualified trust service providers referred to in Article 17 for which it is responsible including information allowing identification of the qualified trust service providers and an indication on their qualified status together with information related to the qualified trust services provided by them. |
Amendment 66 Proposal for a regulation Article 19 – paragraph 2 – point b | |
Text proposed by the Commission |
Amendment |
(b) bear the risk of liability for damages by maintaining sufficient financial resources or by an appropriate liability insurance scheme; |
(b) with regard to the risk of liability for damages as referred to in Article 8(2), maintain sufficient financial resources or obtain appropriate liability insurance; |
Justification | |
This provides the additional detail necessary to ensure that trust service providers know what is required of them. | |
Amendment 67 Proposal for a regulation Article 19 – paragraph 2 – point c | |
Text proposed by the Commission |
Amendment |
(c) before entering into a contractual relationship, inform any person seeking to use a qualified trust service of the precise terms and conditions regarding the use of that service; |
(c) before entering into a contractual relationship, inform any person seeking to use a qualified trust service of the terms and conditions regarding the use of that service, including any limitation on its use; |
Justification | |
This provides the additional detail necessary to ensure that trust service providers know what is required of them. | |
Amendment 68 Proposal for a regulation Article 19 – paragraph 2 – point e | |
Text proposed by the Commission |
Amendment |
(e) use trustworthy systems to store data provided to them, in a verifiable form so that: |
(e) use trustworthy systems to store data provided to them, in a verifiable form so that: |
– they are publicly available for retrieval only where the consent of the person to whom the data has been issued has been obtained, |
- they are publicly available for retrieval only where the consent of the person to whom the data relates has been obtained, |
– only authorised persons can make entries and changes, |
- only authorised persons can make entries and changes to the stored data, |
– information can be checked for authenticity; |
- the data can be checked for authenticity; |
Justification | |
This provides the additional detail necessary to ensure that trust service providers know what is required of them. | |
Amendment 69 Proposal for a regulation Article 19 – paragraph 2 – point f | |
Text proposed by the Commission |
Amendment |
(f) take measures against forgery and theft of data; |
(f) take appropriate measures against forgery and theft of data; |
Justification | |
This provides the additional detail necessary to ensure that trust service providers know what is required of them. | |
Amendment 70 Proposal for a regulation Article 19 – paragraph 2 – point g | |
Text proposed by the Commission |
Amendment |
(g) record for an appropriate period of time all relevant information concerning data issued and received by the qualified trust service provider, in particular for the purpose of providing evidence in legal proceedings. Such recording may be done electronically; |
(g) record and keep accessible for an appropriate period of time, including after the activities of the qualified trust service provider have ceased, all relevant information concerning data issued and received by the qualified trust service provider, in particular for the purpose of providing evidence in legal proceedings. Such recording may be done electronically; |
Justification | |
This provides the additional detail necessary to ensure that trust service providers know what is required of them. | |
Amendment 71 Proposal for a regulation Article 19 – paragraph 2 – point i a (new) | |
Text proposed by the Commission |
Amendment |
|
(ia) when the qualified trust service includes the issuing of qualified certificates, establish and keep updated a certificate database. |
Justification | |
This provides the additional detail necessary to ensure that trust service providers know what is required of them. | |
Amendment 72 Proposal for a regulation Article 20 – paragraph 6 | |
Text proposed by the Commission |
Amendment |
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of the different security levels of electronic signature referred to in paragraph 4. |
deleted |
Justification | |
Under Article 290, a legislative act may delegate to the Commission the power to adopt non-legislative acts of general application to supplement or amend certain non-essential elements of the legislative act. The proposed delegation would go beyond mere supplementing or amending of non-essential elements of the proposed Regulation. | |
Amendment 73 Proposal for a regulation Article 21 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the further specification of the requirements laid down in Annex I. |
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the further specification of the requirements laid down in Annex I in order to ensure the necessary adaptation to technological development. |
Justification | |
In accordance with Article 290 TFEU, the objectives, content, scope and duration of the delegation of power shall be explicitly defined in the legislative acts. The amendment adds a necessary clarification to the delegation. | |
Amendment 74 Proposal for a regulation Article 23 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the establishment of specific criteria to be met by the designated bodies referred to in paragraph 1. |
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the establishment of specific criteria to be met by the designated bodies referred to in paragraph 1 for the purpose of carrying out the certification under paragraph 1. |
Justification | |
In accordance with Article 290 TFEU, the objectives, content, scope and duration of the delegation of power shall be explicitly defined in the legislative acts. The amendment adds a necessary clarification to the delegation. | |
Amendment 75 Proposal for a regulation Article 24 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. The Commission may, by means of implementing acts, define circumstances, formats and procedures applicable for the purpose of paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
3. The Commission may, by means of implementing acts, define formats applicable for the purpose of paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
Justification | |
The definition of circumstances and procedures goes beyond mere implementation of the proposed Regulation and therefore should not be conferred upon the Commission by way of implementing powers under Article 291 TFEU. | |
Amendment 76 Proposal for a regulation Article 25 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the further specification of the requirements laid down in paragraph 1. |
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the further specification of the requirements laid down in paragraph 1 in order to ensure the necessary adaptation to technological development. |
Justification | |
In accordance with Article 290 TFEU, the objectives, content, scope and duration of the delegation of power shall be explicitly defined in the legislative acts. The amendment adds a necessary clarification to the delegation. | |
Amendment 77 Proposal for a regulation Article 27 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the further specification of the requirements laid down in paragraph 1. |
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the further specification of the requirements laid down in paragraph 1 in order to ensure the necessary adaptation to technological development. |
Justification | |
In accordance with Article 290 TFEU, the objectives, content, scope and duration of the delegation of power shall be explicitly defined in the legislative acts. The amendment adds a necessary clarification to the delegation. | |
Amendment 78 Proposal for a regulation Article 28 – paragraph 6 | |
Text proposed by the Commission |
Amendment |
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of different security assurance levels of electronic seals referred to in paragraph 4. |
deleted |
Amendment 79 Proposal for a regulation Article 29 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the further specification of the requirements laid down in Annex III. |
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the further specification of the requirements laid down in Annex III in order to ensure the necessary adaptation to technological development. |
Justification | |
In accordance with Article 290 TFEU, the objectives, content, scope and duration of the delegation of power shall be explicitly defined in the legislative acts. The amendment adds a necessary clarification to the delegation. | |
Amendment 80 Proposal for a regulation Article 38 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. The power to adopt delegated acts referred to in Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) shall be conferred on the Commission for an indeterminate period of time from the entry into force of this Regulation. |
2. The power to adopt delegated acts referred to in Articles 8(3), 18(5), 21(4), 23(3), 25(2), 27(2), 29(4), 30(2), 31, 35(3) and 37(3) shall be conferred on the Commission for an indeterminate period of time from the entry into force of this Regulation. |
Amendment 81 Proposal for a regulation Article 38 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. The delegation of power referred to in Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force. |
3. The delegation of power referred to in Articles 8(3), 18(5), 21(4), 23(3), 25(2), 27(2), 29(4), 30(2), 31, 35(3) and 37(3) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force. |
Amendment 82 Proposal for a regulation Article 38 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. A delegated act adopted pursuant to Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council. |
5. A delegated act adopted pursuant to Articles 8(3), 18(5), 21(4), 23(3), 25(2), 27(2), 29(4), 30(2), 31, 35(3) and 37(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council. |
Amendment 83 Proposal for a regulation Article 40 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
The Commission shall report to the European Parliament and to the Council on the application of this Regulation. The first report shall be submitted no later than four years after the entry into force of this Regulation. Subsequent reports shall be submitted every four years thereafter. |
The Commission shall report to the European Parliament and to the Council on the application of this Regulation, in particular with a view to reaching the aim of the Regulation to develop the digital single market by strengthening confidence and trust in secure cross-border electronic transactions. The report shall take account of, amongst others, market developments as well as legal and technological developments. It shall further be accompanied by appropriate legislative proposals if necessary. The first report shall be submitted no later than two years after the entry into force of this Regulation. Subsequent reports shall be submitted every four years thereafter. |
PROCEDURE
Title | Electronic identification and trust services for electronic transactions in the internal market |
References | COM(2012)0238 – C7-0133/2012 – 2012/0146(COD) |
Committee responsible, date announced in plenary | ITRE, 14.6.2012 |
Opinion by, date announced in plenary | JURI, 14.6.2012 |
Rapporteur, date appointed | Alajos Mészáros, 11.12.2012 |
Discussed in committee | 24.4.2013 |
Date adopted | 20.6.2013 |
Result of final vote | +: 25 | –: 0 | 0: 0 |
Members present for the final vote | Raffaele Baldassarre, Luigi Berlinguer, Sebastian Valentin Bodu, Françoise Castex, Christian Engström, Marielle Gallo, Lidia Joanna Geringer de Oedenberg, Sajjad Karim, Klaus-Heiner Lehne, Antonio Masip Hidalgo, Jiří Maštálka, Alajos Mészáros, Bernhard Rapkay, Evelyn Regner, Dimitar Stoyanov, Rebecca Taylor, Alexandra Thein, Tadeusz Zwiefka |
Substitute(s) present for the final vote | Sergio Gaetano Cofferati, Eva Lichtenberger, Angelika Niebler, Axel Voss |
Substitute(s) under Rule 187(2) present for the final vote | Frédérique Ries, Nikolaos Salavrakos, Jacek Włosowicz |
OPINION of the Committee on Civil Liberties, Justice and Home Affairs (09.7.2013)
for the Committee on Industry, Research and Energy
on the proposal for a regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market
(COM(2012)0238 – C7‑0133/2012 – 2012/0146(COD))
Rapporteur: Jens Rohde
SHORT JUSTIFICATION
This proposal for a regulation aims at establishing a mutual recognition of notified electronic identification schemes as well as electronic trust services in order to develop the internal digital market. The proposal thereby expands the legal framework of the existing Directive 1999/93/EC on electronic signatures.
The rapporteur welcomes the Commission proposal that seeks to deal with the problems within the existing directive, not only through the reinforcement of the legal framework, but also through the introduction of increasing legal certainty. The rapporteur thus agrees with the choice of a regulation rather than a directive.
In the view of the rapporteur the regulation is a much needed first step in the development of a well-functioning internal digital market that will make it much easier for companies and consumers to deal with electronic cross-border transactions and increase trust in electronic transactions.
The rapporteur supports the Commission's efforts to combine the largely differentiated use of electronic identification schemes in the various Member States with a strong mutual recognition mechanism.
However, the regulation fails to provide a model that can ensure an adequate level of security building on existing experience.
The rapporteur therefore suggests introducing and defining the security levels within the regulation in order to settle any ambiguities and ensure that the regulation works in practice. As a result a number of delegated and implementing acts have been deleted accordingly.
Another security issue is within the regulation of trust services, where the rapporteur holds the view that it should be clear whether trust services that appear on the trusted list have been approved or still await confirmation of conformity.
In regard to both the electronic identification scheme and the trust services, the amendments proposed aim at cutting unnecessary red tape within the supervision mechanisms to ease the burden on both Member States and companies, and ensure a clear and concise coordination mechanism.
Lastly, the amendments address the issue of liability, which is defined too widely within the Commission proposal, and could create unintended obstacles in the further development of the digital field.
AMENDMENTS
The Committee on Civil Liberties, Justice and Home Affairs calls on the Committee on Industry, Research and Energy, as the committee responsible, to incorporate the following amendments in its report:
Amendment 1 Proposal for a regulation Recital 20 | |
Text proposed by the Commission |
Amendment |
(20) Because of the pace of technological change, this Regulation should adopt an approach which is open to innovations. |
(20) Because of the pace of technological change, this Regulation should adopt an approach which is open to innovations but which focuses at all times primarily on consumers and their interests. |
Amendment 2 Proposal for a regulation Recital 23 | |
Text proposed by the Commission |
Amendment |
(23) In line with the obligations under the UN Convention on the Rights of Persons with Disabilities that has entered into force in the EU, persons with disabilities should be able to use trust services and end user products used in the provision of those services on equal bases with other consumers. |
(23) In line with the obligations under the UN Convention on the Rights of Persons with Disabilities that has entered into force in the EU and in line with the Commission proposal on the accessibility of public sector bodies' websites[1], persons with disabilities should be able to use trust services and end user products used in the provision of those services on equal bases with other consumers. |
|
__________________ |
|
[1] Proposal for a Directive of the European Parliament and of the Council on the accessibility of public sector bodies' websites (COM(2012)0721). |
Amendment 3 Proposal for a regulation Recital 24 a (new) | |
Text proposed by the Commission |
Amendment |
|
(24a) Electronic identification schemes should comply with Directive 95/46 of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data[1], which governs the processing of personal data carried out in the Member States pursuant to this Regulation and under the supervision of the Member States' competent authorities, in particular the independent public authorities designated by the Member States. |
|
__________________ |
|
[1] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31). |
Amendment 4 Proposal for a regulation Recital 25 | |
Text proposed by the Commission |
Amendment |
(25) Supervisory bodies should cooperate and exchange information with data protection authorities to ensure proper implementation of data protection legislation by service providers. The exchange of information should in particular cover security incidents and personal data breaches. |
(25) Supervisory bodies in the Member States should cooperate and exchange information with data protection authorities to ensure proper implementation of data protection legislation by service providers. The exchange of information should in particular cover security incidents and personal data breaches. |
Justification | |
The rapporteur is of the view that Member States must cooperate if harmonisation within the digital field is to be achieved. | |
Amendment 5 Proposal for a regulation Recital 30 | |
Text proposed by the Commission |
Amendment |
(30) To enable the Commission and the Member States to assess the effectiveness of the breach notification mechanism introduced by this Regulation, supervisory bodies should be requested to provide summary information to the Commission and to European Network and Information Security Agency (ENISA). |
(30) To enable the Commission and the Member States to assess the effectiveness of the breach notification mechanism introduced by this Regulation, supervisory bodies should be requested to provide summary information to the European Network and Information Security Agency (ENISA). |
Justification | |
The rapporteur only finds it necessary to report to a single point of contact. | |
Amendment 6 Proposal for a regulation Recital 49 | |
Text proposed by the Commission |
Amendment |
(49) In order to complement certain detailed technical aspects of this Regulation in a flexible and rapid manner, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of interoperability of electronic identification; security measures required of trust service providers; recognised independent bodies responsible for auditing the service providers; trusted lists; requirements related to the security levels of electronic signatures; requirements of qualified certificates for electronic signatures their validation and their preservation; the bodies responsible for the certification of qualified electronic signature creation devices; and the requirements related to the security levels of electronic seals and to qualified certificates for electronic seals; the interoperability between delivery services. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. |
deleted |
Justification | |
The rapporteur finds that this needs to be done before the Regulation enters into force and should not be left to delegated acts, cf. the following amendment. This recital is thus unnecessary. | |
Amendment 7 Proposal for a regulation Article 1 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. This Regulation lays down the conditions under which Member States shall recognise and accept electronic identification means of natural and legal persons falling under a notified electronic identification scheme of another Member State. |
2. This Regulation lays down the conditions under which Member States shall recognise and accept electronic identification means of any entity, natural or legal persons falling under a notified electronic identification scheme of another Member State. |
Amendment 8 Proposal for a regulation Article 1 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. This Regulation establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services and website authentication. |
3. This Regulation establishes a legal framework for electronic signatures, electronic seals, electronic validation and verification, electronic time stamps, electronic documents, electronic delivery services and website authentication. |
Amendment 9 Proposal for a regulation Article 2 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. This Regulation applies to electronic identification provided by, on behalf or under the responsibility of Member States and to trust service providers established in the Union. |
1. This Regulation applies to electronic identification provided by, on behalf of, under the responsibility or supervision of Member States. |
Justification | |
The rapporteur is of the opinion that it should be possible for Member States to outsource eID to third parties that are only supervised by the Member States. | |
Amendment 10 Proposal for a regulation Article 2 – paragraph 1 a (new) | |
Text proposed by the Commission |
Amendment |
|
1a. This Regulation applies to trust service providers established in the Union. |
Justification | |
The rapporteur would like to specify that the Regulation addresses two different issues. | |
Amendment 11 Proposal for a regulation Article 3 – paragraph 1 – point 1 | |
Text proposed by the Commission |
Amendment |
(1) ‘electronic identification’ means the process of using person identification data in electronic form unambiguously representing a natural or legal person; |
(1) ‘electronic identification’ means the process of using person identification data in electronic form unambiguously representing an entity, a natural or legal person or a pseudonym thereof; |
Amendment 12 Proposal for a regulation Article 3 – paragraph 1 – point 2 | |
Text proposed by the Commission |
Amendment |
(2) ‘electronic identification means’ means a material or immaterial unit containing data as referred to in point 1 of this Article, and which is used to access services online as referred to in Article 5; |
(2) ‘electronic identification means’ means a material or immaterial unit containing data as referred to in point 1 of this Article, and which is used to access electronic services as referred to in Article 5; |
Amendment 13 Proposal for a regulation Article 3 – paragraph 1 – point 10 | |
Text proposed by the Commission |
Amendment |
(10) ‘certificate’ means an electronic attestation which links electronic signature or seal validation data of a natural or a legal person respectively to the certificate and confirms those data of that person; |
(10) ‘certificate’ means an electronic attestation which links electronic signature or seal validation data of an entity, a natural or a legal person respectively to the certificate and confirms those data of that person; |
Amendment 14 Proposal for a regulation Article 3 – paragraph 1 – point 12 | |
Text proposed by the Commission |
Amendment |
(12) ‘trust service’ means any electronic service consisting in the creation, verification, validation, handling and preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication, and electronic certificates, including certificates for electronic signature and for electronic seals; |
(12) ‘trust service’ means any electronic service consisting, among others, of the creation, verification, validation, handling and preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication, and electronic certificates, including certificates for electronic signature and for electronic seals; |
Amendment 15 Proposal for a regulation Article 3 – paragraph 1 – point 14 | |
Text proposed by the Commission |
Amendment |
(14) ‘trust service provider’ means a natural or a legal person who provides one or more trust services; |
(14) ‘trust service provider’ means an entity, a natural or a legal person who provides one or more trust services; |
Amendment 16 Proposal for a regulation Article 3 – paragraph 1 – point 19 | |
Text proposed by the Commission |
Amendment |
(19) ‘creator of a seal’ means a legal person who creates an electronic seal; |
(19) ‘creator of a seal’ means an entity or a legal or natural person who creates an electronic seal; |
Amendment 17 Proposal for a regulation Article 3 – paragraph 1 – point 31 a (new) | |
Text proposed by the Commission |
Amendment |
|
(31a) 'personal data breach' means the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; |
Amendment 18 Proposal for a regulation Article 6 – paragraph 1 – point a | |
Text proposed by the Commission |
Amendment |
(a) the electronic identification means are issued by, on behalf of or under the responsibility of the notifying Member State; |
(a) the electronic identification means are issued by, on behalf of, under the responsibility of, or supervised by the notifying Member State; |
Justification | |
In the view of the rapporteur it should be possible for Member States to outsource eID to third parties that are only supervised by the Member States. | |
Amendment 19 Proposal for a regulation Article 6 – paragraph 1 – point c | |
Text proposed by the Commission |
Amendment |
(c) the notifying Member State ensures that the person identification data are attributed unambiguously to the natural or legal person referred to in Article 3 point1; |
(c) the notifying Member State ensures that the person identification data are attributed unambiguously to the entity, natural or legal person referred to in Article 3, point 1; |
Amendment 20 Proposal for a regulation Article 6 – paragraph 1 – point e – introductory part | |
Text proposed by the Commission |
Amendment |
(e) the notifying Member State takes liability for: |
(e) unless the identity provider can establish that he has not acted negligently, the identity provider takes liability for: |
Justification | |
The rapporteur is of the view that it should be possible for Member States to outsource eID to third parties to ensure competition. | |
Amendment 21 Proposal for a regulation Article 6 – paragraph 1 – point e a (new) | |
Text proposed by the Commission |
Amendment |
|
(ea) the notifying Member State takes responsibility for the establishment of a supervisory scheme for the identity provider and for supervision and reporting in accordance with this Regulation. |
Justification | |
The rapporteur recognises that Member States need to have strong control with their identity providers to ensure the mutual trust between Member States. | |
Amendment 22 Proposal for a regulation Article 7 – paragraph 1 – point a | |
Text proposed by the Commission |
Amendment |
(a) a description of the notified electronic identification scheme; |
(a) description of the notified electronic identification scheme, including the level of security; |
Justification | |
The rapporteur finds it necessary to incorporate the security level into the interoperability model to ensure mutual trust. | |
Amendment 23 Proposal for a regulation Article 7 a (new) | |
Text proposed by the Commission |
Amendment |
|
Article 7a |
|
Protection and processing of personal data |
|
1. Processing of personal data by electronic identification schemes shall be carried out in accordance with Directive 95/46/EC. |
|
2. Such processing shall be fair and lawful and strictly limited to the minimum data needed to issue and maintain a certificate or to provide an electronic identification service. |
|
3. Personal data shall be kept in a form which permits the identification of data subjects for no longer than necessary for the purpose for which the personal data are processed. |
|
4. Electronic identification schemes shall ensure the confidentiality and integrity of data relating to a person to whom the trust service is provided. |
|
5. Without prejudice to the legal effect given to pseudonyms under national law, Member States shall not prevent the indication in electronic identification certificates of a pseudonym instead of the signatory's name. |
Amendment 24 Proposal for a regulation Article 8 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. Member States shall cooperate in order to ensure the interoperability of electronic identification means falling under a notified scheme and to enhance their security. |
1. Member States shall cooperate in order to ensure the interoperability and technological neutrality of electronic identification means falling under a notified scheme and to enhance their security. |
Justification | |
The electronic identification requirement applies regardless of the means employed and should be neutral in terms of present and future identification technologies. | |
Amendment 25 Proposal for a regulation Article 8 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. The Commission shall, by means of implementing acts, establish the necessary modalities to facilitate the cooperation between the Member States referred to in paragraph 1 with a view to fostering a high level of trust and security appropriate to the degree of risk. Those implementing acts shall concern, in particular, the exchange of information, experiences and good practice on electronic identification schemes, the peer review of notified electronic identification schemes and the examination of relevant developments arising in the electronic identification sector by the competent authorities of the Member States. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
2. The Commission shall, by means of implementing acts, establish the interoperability framework to facilitate the cooperation between the Member States referred to in paragraph 1 with a view to fostering a high level of trust and security appropriate to the degree of risk. Those implementing acts shall concern, in particular, the exchange of information, experiences and good practice on electronic identification schemes, the peer review of notified electronic identification schemes and the examination of relevant developments arising in the electronic identification sector by the competent authorities of the Member States. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
Amendment 26 Proposal for a regulation Article 8 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the facilitation of cross border interoperability of electronic identification means by setting of minimum technical requirements. |
deleted |
Amendment 27 Proposal for a regulation Article 8 a (new) | |
Text proposed by the Commission |
Amendment |
|
Article 8a |
|
Security requirements applicable to electronic identification schemes |
|
1. Electronic identification schemes shall take appropriate technical and organisational measures to manage the risks posed to the security of the electronic identification means they provide. Having regard to the state of the art, those measures shall ensure that the level of security is appropriate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of the adverse effects of any incidents. |
|
Electronic identification schemes shall submit the report of a security audit carried out by a recognised independent body to the supervisory body after an incident to confirm that appropriate security measures have been taken. |
|
2. Electronic identification schemes shall, without undue delay and where feasible not later than 24 hours after having become aware of it, notify the competent supervisory body, the competent national body for information security and other relevant third parties, such as data protection authorities, of any personal data breach that has a significant impact on the electronic identification provided and on the personal data retained therein. |
|
Where appropriate, in particular if a personal data breach concerns two or more Member States, the competent supervisory body shall inform the supervisory bodies in the other Member States. |
|
The competent supervisory body may also inform the public or require the electronic identification scheme to do so, where it determines that disclosure of the breach is in the public interest. |
|
3. Once a year the supervisory body of each Member State shall provide to ENISA a summary of breach notifications received from electronic identification schemes. |
|
4. In order to implement paragraphs 1 and 2, the competent supervisory body shall have the power to issue binding instructions to electronic identification providers. |
|
5. The Commission shall be empowered to adopt delegated acts, in accordance with Article 38, concerning the further specification of the measures referred to in paragraph 1. |
|
6. The Commission may, by means of implementing acts, define the circumstances, formats and procedures, including deadlines, applicable for the purpose of paragraphs 1 to 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). |
Amendment 28 Proposal for a regulation Article 8 b (new) | |
Text proposed by the Commission |
Amendment |
|
Article 8b |
|
Right of information and access of users of electronic identification schemes |
|
Electronic identification schemes shall provide data subjects with information regarding the collection, communication and retention of their data, as well as the means to access their data pursuant to Article 10 of Directive 95/46/EC. |
Amendment 29 Proposal for a regulation Article 9 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. A trust service provider shall be liable for any direct damage caused to any natural or legal person due to failure to comply with the obligations laid down in Article 15(1), unless the trust service provider can prove that he has not acted negligently. |
1. A trust service provider shall be liable under national law for any damage caused to an entity, natural or legal person due to non-compliance with the obligations laid down in Article 15(1), unless the trust service provider can prove that he has not acted negligently. |
Justification | |
The rapporteur finds that the liability is too far reaching. | |
Amendment 30 Proposal for a regulation Article 11 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. Trust service providers and supervisory bodies shall ensure fair and lawful processing in accordance with Directive 95/46/EC when processing personal data. |
1. Trust service providers and supervisory bodies shall ensure fair and lawful collecting and processing of personal data in accordance with Directive 95/46/EC. |
Amendment 31 Proposal for a regulation Article 11 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. Trust service providers shall process personal data according to Directive 95/46/EC. Such processing shall be strictly limited to the minimum data needed to issue and maintain a certificate or to provide a trust service. |
2. Trust service providers and supervisory bodies shall collect and process personal data according to Directive 95/46/EC. Such collecting and processing shall be strictly limited to the minimum personal data needed to issue and maintain a certificate or to provide a trust service. |
Amendment 32 Proposal for a regulation Article 11 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. Trust service providers shall guarantee the confidentiality and integrity of data related to a person to whom the trust service is provided. |
3. Trust service providers shall ensure the confidentiality and integrity of data related to a person to whom the trust service is provided. |
Justification | |
In the view of the rapporteur the trust service provider cannot guarantee the integrity of information provided by the user; they can only safeguard the information given. | |
Amendment 33 Proposal for a regulation Article 11 a (new) | |
Text proposed by the Commission |
Amendment |
|
Article 11a |
|
Right of information and access of users of trust services |
|
Trust services shall provide data subjects with information regarding the collection, communication and retention of their data, as well as the means to access their data pursuant to Article 10 of Directive 95/46/EC. |
Amendment 34 Proposal for a regulation Article 12 | |
Text proposed by the Commission |
Amendment |
Trust services provided and end user products used in the provision of those services shall be made accessible for persons with disabilities whenever possible. |
Trust services provided and end user products used in the provision of those services shall be made accessible for persons with disabilities. |
Amendment 35 Proposal for a regulation Article 13 a (new) | |
Text proposed by the Commission |
Amendment |
|
Article 13a |
|
Cooperation with data protection authorities |
|
Member States shall provide that the supervisory bodies referred to in Article 13 shall cooperate with Member States' data protection authorities designated pursuant to Article 28 of Directive 95/46/EC in order to enable them to ensure compliance with national data protection rules adopted pursuant to Directive 95/46/EC. |
Amendment 36 Proposal for a regulation Article 13 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. The Commission shall be empowered to adopt delegated acts, in accordance with Article 38, concerning the definition of procedures applicable to the tasks referred to in paragraph 2. |
5. The Commission shall be empowered to adopt implementing acts, in accordance with Article 39, concerning the definition of procedures applicable to the tasks referred to in paragraph 2. |
Justification | |
The rapporteur finds it necessary to change Article 13(5) to implementing acts, to ensure clarity. | |
Amendment 37 Proposal for a regulation Article 15 – paragraph 1 – subparagraph 2 | |
Text proposed by the Commission |
Amendment |
Without prejudice to Article 16(1), any trust service provider may submit the report of a security audit carried out by a recognised independent body to the supervisory body to confirm that appropriate security measures have been taken. |
Without prejudice to Article 16(1), any trust service provider shall submit the report of a security audit carried out by a recognised independent body to the supervisory body after an incident to confirm that appropriate security measures have been taken. |
Justification | |
The rapporteur is of the view that a trust service provider should be obliged to carry out an audit after an incident in order to avoid the same mistake in the future. | |
Amendment 38 Proposal for a regulation Article 15 – paragraph 2 – subparagraph 3 | |
Text proposed by the Commission |
Amendment |
The supervisory body concerned may also inform the public or require the trust service provider to do so, where it determines that disclosure of the breach is in the public interest. |
The competent supervisory body may also inform the public or require the trust service provider to do so, where it determines that disclosure of the breach is in the public interest. |
Justification | |
The amendment is made in consistency with the change to article 15, paragraph 1. | |
Amendment 39 Proposal for a regulation Article 15 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. The supervisory body shall provide to ENISA and to the Commission once a year with a summary of breach notifications received from trust service providers. |
3. The supervisory body of each Member State shall provide ENISA once a year with a summary of breach notifications received from trust service providers. |
Justification | |
The rapporteur finds it unnecessary for supervisory boards to report to more than a single point. | |
Amendment 40 Proposal for a regulation Article 16 – paragraph 1 | |
Text proposed by the Commission |
Amendment |
1. Qualified trust service providers shall be audited by a recognised independent body once a year to confirm that they and the qualified trust services provided by them fulfil the requirements set out in this Regulation, and shall submit the resulting security audit report to the supervisory body. |
1. Qualified trust service providers shall, at their own expense, be audited by a recognised independent body every second year to confirm that they and the qualified trust services provided by them fulfil the requirements set out in this Regulation, and shall submit the resulting security audit report to the competent supervisory body. |
Justification | |
The rapporteur finds no need to have audits every year as long as the qualified trust service provider has previously proven to live up to the regulation as it is an extensive and costly measure. | |
Amendment 41 Proposal for a regulation Article 17 – paragraph 2 | |
Text proposed by the Commission |
Amendment |
2. Once the relevant documents are submitted to the supervisory body according to paragraph 1, the qualified service providers shall be included in the trusted lists referred to in Article 18 indicating that the notification has been submitted. |
2. Once the relevant documents are submitted to the supervisory body according to paragraph 1, the qualified service providers shall be included in the trusted lists referred to in Article 18 indicating that the notification has been submitted and are awaiting confirmation of conformity by the supervisory body. |
Justification | |
It is the view of the rapporteur that it needs to be clear whether the trust service has been approved or still awaits confirmation of conformity for security reasons. | |
Amendment 42 Proposal for a regulation Article 17 – paragraph 3 – subparagraph 2 | |
Text proposed by the Commission |
Amendment |
The supervisory body shall indicate the qualified status of the qualified service providers and the qualified trust services they provide in the trusted lists after the positive conclusion of the verification, not later than one month after the notification has been done in accordance with paragraph 1. |
The supervisory body shall indicate the qualified status of the qualified service providers and the qualified trust services they provide in the trusted lists after the positive conclusion of the verification, not later than 30 days after the notification has been done in accordance with paragraph 1. |
Justification | |
A month is not a precise timeframe since there can be a difference of more than 3 days. | |
Amendment 43 Proposal for a regulation Article 18 – paragraph 3 | |
Text proposed by the Commission |
Amendment |
3. Member States shall notify to the Commission, without undue delay, information on the body responsible for establishing, maintaining and publishing national trusted lists, and details of where such lists are published, the certificate used to sign or seal the trusted lists and any changes thereto. |
3. Member States shall notify to the Commission, without undue delay, information on the body responsible for establishing, maintaining and publishing national trusted lists, and details of where such lists are published, the certificate that is used to validate the signature or seal applied to the trusted lists and any changes thereto. |
Justification | |
You cannot sign with a certificate or a seal; you can only validate. | |
Amendment 44 Proposal for a regulation Article 18 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of the information referred to in paragraph 1. |
deleted |
Justification | |
In the view of the rapporteur this should be in the competence of the supervisory body not the Commission. | |
Amendment 45 Proposal for a regulation Article 19 – paragraph 1 – subparagraph 1 | |
Text proposed by the Commission |
Amendment |
1. When issuing a qualified certificate, a qualified trust service provider shall verify, by appropriate means and in accordance with national law, the identity and, if applicable, any specific attributes of the natural or legal person to whom a qualified certificate is issued. |
1. When issuing a qualified certificate, a qualified trust service provider shall verify, by appropriate means and in accordance with national law, the identity and, if applicable, any specific attributes of the entity, natural or legal person to whom a qualified certificate is issued. |
Amendment 46 Proposal for a regulation Article 19 – paragraph 2 – point d | |
Text proposed by the Commission |
Amendment |
(d) use trustworthy systems and products which are protected against modification and guarantee the technical security and reliability of the process supported by them; |
(d) use trustworthy systems and products which are protected against unauthorised modification and guarantee the technical security and reliability of the process supported by them; |
Justification | |
Systems need to be altered over time in order to keep them up to date, and in the view of the rapporteur this thus needs to be possible. | |
Amendment 47 Proposal for a regulation Article 19 – paragraph 2 – point d a (new) | |
Text proposed by the Commission |
Amendment |
|
(da) the compliance referred to in point (b) may without prejudice to national identification schemes allow for the remote issuing of electronic identification through a previously conducted verification of physical appearance; |
Justification | |
In the view of the rapporteur Member States should be allowed to issue electronic identification schemes based on previous verification. | |
Amendment 48 Proposal for a regulation Article 19 – paragraph 2 – point i a (new) | |
Text proposed by the Commission |
Amendment |
|
(ia) make publicly available its data protection policy, indicating the data protection authority competent for its supervision. |
Amendment 49 Proposal for a regulation Article 20 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. If an electronic signature with a security assurance level below qualified electronic signature is required, in particular by a Member State for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic signatures matching at least the same security assurance level shall be recognised and accepted. |
4. If an electronic signature with a security level below the defined level for a qualified electronic signature is required, in particular by a Member State for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic signatures matching at least the same security assurance level shall be recognised and accepted. |
Justification | |
In the view of the rapporteur the security level should be defined through implementing acts as specified in Articles 7 and 8. | |
Amendment 50 Proposal for a regulation Article 20 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. Member States shall not request for cross-border access to a service online offered by a public sector body an electronic signature at a higher security assurance level than qualified electronic signature. |
5. Member States shall not request for cross-border access to a service online offered by a public sector body an electronic signature at a higher security level than qualified electronic signature. |
Justification | |
The word 'assurance' is unnecessary. | |
Amendment 51 Proposal for a regulation Article 20 – paragraph 6 | |
Text proposed by the Commission |
Amendment |
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of the different security levels of electronic signature referred to in paragraph 4. |
deleted |
Justification | |
In the view of the rapporteur such an important definition should not be left for delegated acts but dealt with within annex I. | |
Amendment 52 Proposal for a regulation Article 28 – paragraph 4 | |
Text proposed by the Commission |
Amendment |
4. If an electronic seal security assurance level below the qualified electronic seal is required, in particular by a Member State for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic seals matching at a minimum the same security assurance level shall be accepted. |
4. If an electronic seal security level below the qualified electronic seal is required, in particular by a Member State for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic seals matching at a minimum the same security assurance level shall be accepted. |
Justification | |
The word assurance is unnecessary and changed to ensure consistency with previous amendments. | |
Amendment 53 Proposal for a regulation Article 28 – paragraph 5 | |
Text proposed by the Commission |
Amendment |
5. Member States shall not request for accessing a service online offered by a public sector body an electronic seal with higher security assurance level than qualified electronic seals. |
5. Member States shall not request for accessing a service online offered by a public sector body an electronic seal with higher security level than qualified electronic seals. |
Justification | |
The word assurance is unnecessary and changed to ensure consistency with previous amendments. | |
Amendment 54 Proposal for a regulation Article 28 – paragraph 6 | |
Text proposed by the Commission |
Amendment |
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of different security assurance levels of electronic seals referred to in paragraph 4. |
deleted |
Justification | |
The rapporteur is of the view that this needs to be settled within the regulation and not left for delegated acts but should be dealt with within annex III instead. | |
Amendment 55 Proposal for a regulation Article 28 – paragraph 7 | |
Text proposed by the Commission |
Amendment |
7. The Commission may, by means of implementing acts, establish reference numbers of standards for the security assurance levels of electronic seals. Compliance with the security assurance level defined in a delegated act adopted pursuant to paragraph 6 shall be presumed when an electronic seal meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
7. The Commission shall, by means of implementing acts, establish reference numbers of standards for the defined security levels of electronic seals. Compliance with the defined security level in Annex III shall be presumed when an electronic seal meets those standards. The implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union. |
Justification | |
The paragraph is changed in accordance with the deletion of paragraph 6. | |
Amendment 56 Proposal for a regulation Article 38 | |
Text proposed by the Commission |
Amendment |
1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article. |
1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article. |
2. The power to adopt delegated acts referred to in Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) shall be conferred on the Commission for an indeterminate period of time from the entry into force of this Regulation. |
2. The power to adopt delegated acts referred to in Articles 8a(5), 15(5), 16(5), 21(4), 23(3), 25(2), 27(2), 29(4), 30(2), 31, 35(3) and 37(3) shall be conferred on the Commission for an indeterminate period of time from the entry into force of this Regulation. |
3. The delegation of power referred to in Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force. |
3. The delegation of power referred to in Articles 8a(5), 15(5), 16(5), 21(4), 23(3), 25(2), 27(2), 29(4), 30(2), 31, 35(3) and 37(3) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force. |
4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council. |
4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council. |
5. A delegated act adopted pursuant to Articles 8(3), 13(5), 15(5), 16(5), 18(5), 20(6), 21(4), 23(3), 25(2), 27(2), 28(6), 29(4), 30(2), 31, 35(3) and 37(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council. |
5. A delegated act adopted pursuant to Articles 8a(5), 15(5), 16(5), 21(4), 23(3), 25(2), 27(2), 29(4), 30(2), 31, 35(3) and 37(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council. |
Amendment 57 Proposal for a regulation Annex I – paragraph 1 – point b – subparagraph 2 a (new) | |
Text proposed by the Commission |
Amendment |
|
Sensitive data within the meaning of Article 8 of Directive 95/46/EC shall not be processed. |
Amendment 58 Proposal for a regulation Annex III – paragraph 1 – point b – subparagraph 2 a (new) | |
Text proposed by the Commission |
Amendment |
|
Sensitive data within the meaning of Article 8 of Directive 95/46/EC shall not be processed. |
Amendment 59 Proposal for a regulation Annex IV – paragraph 1 – point b – subparagraph 2 a (new) | |
Text proposed by the Commission |
Amendment |
|
Sensitive data within the meaning of Article 8 of Directive 95/46/EC shall not be processed. |
PROCEDURE
Title | Electronic identification and trust services for electronic transactions in the internal market |
References | COM(2012)0238 – C7-0133/2012 – 2012/0146(COD) |
Committee responsible (date announced in plenary) | ITRE 14.6.2012 |
Opinion by (date announced in plenary) | LIBE 14.6.2012 |
Rapporteur (date appointed) | Jens Rohde 20.9.2012 |
Discussed in committee | 25.4.2013, 29.5.2013 |
Date adopted | 8.7.2013 |
Result of final vote | +: 34, –: 4, 0: 0 |
Members present for the final vote | Jan Philipp Albrecht, Edit Bauer, Emine Bozkurt, Salvatore Caronna, Philip Claeys, Carlos Coelho, Agustín Díaz de Mera García Consuegra, Ioan Enciu, Frank Engel, Cornelia Ernst, Tanja Fajon, Hélène Flautre, Nathalie Griesbeck, Sylvie Guillaume, Anna Hedh, Sophia in ‘t Veld, Teresa Jiménez-Becerril Barrio, Anthea McIntyre, Roberta Metsola, Claude Moraes, Georgios Papanikolaou, Carmen Romero López, Judith Sargentini, Birgit Sippel, Renate Sommer, Rui Tavares, Nils Torvalds, Kyriacos Triantaphyllides, Axel Voss, Renate Weber, Josef Weidenholzer, Cecilia Wikström, Tatjana Ždanoka, Auke Zijlstra |
Substitute(s) present for the final vote | Anna Maria Corazza Bildt, Mariya Gabriel, Jens Rohde, Salvador Sedó i Alabart |
PROCEDURE
Title | Electronic identification and trust services for electronic transactions in the internal market |
References | COM(2012)0238 – C7-0133/2012 – 2012/0146(COD) |
Date submitted to Parliament | 4.6.2012 |
Committee responsible (date announced in plenary) | ITRE 14.6.2012 |
Committee(s) asked for opinion(s) (date announced in plenary) | ECON 14.6.2012, IMCO 14.6.2012, JURI 14.6.2012, LIBE 14.6.2012 |
Not delivering opinions (date of decision) | ECON 11.9.2012 |
Associated committee(s) (date announced in plenary) | IMCO 7.2.2013 |
Rapporteur(s) (date appointed) | Marita Ulvskog 3.7.2012 |
Discussed in committee | 18.12.2012, 24.4.2013, 19.6.2013 |
Date adopted | 14.10.2013 |
Result of final vote | +: 37, –: 4, 0: 1 |
Members present for the final vote | Amelia Andersdotter, Josefa Andrés Barea, Jean-Pierre Audy, Ivo Belet, Jan Březina, Reinhard Bütikofer, Maria Da Graça Carvalho, Giles Chichester, Jürgen Creutzmann, Pilar del Castillo Vera, Christian Ehler, Vicky Ford, Adam Gierek, Norbert Glante, Fiona Hall, Edit Herczog, Romana Jordan, Philippe Lamberts, Bogdan Kazimierz Marcinkiewicz, Marisa Matias, Angelika Niebler, Jaroslav Paška, Vittorio Prodi, Herbert Reul, Jens Rohde, Paul Rübig, Salvador Sedó i Alabart, Francisco Sosa Wagner, Evžen Tošenovský, Ioannis A. Tsoukalas, Claude Turmes, Marita Ulvskog, Alejo Vidal-Quadras |
Substitute(s) present for the final vote | Antonio Cancian, Rachida Dati, Ioan Enciu, Françoise Grossetête, Roger Helmer, Jolanta Emilia Hibner, Werner Langen, Zofija Mazej Kukovič, Alajos Mészáros |
Date tabled | 6.11.2013 |