What is the legislation?
The Regulation (EU) N°910/2014 on electronic identification and trust services for electronic transactions in the internal market (better known as the eIDAS Regulation) has applied directly to the EU Member States since 1 July 2016, when it came into full effect and the eSignature Directive of 1999 was repealed. The new legal framework ensures legal certainty for cross-border use of e-signatures, e-seals, time-stamps, eDelivery service and website authentication certificates. The main changes introduced by the eIDAS Regulation are:
- a regulation, not a directive, making it directly applicable across Europe without the need for transposition into national legislation
- paving the way to new remote qualified signature solutions and improved user experience
- a pan-European harmonization of electronic signature
- electronic documents cannot be denied legal effect solely because they are in electronic form
- qualified trust services across Europe
- the introduction of electronic seals, available to legal persons, technologically similar to electronic signature and ensuring identity and integrity
- the introduction of time stamping
- the constitutive effect of national Trusted Lists
- a qualified validation service for qualified electronic signatures
The Commission Implementing Decision related to the publication of Trusted Lists
Article 22 of the eIDAS Regulation obliges Member States to publish information related to the qualified trust service providers (QTSP) for which they are responsible, together with information related to the qualified trust services provided by them. Non-qualified trust service providers and trust services can be included on a voluntary basis. This information is published in so-called ‘trusted lists’ and Commission Implementing Decision (EU) 2015/1505 defines the technical specifications of these trusted lists.
The result of this Decision is the EU Trust Backbone, composed of the EU List of the Trusted Lists and the different Member States' Trusted Lists, a critical common asset upon which electronic signatures in Europe rely.
The Commission Implementing Decision related to cross-border processing of e-signatures
Following Articles 27 and 37 of the eIDAS Regulation, Commission Implementing Decision (EU) 2015/1506 specifies minimum formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies to ensure cross-border interoperability of the online services offered by then.
eSignature Directive (1999/93/EC)
Until 2000, only hand-written signatures were legally valid. The Directive on a Community framework for electronic signature (eSignature Directive), adopted in 1999, went into effect in January of 2000 and extended that recognition to electronic signatures.
The eSignature Directive established the legal framework at European level for electronic signatures and certification services. The aim was to ensure the security and legal integrity of communication occurring online by making electronic signatures easier to use and legally recognised within the European Union. Completion of such a legal framework was an essential prerequisite for efficient electronic delivery of public services and for the development of safe electronic transactions. The Directive did not favour any specific technology.
The eSignature Directive was repealed as of 1 July 2016 when the rules on trust services under the eIDAS Regulation came into effect.
The Services Directive (2006/123/EC)
Since 2006, all Member States have a Point of Single Contact, to facilitate the free establishment of service providers and the free provision of services in the European Union. Under the Services Directive (2006/123/EC), service providers from any Member State willing to create and run a business in another Member State are entitled to carry out all the relevant administrative procedures and formalities via the Points of Single Contact and by electronic means, including across borders.
The use of electronic signatures is a means to support the implementation of the Services Directive. Service providers may submit documents through the electronic channels of the Points of Single Contact, which were issued and signed digitally by the competent national authorities of another Member State. Likewise, the document submitted may have been signed electronically by the service providers themselves.
Electronic signatures must therefore be accepted and technically supported across Member States. Pursuant to legal requirements arising from European Commission Decisions:*
- where an electronic signature is required, Member States must accept advanced electronic signatures based on a qualified certificate, with or without a secure signature device, for the completion of the formalities and procedures via the Points of Single Contact;
- each Member State must establish, maintain and publish a Trusted List of certified service providers issuing qualified certificates to the public who are supervised/accredited by them;
- Member States must put in place the necessary technical means allowing them to process electronically signed documents issued by competent authorities that service providers submit in the context of completing procedures and formalities through the Points of Single Contact.
(* presented in the two sections below, on publication of Trusted Lists, and on cross-border processing of eSignatures)
In this context, SD-DSS (the forerunner of DSS) and Trusted List Manager were developed under the ISA program, to make it easy for Member States and their e-government managers to comply with these obligations by providing them with the necessary technical tools to manage Trusted Lists and to create and verify so-called “advanced electronic signatures”.
Previous Commission Decisions related to the publication of Trusted Lists
Commission Decision 2009/767/EC, with corrigendum, amended by Commission Decision 2010/425/EU, and Commission Decision 2013/662/EU, obliges Member States to make available information necessary for the validation of advanced electronic signatures supported by a qualified certificate. This information is published in so-called ‘trusted lists’ containing information on certified service providers issuing qualified certificates to the public on a Community framework for electronic signatures and are supervised/accredited by the Member States.
Previous Commission Decisions related to cross-border processing of e-signatures
Commission Decision 2011/130/EU, amended by Commission Decision 2014/148/EU, with corrigendum, establishing minimum requirements for the cross-border processing of documents signed electronically by competent authorities under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market.