The EC has adopted the Regulation on electronic identification and trust services for electronic transactions in the internal market.
What's the issue?
The e-Signatures Directive, passed in 1999, which recognised the legal validity of electronic signatures in the EU, has become outdated as more and more activities previously conducted on paper or in person are carried out or transmitted online. In particular, the e-Signatures Directive does not deal with trust services (paid-for authentication services), electronic seals or website authentication. In addition, the absence of harmonised standards in new authentication systems across the EU has long been considered a barrier to the functioning of the internal market.
What's the development?
After several years of negotiation, the EC has adopted the Regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS). The eIDAS Regulation:
- lays down conditions for mutual recognition of electronic identification;
- sets out rules for trust services, in particular for electronic transactions;
- creates a legal framework for electronic signatures, seals and time stamps, electronic documents, electronic registered delivery services and certificate services for website authentication.
The new Regulation will (mostly) apply from 1 July 2016. From that date, the e-Signature Directive (1999/93/EC) is repealed. It is worth mentioning that the Department for Business, Industry and Skills has just published guidance on electronic signatures as the law currently stands under the e-Signature Directive.
Member States may choose to join the mutual recognition schemes of e-identification (eID) as soon as the necessary implementing acts are in place, which is expected to be in the second half of 2016. The mandatory mutual recognition is expected to apply in the latter half of 2018.
What does this mean for you?
The Regulation makes it clear that electronic signatures, seals and time stamps and electronic documents will not be legally invalid simply because they are electronic. It is, however, left up to Member States to make any decisions about particular requirements for certain transactions (for example, exemptions in relation to transfers of land).
Provision is made for two tiers of standards in most areas of electronic authentication. The superior level must be "qualified" or meet criteria which are either laid down in the Regulation or can be provided for by secondary legislation. For example, an "advanced electronic signature", which is given the same effect as a handwritten signature, must meet the following requirements:
- it is uniquely linked to the signatory;
- it is capable of identifying the signatory;
- it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
- it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
Provisions are also made for reciprocal recognition of electronic identification and authentication schemes across Member States, again subject to them meeting set criteria.
For those who use or provide electronic authentication services, this is a key piece of legislation.
Among other things, the Regulation makes provision for the following:
- Member States will be required to recognise means of eID of natural and legal persons falling under another Member State's eID scheme which has been notified to the Commission. Member States can choose whether or not to notify some, all or none of the eID schemes used at national level to access public online or specific services. Notified schemes must be interoperable. The new rules only cover cross-border aspects of using eID. Member States retain jurisdiction over national eID schemes;
- the Regulation enhances and expands provisions under the e-Signature Directive in relation to standards for electronic signatures taking on the equivalent legal effect of a handwritten signature, and also introduces rules on trust services for the first time, including the creation and verification of electronic time stamps and electronic registered delivery services, or the creation and validation of certificates to authenticate websites. Trust services which comply with the Regulation can be used throughout the EU;
- Member States will set up supervisory bodies to oversee co-operation and best practice and to recognise "qualified" trust services;
- an EU trust mark will be created which can be used (but does not have to be) to identify trust services which meet certain criteria.