Docstoc

Electronic signatures in Europe KU Leuven

Document Sample
Electronic signatures in Europe KU Leuven Powered By Docstoc
					                THE IMPLEMENTATION OF THE
  EUROPEAN DIRECTIVE ON ELECTRONIC SIGNATURES




                  Status report September 2002




            Landwell law firms (www.landwellglobal.com)
Interdisciplinary Centre for Law and Information Technology, K.U.Leuven
                               (www.icri.be)

                                                                          1
Table of Contents



Austria..................................................................................................................3

Belgium ................................................................................................................7

Denmark ............................................................................................................11

Finland ...............................................................................................................15

France................................................................................................................19

Germany............................................................................................................22

Greece ...............................................................................................................25

Ireland ................................................................................................................31

Italy.....................................................................................................................35

Luxembourg ......................................................................................................39

The Netherlands................................................................................................44

Portugal..............................................................................................................47

Spain ..................................................................................................................49

Sweden..............................................................................................................54

United Kingdom.................................................................................................57

Contact details...................................................................................................61




                    2
Austria


 1. References to relevant laws, decrees, implementation measures, related e-government
    initiatives (with url’s to relevant webpages): where can we find the text of the laws and decrees
    and follow the developments in this area in your country?

          1. Act on Electronic Signatures 1999 (Bundesgesetz über Elektronische Signaturen).

          This act is published in the Federal Law Gazette (Bundesgesetzblatt BGBl I 1999/190) on 19
          August 1999, and was amended by BGBl I 2000/137 on 29 December 2000, by BGBl I 2001/32 on
          30 March 2001 and by BGBl I 2001/152 on 21 December 2001. We will refer to this Act as “ES-
          Act”.

          2. Ordinance of the Federal Minister on Electronic Signatures 2000 (Verordnung des
          Bundeskanzlers über Elektronische Signaturen).

          This ordinance is published in the Federal Law Gazette (Bundesgesetzblatt BGBl II 2000/30). We
          will refer to this ordinance as “ES-Ordinance”.

          3. Ordinance of the Federal Minister on the Suitability of Confirmation Offices 2002
          (Verordnung des Bundeskanzlers über die Eignung von Bestätigungsstellen).

          This ordinance was issued on the basis of the Commission Decision of 6 November 2000 on the
          Minimum Criteria to be taken into Account by Member States when designating Bodies in
          accordance with Article 3(4) of Directive 1999/93/EC. It is published in the Federal Law Gazette
          (Bundesgesetzblatt BGBl II 2002/117). We will refer to this ordinance as “EB-Ordinance”.

          4. All relevant legal instruments and information can be found on the website of the competent
          authority regarding electronic signatures, Rundfunk- und Telekom Regulierungs-GmbH (www.rtr.at)
          and is partly in English language available, too.



 2. Transposition of art. 5.1 of the directive: briefly describe how the equivalence between qualified
    electronic signatures and handwritten signatures has been established.

          In general there are no special formal requirements under Austrian contract law. Therefore
          agreements can be entered into by any, including electronic means. However, for various legal
          actions Austrian law foresees special requirements such as written form or notarisation by a notary
          public.
          Art. 5.1 (a) of the directive is implemented by Sec. 4, para. 1 of the ES-Act. Which states that a
          “secure” electronic signature (sichere elektronische Signatur) fulfills the legal requirements of a
          handwritten signature, esp. regarding writing acc. to Sec. 886 General Civil Code (Allgemeines
          Bürgerliches Gesetzbuch). A secure electronic signature has to fulfill special requirements as
          regulated by law.
          Furthermore, the ES-Act provides that for different legal transactions a secure electronic signature
          fulfills not the requirements of a handwritten signature acc. to Sec. 886 General Civil Code. This is
          the case for:
          - legal transactions regarding familiy and inheritance law, which are bound to written or even
          stricter formal requirements,



                                                                                                             3
        - other declarations or legal transactions which are bound to the requirement of an official
        authentication, judicial or notarial legalization or notarial deed,
        - declarations, legal transactions or applications which require an official authentication, judicial or
        notarial legalization or notarial deed for the registration in the Companies´ Register (Firmenbuch),
        the Real Estate Register (Grundbuch) or any other official register, and
        - sureties (Bürgschaften).
        Art. 5.1 (b) of the directive has been implemented by Sec. 3 para. 3 ES-Act, where it is stated that
        the assumption of authenticity of a document acc. to Sec. 294 Act on Civil Procedures
        (Zivilprozessordnung) is also applicable for documents with secure electronic signatures.
        This means that private documents which are signed with a secure electronic signature are
        sufficient evidence for the fact that the content stems from the signing person.


3. Transposition of art. 5.2: how has this provision of the directive been transposed in your
   national law and what are the consequences? If 5.2 has not been transposed explicitly, what is
   the legal value of (not qualified) electronic signatures in your country?

        Art. 5.2 of the directive is implemented more or less literally by Sec. 3 para. 2 ES-Act.


4. Transposition of Annex 1: enacted and draft provisions about the requirements for qualified
   certificates (the question here is whether your law, in comparison with Annex 1, has divergent
   or more precise provisions about this; are there any references to standards?)

        The wording of annex 1 of the Directive is implemented more or less literally into Sec. 5 ES-Act.
        Following the Austrian ES-Act further details and information may be requested into the qualified
        certificate by the person buying the certificate.


5. Transposition of Annex 2: enacted and draft provisions about the requirements for CSP’s
   issuing qualified certificates (same question as 4: are there already more detailed
   requirements? references to standards?)

        All requirements laid down in annex 2 of the Directive have been incorporated into the Austrian ES-
        Act in Sec. 7 para. 1-3. Furthermore it is regulated that secure electronic signatures may be bound
        to these requirements in the voluntary accreditation.


6.   Transposition of Annex 3: enacted and draft provisions about the requirements for secure
     signature-creation devices (same question as 4: are there already more detailed requirements?
     references to standards?)

        The requirements of annex 3 of the Directive are incorporated in Sec. 7 para. 2 ES-Act. It refers to
        organizational and technical aspects, technical aspects are laid down in Sec. 18 ES-Act. Annex 3
        (2) is regulated more strictly by Sec. 18 para. 2 ES-Act, where it is said that data to be signed has to
        be presented to the signatory prior to the signature process.
        More details are laid down in the ES-Ordinance.


7.   Transposition of Annex 4: have the recommendations of Annex 4 been taken into account by
     your legislator or government (question is: did your country something with these
     recommendations?)

        Annex 4 of the Directive has been incorporated into the ES-Act in Sec. 18 para 4.



        4
8. Transposition of Art. 3.3: describe briefly the “appropriate system that allows for supervision”
   of CSP’s established in your country and issuing qualified certificates to the public. Is there any
   kind of supervision for other CSP’s (not issuing qc’s to the public)?

        The supervisory system is regulated by the ES-Act in its Sections 6 and 13-17.
        Supervisory authority is the Telekom-Control-Kommission/ “TCK” (Sec. 110 Telecommunication
        Act/Telekommunikationsgesetz). The Telekom-Control-Kommission may make use of the RTR-
        GmbH (Sec. 108 Telecommunication Act) for the supervisory duties.
        Basically, certification-service-providers (CSP) do not need any approval before going into action.
        Thus, there are many duties that have to be fulfilled.
        The procedure is as follows:
        1. A CSP has to notify the start of its activities to TCK without delay (in electronic form). In this
        connection a security concept (Sicherheitskonzept) and a certification concept
        (Zertifizierungskonzept) for each of its signature- and certification service, including technical
        components and procedure, is to be notified to TCK. The notification has to include an electronic
        signature. (applicable for all CSP)
        2. The minimum capital of a CSP issuing qualified electronic signatures has to amount to Eur
        300.000.
        3. The notification has to include:
        - security- and certification concept,
        - description of specific safety risks with the CSP,
        - proof of the financial background and the necessary liability insurance,
        - proof of qualification of the technical employees.
        4. A security- and certification concept has to contain (minimum content if qualified certificates):
        - firm, seat and address of CSP
        - type, area of application of certificates
        - procedure for applying for a certificate
        - office hours
        - production and format of signature-creation-data (Signaturerstellungsdaten)
        - signature-check-data (Signaturprüfdaten)
        - creation and format of signature-creation-data of signatories
        - technical procedure, list of products, formats, details, safety measures
        - security of authorization codes
        - methods for the check of signatures
        - period and procedure for “Nachsignieren”.
        4. RTR-GmbH reviews the notice at first. If there are no formal objections, the notice is published on
        the website (www.signatur.rtr.at) with the remark “in checking status (wird derzeit geprüft)”.
        Afterwards TCK is able to demand the improvement or even prohibit to carry out the service,
        otherwise a certificate is issued and published.
        5. The TKC has to control the activities of the CSP on a spontaneous basis or after a complaint.
        6. TKC is able to prohibit the CSP to carry out its business if necessary.
        7. CSPs that are selling secure electronic signatures may voluntarily undertake to comply with the
        requirements laid down for qualified certificates. If they do so (voluntarily accrediation) they may call
        themselves “accrediated CSP”.


9. Transposition of Art. 3.4: provisions about the bodies and procedures to determine the
   conformity of secure signature-creation devices with the requirements for qualified electronic
   signatures. Are there more precise provisions or measures on this issue?

        The Commission Decision (6 November 2000) has been published by the Ordinance of the
        Federal Minister on the Suitability of Confirmation Offices 2002 (see 1). Further steps have not
        been taken.




                                                                                                               5
10. Transposition of Art. 3.2: brief description of the voluntary accreditation scheme(s) for
    certification-service provision: bodies, procedures, costs, standards, output, …

       Voluntary accrediation is regulated by Sec. 17 ES-Act (see 8).
       If a CSP does not fulfill the necessary requirements any longer, the accreditation of the CSP may
       be revoked.


11. Transposition of Art. 3.7: are there already specific requirements for the use of electronic
    signatures in the public sector?

       No specific requirements.


12. Some information about your national market of certification services: major players, well-
    known projects, etc. and a general idea of what will happen next in your country?

           1. Qualified certificates:
           - A-Trust Gesellschaft für Sicherheitssysteme im elektronischen Datenverkehr GmbH
           - Datakom Austria GmbH
           2. other certificates:
           - Arge Daten – Österreichische Gesellschaft für Datenschutz
           - Generali Office-Service und Consulting AG
           - Institut für Angewandte Informationsverarbeitung und Kommunikationstechnologie




       6
Belgium


 1. References to relevant laws, decrees, implementation measures, related e-government
    initiatives (with url’s to relevant webpages): where can we find the text of the laws and decrees
    and follow the developments in this area in your country?


         1. Act of 20 October 2000 introducing the use of telecommunication tools and the electronic
         signature in de judicial and extra-judicial procedure

         Wet tot invoering van het gebruik van telecommunicatiemiddelen en van de elektronische
         handtekening in de gerechtelijke en de buitengerechtelijke procedure- Loi introduisant l’utilisation
         de moyens de télécommunication et de la signature électronique dans la procédure judiciaire et
         extrajudiciaire

         The act is published in the Belgisch Staatsblad/Moniteur Belge, 22 december 2000. We will refer to
         this law as the Electronic Signature Act (ES act).

         2. Act of 9 July 2001 introducing a legal framework for electronic signatures and
         certification services

         Wet houdende vaststelling van bepaalde regels in verband met het juridisch kader voor
         elektronische handtekeningen en certificatiediensten – Loi fixant certaines règles relatives au cadre
         juridique pour les signatures électroniques et les services de certification

         The law was signed by the King on July 9 2001 and has been published in the Belgisch
         Staatsblad/Moniteur Belge of 29 September 2001. One implementing decree (on control and
         accreditation) is drafted and ready for publication. We will refer to the law as the Certification
         Service Providers Act (CSP Act).

         3. All relevant legal instruments can be found on the website of the Interdisciplinary Centre for Law
         and IT (www.icri.be). The website of the Ministry of economic affairs also provides updates on the
         status of implementation of the directive (http://www.mineco.fgov.be).

         4. The official in charge of the implementation of the directive is Philippe DEGAVRE – Ministry of
         Economic Affairs (North Gate III, Boulevard du Roi Albert II, 16, 1000 Bruxelles, tel: +32 2 206 47
         09 (FR) +32 2 206 46 78 (NL), fax: +32 2 206 57 41, @: be.sign@mineco.fgov.be)


 2. Transposition of art. 5.1 of the directive: briefly describe how the equivalence between qualified
    electronic signatures and handwritten signatures has been established.

         In general there are no formal requirements under Belgian contract law. Thus an agreement can be
         entered into by any means, including electronic means. There is however a lot (thousands) of
         special rules in the law requiring something to be in writing or signed.
         Art. 5.1 (a) of the directive is implemented by article 4, §4 of the CSP Act. Noteworthy is that the
         Belgian legislator explicitly mentioned that no distinction in legal value should be made between an
         electronic signature made by a physical person or by a legal person.
         Art. 5.1 (b) of the directive is implicitly implemented by the new article 1322 of the Civil Code (art. 2
         of the ES Act). This article states that every string of data which can be imputed to a person and



                                                                                                                7
        which guarantees the integrity of the contents of the signed document, is being considered as a
        valid signature. It means that also a 5.1 signature is a valid signature (i.e. an advanced electronic
        signature based on a qualified certificate created by a secure-signature-creation device).


3. Transposition of art. 5.2: how has this provision of the directive been transposed in your
   national law and what are the consequences? If 5.2 has not been transposed explicitly, what is
   the legal value of (not qualified) electronic signatures in your country?

        Art. 5.2 of the directive is implemented by art. 4, §5 of the CSP Act.
        Art. 5.2 of the directive is implicitly implemented by the new article 1322 of the Civil Code (art. 2 of
        the ES Act): every string of data is being considered as a valid signature for evidential purposes as
        long as it can be imputed to a person and it guarantees the integrity of the contents of the signed
        document,.



4. Transposition of Annex 1: enacted and draft provisions about the requirements for qualified
   certificates (the question here is whether your law, in comparison with Annex 1, has divergent
   or more precise provisions about this; are there any references to standards?)

        The wording of annex 1 of the Directive is more or less copied into the Belgian CSP Act. Thus the
        Belgian law neither has divergent nor more precise provisions.


5. Transposition of Annex 2: enacted and draft provisions about the requirements for CSP’s
   issuing qualified certificates (same question as 4: are there already more detailed
   requirements? references to standards?)

        All requirements laid down in annex 2 of the Directive have been incorporated into the Belgian CSP
        Act.
        The appropriate period of time to keep relevant information has been set to 30 years (annex 2, i of
        the CSP Act). This time period equals the longest period of limitation for judicial claims, i.e. 30 years
        for claims on property rights (art. 2262, Civil Code).


6.   Transposition of Annex 3: enacted and draft provisions about the requirements for secure
     signature-creation devices (same question as 4: are there already more detailed requirements?
     references to standards?)

        The wordings of annex 3 of the Directive are more or less copied into the Belgian CSP Act. Thus
        the Belgian law neither has divergent nor more precise provisions.

7.   Transposition of Annex 4: have the recommendations of Annex 4 been taken into account by
     your legislator or government (question is: did your country something with these
     recommendations?)

        Yes, the wordings of annex 4 of the Directive are more or less copied into the Belgian CSP Act.
        Following the ministry of Economic affairs, Belgium did not impose the recommendations as a
        requirement because this would keep CA's away from Belgium and it would even be against the
        directive in this sense. But if there would be a revision of the directive, Belgium would be prepared
        to change its legislation accordingly. This change could easily be done by royal decree.




        8
8. Transposition of Art. 3.3: describe briefly the “appropriate system that allows for supervision”
   of CSP’s established in your country and issuing qualified certificates to the public. Is there any
   kind of supervision for other CSP’s (not issuing qc’s to the public)?

        The supervisory system is being regulated by the CSP act and by a royal decree. The text of the
        decree is drafted and ready for publication.
        The procedure is as follows:
        1. Before it starts its activities a CSP willing to issue qualified certificates needs to notify the ministry
        of Economic affairs. The information to be provided by the CSP is its name, its geographical
        address and contact details, relevant professional data (e.g. VAT number), evidence of insurance
        for liability (article 4 §2 CSP Act).
        2. The ministry of Economic affairs sends a notification of receipt to the CSP (article 4 §2 CSP Act).
        3. The CSP starts issuing qualified certificates
        4. The ministry of Economic affairs always has the right to control the activities of the CSP on a
        spontaneous basis or after a complaint.
        5. In case of control the ministry of Economic affairs will study the relevant documents (i.c.
        Certificate Practice Statement and other policies) and if necessary, check the premises.
        6. In case the ministry of Economic affairs concludes that the CSP does not fulfill the legal
        requirements, it informs the CSP.
        7. If the CSP does not take relevant actions within a given delay in order to be conform with the law,
        the ministry of Economic affairs brings the case before court.
        The specific requirements on the basis of which the ministry will perform the audit still need to be
        developed by royal decree (article 20 CSP Act).
        No supervisory system is currently installed for CSP's issuing non-qualified certificates to the public.
        Article 20 § 1 of the CSP Act refers to a supervisory system for all certification service providers
        though.


9. Transposition of Art. 3.4: provisions about the bodies and procedures to determine the
   conformity of secure signature-creation devices with the requirements for qualified electronic
   signatures. Are there more precise provisions or measures on this issue?

        The administrative body will designate the institutions responsible for determining the conformity.
        The procedural rules have been drafted in a royal decree (art. 7 CSP Act). The rules will be in
        concordance with the Commission decision of 6 November 2000 on the minimum criteria. This
        decree does not have to go to Council of ministers.


10. Transposition of Art. 3.2: brief description of the voluntary accreditation scheme(s) for
    certification-service provision: bodies, procedures, costs, standards, output, …

        A system of accreditation for CSP's issuing qualified certificates to the public is being established by
        Royal decree.
        The text of the decree is still in its drafting phase (it is the same decree as for 3.2).
        Apart from the decree there will be drafted a checklist. This checklist will contain a methodology and
        a list of procedures of assessment drafted with the help of consultants (typically E&Y, PwC). The
        checklist will be need to be accepted by a technical committee. This technical committee will consist
        of representatives of the diverse administrations, industry and consumer groups.
        The CSP Act already defines the basic procedural rules: an administrative body under the auspices
        of the ministry of economic affairs will be responsible for the accreditation. The body will base its
        decision on the evaluation done by a specialized entity (typically academic research center). The
        evaluating entity will first have to be accredited by the traditional accreditation bodies BELTEST and
        BELCERT for performing this kind of evaluation. (art. 17 and 18 CSP Act).
        If a CSP does not fulfill the necessary requirements any longer, the accreditation of the CSP will be
        revoked (article 20).



                                                                                                                   9
11. Transposition of Art. 3.7: are there already specific requirements for the use of electronic
    signatures in the public sector?

       Yes, a new initiative called FED-PKI will set up a federal public key infrastructure. This infrastructure
       will enable the Belgian administration to communicate securely with each other and with the public
       using electronic signatures. Another initiative closely tied to FED-PKI is called BELPIC. The
       BELPIC (Belgian Personal Identity Card) project mainly covers the creation of a Belgian E-ID-card
       and a certification environment for issuing electronic ID-certificates.


12. Some information about your national market of certification services: major players, well-
    known projects, etc. and a general idea of what will happen next in your country?

       There exist three major certification services in Belgium: Globalsign (www.globalsign.net), Isabel
       (www.isabel.be) and Belgacom E-trust (www.e-trust.be). A new service is being established by the
       Belgian postal service and a few commercial partners (www.ecertio.com).




       10
Denmark


 1. References to relevant laws, decrees, implementation measures, related e-government
    initiatives (with url’s to relevant webpages): where can we find the text of the laws and decrees
    and follow the developments in this area in your country?

          The Danish Act on electronic signatures (L. nr. 417) of May 31, 2000 implemented the EU Dir.
          1999/93/EC of 13. December 1999 (hereafter called the “ACT”). The Act came into force October
          1, 2000.

             The Danish Executive Order (Bekg. Nr. 923) of May 10, 2000 on requirements to the security
          of the certification service providers. The order was executed with authority in the Act on
          electronic signatures (L. nr. 417) and came into force October 16, 2000.

             Relevant legal instruments can be found on the website of the Danish Parliament (www.ft.dk)
          or the website of the Government’s legal online information system (www.retsinfo.dk). Further,
          you can find reports and evaluations on electronic signatures made by the Ministry of Research
          on the Ministry’s website (www.fsk.dk).

          The official in charge of the implementation of the directive is Morten Kristansen, Ministry of
          Research, Technology and Development, Bredgade 43, 1260 Copenhagen, Denmark.


 2. Transposition of art. 5.1 of the directive: briefly describe how the equivalence between qualified
    electronic signatures and handwritten signatures has been established.

          Under Danish law there are no formal requirements as to the validity of a contract unless
          otherwise mandated under special laws. Thus, the general rule is that the validity of electronic
          signatures is the same as of a handwritten signature.

          Chapter 7 of the Act implements art. 5.1 (a) of the EC directive.

          Chapter 7 states that when any other Danish law requires an electronic signature affixed to an
          electronic document, the electronic signature shall be considered valid when fulfilling the
          requirements mandated in the Act. Thus, the Act mandates some formal requirements for an
          electronic signature’s validity, but at the same time it prevents further requirements in other laws.


 3. Transposition of art. 5.2: how has this provision of the directive been transposed in your
    national law and what are the consequences? If 5.2 has not been transposed explicitly, what is
    the legal value of (not qualified) electronic signatures in your country?

         The Act has not implemented Art. 5.2. However, it is very apparent from the Danish case law that
         the legal effectiveness and admissibility of an electronic signature is of equivalence with a
         handwritten signature.


 4. Transposition of Annex 1: enacted and draft provisions about the requirements for qualified
    certificates (the question here is whether your law, in comparison with Annex 1, has divergent
    or more precise provisions about this; are there any references to standards?)



                                                                                                            11
             Annex I of the directive has been incorporated into chapter 3 of the Act without any
             amendments.


5. Transposition of Annex 2: enacted and draft provisions about the requirements for CSP’s
   issuing qualified certificates (same question as 4: are there already more detailed
   requirements? references to standards?)

         Annex 2 of the directive has been incorporated into chapter 4 of the Act with a few additional
         requirements, which are the following requirements:

         o The certification service provider shall choose an external state authorised auditor to control the
         system revision in the certification service provider centre.
         o The certification service provider shall use secure procedures for the purpose of controlling the
         identity as well as other facts related to the signatory. These procedures shall be public.
         o When a certificate is issued, the certification service provider shall ensure that the signatory has
         the signature-creation data, which corresponds with the data in the certification.
         o When a certificate is issued and the certification service provider delivers the signature-creation
         data and the signature-verification data, the data must be connected in a unique way. The
         certification service provider must ensure absolute confidentiality under the creation process of the
         data.
         o The certificate service provider must inform the signatory of the costs of the use of the
         certification and use of the providers other services.
         o The certification service provider shall register and keep all relevant information about the
         certificates in a reasonable period of at least 6 years.

         Further, with authority in the Act, the Minister of Research has executed an order, The Danish
         Executive Order (Bekg. Nr. 923) of May 10, 2000, which came into force October 16, 2000
         (hereafter called the “Order”). The Order mandates further requirements as for security control with
         the certification service provider, identity control of the signatory before the certification is issued,
         obligation to provide information when entering into a contract and finally the requirement of
         ensuring a catalogue and revocation service.


6.   Transposition of Annex 3: enacted and draft provisions about the requirements for secure
     signature-creation devices (same question as 4: are there already more detailed requirements?
     references to standards?)

         Annex 2 of the directive has been incorporated directly into chapter 8 of the Act. Thus, there have
         not been made any amendments, however, the Act does mandate that a signature-creation system
         may only be used when it has been tested by state authorities established for such purpose.


7.   Transposition of Annex 4: have the recommendations of Annex 4 been taken into account by
     your legislator or government (question is: did your country something with these
     recommendations?)

        Annex 4 is not implemented into the Act or in other laws. However, it was taken into account under
        the process of the Act as it was suggested in the first draft as an annex to the Act.

8. Transposition of Art. 3.3: describe briefly the “appropriate system that allows for supervision”
   of CSP’s established in your country and issuing qualified certificates to the public. Is there any
   kind of supervision for other CSP’s (not issuing qc’s to the public)?

         The supervising system is regulated in Chapter 9 of the Act. The main rules are as follows



        12
       ! Before or at the latest of the time of issuing a certificate, the certificate service provider (CSP)
       shall notify the Danish Tele Authority (DTA). The information to be provided by the CSP is its name,
       its address, the auditor’s name, and the management’s identity etc.
       ! CSP shall submit a report to the DTA, which contains a describing of the CSP and their
       systems, a statement from the management on whether they believe their systems are secure and
       in accordance with the law and another statement from the auditor on whether he finds the systems
       are secure and in accordance with the law.
       ! The CSP is required to submit an annual report to the DTA.
       ! The DTA supervise the legality of the CPS actions.
       ! The DTA may also order the CSP to submit reports etc., mandate a special system revision
       and in some cases impose a fine in order to enforce an order.
       ! Finally the DTA may take away the right to issue a certification in cases where the CSP hasn’t
       followed an order executed by the DTA, or in such cases of criminal activity or bankruptcy. Such
       decision of the TDA may be appealed to a court.

9. Transposition of Art. 3.4: provisions about the bodies and procedures to determine the
   conformity of secure signature-creation devices with the requirements for qualified electronic
   signatures. Are there more precise provisions or measures on this issue?

       The Minister of Research has in order no. 923 of 5 October 2000 regulated the safety procedures
       concerning keycenters (i.e. certificationcenters). However, Denmark has not yet built an actual
       public key infrastructure so there is no Certification Authority at this time, but has set up a forum to
       come up with ideas of how to do so. Denmark is as such one of the most active countries in the EU
       in this respect, especially compared to the work under UNCITRAL that only seek to recognise the
       use of such systems.

       The fact new legislation is now also regulating the use of electronic signatures and Public Key
       Encryption systems shows that the existence of such systems is not far into the future in Denmark.
       For more information please contact Dansk Dataforening -or see www.difo.dk.


10. Transposition of Art. 3.2: brief description of the voluntary accreditation scheme(s) for
    certification-service provision: bodies, procedures, costs, standards, output, …

       There is no CA, cf. sec. 9, however the rules regulating the system is in place and incorporates the
       directive.


11. Transposition of Art. 3.7: are there already specific requirements for the use of electronic
    signatures in the public sector?

       So far the use of electronic signatures is a rarity, however the legislation above is in place, and
       there are now a few examples of the use of such technology, hereunder in the telecommunication
       legislation between the end-user and the supplier, and in the use of paperless formal registration.
       See the “Info-2000-report” made by the Ministry of Research for more future initiatives.


12. Some information about your national market of certification services: major players, well-
    known projects, etc. and a general idea of what will happen next in your country?

       There are several private initiatives using encryption where groups of Internet users validate each
       other’s identity - the so-called “webs of trust”. On a more formal basis there is, at least legal basis,
       for a public key encryption, c.f. sec. (9).




                                                                                                            13
Finally the following uses the Information Technology Security Evaluation Criteria (ITSEC)
according to the recommendation in 95/144/EF, EFT 1995 L :
Danish Standard (Dansk Standard) certifies all aspects of business
DANAK (Danish Accreditation) certifies both companies and persons for both systems and
products according to ministerial order no. 478 of 4 June 1997 The ISO 9000 standard (quality
certification of all sorts) has three under sections; ISO 9001, 9002 and 9003, and finally there are
numerous private and semi-public certifies certifying hardware products.




14
Finland


 1. References to relevant laws, decrees, implementation measures, related e-government
    initiatives (with url’s to relevant webpages): where can we find the text of the laws and decrees
    and follow the developments in this area in your country?

          1. Government bill (197/2001) on electronic signatures and certificates

          In Finnish: Hallituksen esitys laiksi sähköisistä allekirjoituksista

          The Directive 1999/93/EC on a Community framework for electronic signatures (the Directive) has
          not yet been ratified in Finland. The Government bill on electronic signatures and certificates (the
          Bill) is currently being discussed in committees in the Parliament. The estimated date of entry into
          force is 1 January 2003. This report is based on the Bill. In the following, when we refer to the
          Electronic Signature Act (ES Act), we refer to the Government’s proposal (the Bill), which has not
          yet been confirmed by our Parliament.

          2. All relevant legal instruments so far can be found in Finnish and in Swedish on the website of the
          Finnish Parliament (www.eduskunta.fi) and also on the website of the FINLEX Data Bank
          (www.finlex.fi).

          3. Useful sites for the observation of the development of electronic signatures are the websites of
          Ministry of Transportation and Communications (www.mintc.fi) and Finnish Communications
          Regulatory Authority (FICORA) (www.ficora.fi).
          4. The official in charge of the implementation of the directive is the Ministry of Transportation and
          Communications.


 2. Transposition of art. 5.1 of the directive: briefly describe how the equivalence between qualified
    electronic signatures and handwritten signatures has been established.

          The Finnish contract law is based on freedom of contract. Usually there are no formal requirements
          for transactions. Thus, an agreement can be entered into by any means, including electronic
          means. However, there are many special provisions in Finnish law concerning certain types of
          contracts, for example real estate transactions. These provisions require for example that an
          agreement of certain type should be in writing and signed.
          Art. 5.1 (a) of the Directive will be implemented in section 18 of the ES Act: If a signature is required
          in a transaction pursuant to law, an advanced electronic signature, which is created with a qualified
          certificate and a secure signature creation device, fulfils this requirement.
          Art. 5.1 (b) of the Directive will be implemented implicitly in section 18 of the ES Act: Advanced
          electronic signature created with a qualified certificate and a secure signature creation device fulfils
          the requirements laid down for a valid handwritten signature, and therefore is admissible as
          evidence in legal proceedings.


 3. Transposition of art. 5.2: how has this provision of the directive been transposed in your
    national law and what are the consequences? If 5.2 has not been transposed explicitly, what is
    the legal value of (not qualified) electronic signatures in your country?

          Art. 5.2 of the Directive will be implemented implicitly in section 18 of the ES Act: Not-qualified
          electronic signatures do not equal with handwritten signatures. However, not-qualified signatures



                                                                                                                15
        are accepted as evidence in legal proceedings because of the principle of free evaluation of
        evidence applied in Finnish courts. Therefore, the objective of the article in question shall be
        achieved in Finland without national provisions.


4. Transposition of Annex 1: enacted and draft provisions about the requirements for qualified
   certificates (the question here is whether your law, in comparison with Annex 1, has divergent
   or more precise provisions about this; are there any references to standards?)

        The Finnish legislator will formulate the definition of the qualified certificate in the section 7
        paragraph 1 of the ES Act: A qualified certificate complies with the requirements set in the section 7
        paragraph 2 of the ES Act and is granted by a certification-service-provider (CSP). The wordings of
        Annex 1 of the Directive will be more or less copied into the section 7 paragraph 2 of the ES Act. A
        CSP providing certificate services in Finland will have to fulfill the requirements set in the sections
        10 – 15 of the ES Act.


5. Transposition of Annex 2: enacted and draft provisions about the requirements for CSP’s
   issuing qualified certificates (same question as 4: are there already more detailed
   requirements? references to standards?)

        The wordings of Annex 2 of the Directive will be more or less copied into the sections 10 – 15 of the
        ES Act.
        There are no more detailed requirements or any references to standards yet.
        A CSP will be obliged to keep the information of a certificate for 10 years after the certificate
        expires.


6.   Transposition of Annex 3: enacted and draft provisions about the requirements for secure
     signature-creation devices (same question as 4: are there already more detailed requirements?
     references to standards?)

        The wordings of Annex 3 of the Directive will be more or less copied into the section 5 subsection 1
        paragraphs 1-5 of the ES Act. The section 5 subsection 2 of the ES Act will set the provisions for
        the situations when a secure signature creation device always fulfills with the requirements set on
        section 5 subsection 1 paragraphs 1-5 of the ES Act: Section 5 subsection 2 of the ES Act will
        explicitly refer to the generally acknowledged standards ratified by the European Commission and
        published in Official Journal of the European Communities.


7.   Transposition of Annex 4: have the recommendations of Annex 4 been taken into account by
     your legislator or government (question is: did your country something with these
     recommendations?)

        No, Finland has not yet done anything with the recommendations of Annex 4.


8. Transposition of Art. 3.3: describe briefly the “appropriate system that allows for supervision”
   of CSP’s established in your country and issuing qualified certificates to the public. Is there any
   kind of supervision for other CSP’s (not issuing qc’s to the public)?

        The supervisory system will be regulated by the ES Act. The Ministry of Transport and
        Communications will control the general administration and development. The Finnish




        16
       Communications Regulatory Authority (FICORA) will supervise compliance of the ES Act and give
       provisions and recommendations.

       The supervisory system will be as follows:

       1. Before a certification-service-provider (CSP) willing to issue qualified certificates start its activities
       in Finland, it needs to notify in writing to FICORA. The information to be provided in the notification
       includes the CSP’s name, its contact information and the information, which proves that the
       requirements set in sections 7 and 10-15 in the ES Act are met. When necessary, FICORA can
       issue technical regulations and recommendations on more detailed contents of the data submitted
       by the CSP’s.
       2. The CSP starts issuing qualified certificates.
       3. FICORA supervises that the CSPs comply with the requirements set in the ES Act. In case the
       CSP’s certificate or the CSP itself does not fulfill the requirements of the sections 7 and 10-15 of the
       ES Act, FICORA must immediately after it has received the notification forbid the CSP to offer its
       certificates as qualified certificates.
       4. The CSP must immediately notify in writing any changes of the information required in the
       starting notification as referred to as in point 8.1.
       5. FICORA maintains a public list of CSPs which provide qualified certificates to the public in
       Finland.
       6. A controller appointed by FICORA to control the compliance of the ES Act and other regulations
       set under the ES Act, may carry out an investigation. The controller has the right to check the
       CSP’s equipments and software. The CSP should give the controller free access to its premises.
       The controller may also ask the police for executive assistance.
       7. If the CSP fails to comply with the ES Act or any regulation set under the ES Act, FICORA may
       oblige it to correct its error or delinquency. To enforce this, FICORA may set a conditional
       imposition of a fine.
       8. A decision of FICORA made under the ES Act shall be appealed to the administrative court.
       No supervisory system is currently installed for CSP's issuing non-qualified certificates to the public.


9. Transposition of Art. 3.4: provisions about the bodies and procedures to determine the
   conformity of secure signature-creation devices with the requirements for qualified electronic
   signatures. Are there more precise provisions or measures on this issue?

       According to section 6 subsection 1 of the ES Act, FICORA will be able to appoint control offices
       responsible for determine whether a signature-creation device fulfills the requirements set in the
       section 5 subsection 1 of the ES Act.
       The requirements for the appointment of a control office will be set in section 6 subsection 2 of the
       ES Act.
       According to section 6 subsection 3 of the ES Act, FICORA appoints the control offices on account
       of an application. The application shall include the applicant’s contact information, extract of the
       Trade Register or other equivalent account and also an account which proves that the applicant
       fulfills the requirements set in section 6 subsection 2 of the ES Act. FICORA may give further
       instructions about the application and delivering it to FICORA. FICORA has not yet given any
       instructions.
       According to section 6 subsection 4 of the ES Act, FICORA will supervise the activities of the
       control offices.
       Section 6 of the ES Act is in accordance with the decision of the European Commission of 6
       November 2000 on the minimum criteria for control offices.


10. Transposition of Art. 3.2: brief description of the voluntary accreditation scheme(s) for
    certification-service provision: bodies, procedures, costs, standards, output, …

       Finland does not have any voluntary accredition schemes for certificate service provision.


                                                                                                                17
11. Transposition of Art. 3.7: are there already specific requirements for the use of electronic
    signatures in the public sector?

       No, but there is a Government bill (17/2002) on dealing electronically with the public authorities. The
       Act on dealing electronically with the public authorities will be a general law and it will not have any
       specific provisions about the use of electronic signatures. It will only refer to the ES Act, which is
       meant to be a special law on electronic signatures.


12. Some information about your national market of certification services: major players, well-
    known projects, etc. and a general idea of what will happen next in your country?

       There are several firms offering certification services in Finland, for example Certall Finland Oy
       (www.certall.fi), Novotrust Oy (www.novogroup.com), Sonera Smart Trust (www.smarttrust.com),
       F-Secure Oyj (www.f-secure.com) and SSH Communications Security Oy (www.ssh.com).
       The Population Register Centre (http://www.vaestorekisterikeskus.fi/) also provides certification
       services. An electronic identification card is a secure network key for all on-line services, which
       require identification of a person, as many government and many private sector services require.
       The card enables a service provider to reliably identify the user. In the future, identification can be
       done from a mobile device such as a cellular phone equipped with a special chip.




       18
France


 1. References to relevant laws, decrees, implementation measures, related e-government
    initiatives (with url’s to relevant webpages): where can we find the text of the laws and decrees
    and follow the developments in this area in your country?
                                th
         1. Act dated March 13 , 2000 introducing a legal framework for electronic signature
         Loi n°2000-230 du 13 mars 2000 portant adaptation du droit de la preuve aux technologies de
         l’information relative à la signature électronique
         We will refer to this law as the Electronic Signature Act (ES act).
                                          th
         2. Decree dated March 20 ,2001 relative to the electronic signature
         Décret n°2001-272 du 20 mars 2001 pris en application de l’article 1316-4 du code civil et relatif à
         la signature électronique.
                                     th
         3. Decree dated April 18 , 2002 relative to certification devices and providers
         Décret n°2002-535 du 18 avril 2002 complétant le décret de signature électronique en fixant les
         règles de certification des procédés de signature.
         This decree details the accreditation scheme of the certification service providers and has been
                                             st
         completed by an "arrêté" of May 31 , 2002.

         4. All relevant legal instruments can be found on a specific website of the French Government
         (www.internet.gouv.fr) or on the texts library (www.legifrance.gouv.fr). Furthermore, many French
         websites provide specific information relating to the electronic signature, notably www.premier-
         ministre.gouv.fr or www.minefi.gouv.fr.

         5. The information relative to the directives implementations are available through the Parliament’s
         websites : www.assemblee-nationale.fr and www.senat.fr.



 2. Transposition of art. 5.1 of the directive: briefly describe how the equivalence between qualified
    electronic signatures and handwritten signatures has been established.

         In general there are no formal requirements under French contract law. Thus an agreement can be
         entered into by any means, including electronic means. There is however certain special rules in
         the law requiring something to be in writing or signed.
         Art. 5.1 (a) of the directive is implemented by the new article 1316 of Civil code (article 1 of ES act).
         The law explicitly mentions that no distinction in legal value should be made between an electronic
         signature made by a physical person or by a legal person.
         Art. 5.1 (b) of the directive is implemented by new articles 1316-1 and 1316-3 of the Civil Code (art.
         1 and 3 of the ES Act). This article states that every string of data which can be imputed to a person
         and which guarantees the integrity of the contents of the signed document, is being considered as a
         valid signature.


 3. Transposition of art. 5.2: how has this provision of the directive been transposed in your
    national law and what are the consequences? If 5.2 has not been transposed explicitly, what is
    the legal value of (not qualified) electronic signatures in your country?




                                                                                                               19
        Art. 5.2 of the directive is implemented by the new article 1316-1 of the Civil Code (art. 1 of the ES
        Act): every string of data is being considered as a valid signature for evidential purposes as long as
        it can be imputed to a person and it guarantees the integrity of the contents of the signed document.


4. Transposition of Annex 1: enacted and draft provisions about the requirements for qualified
   certificates (the question here is whether your law, in comparison with Annex 1, has divergent
   or more precise provisions about this; are there any references to standards?)

        The wording of annex 1 of the Directive is more or less copied into the French 2001 Decree. Thus
        the French legislation neither has divergent nor more precise provisions.


5. Transposition of Annex 2: enacted and draft provisions about the requirements for CSP’s
   issuing qualified certificates (same question as 4: are there already more detailed
   requirements? references to standards?)

        All requirements laid down in Annex 2 of the Directive have been incorporated into the French
        legislation.
        The appropriate period of time to keep relevant information has been set to 30 years. This time
        period equals the longest period of limitation for judicial claims, i.e. 30 years for claims on property
        rights (art. 2262 Civil Code).


6.   Transposition of Annex 3: enacted and draft provisions about the requirements for secure
     signature-creation devices (same question as 4: are there already more detailed requirements?
     references to standards?)

        The wording of annex 3 of the Directive are more or less copied into the French legislation. Thus
        the French law neither has divergent nor more precise provisions.

7.   Transposition of Annex 4: have the recommendations of Annex 4 been taken into account by
     your legislator or government (question is: did your country something with these
     recommendations?)

        No


8. Transposition of Art. 3.3: describe briefly the “appropriate system that allows for supervision”
   of CSP’s established in your country and issuing qualified certificates to the public. Is there any
   kind of supervision for other CSP’s (not issuing qc’s to the public)?

        The 2002 Decree states that the DCSSI (Direction Centrale de la Sécurité des Systèmes
        d’Information) is the only entity to control the CSP.
        The procedure is as follows:
        1. Before it starts its activities a CSP willing to issue qualified certificates needs to notify the DCSSI.
        The information to be provided by the CSP is its name, its geographical address and contact
        details, relevant professional data (e.g. VAT number), evidence of insurance for liability.
        2. The CSP starts issuing qualified certificates
        3. The DCSSI always has the right to control the activities of the CSP on a spontaneous basis or
        after a complaint.

        All information relative to the certification are available on the Information Systems Security website
        (www.ssi.gouv.fr).




        20
9. Transposition of Art. 3.4: provisions about the bodies and procedures to determine the
   conformity of secure signature-creation devices with the requirements for qualified electronic
   signatures. Are there more precise provisions or measures on this issue?

       The DCSSI is the only entity to control the conformity of secure signature creation devices.
       The evaluation and certification guides are available on the DCSSI website
       (http://www.ssi.gouv.fr/fr/documentation/index.html).


10. Transposition of Art. 3.2: brief description of the voluntary accreditation scheme(s) for
    certification-service provision: bodies, procedures, costs, standards, output, …

       All information relative to the voluntary accreditation are available on the website
       www.internet.gouv.fr.
       However, the “Comité Français d’Accréditation” will accredit different entites which may accredit
       other entities. This procedure is not an obligation.


11. Transposition of Art. 3.7: are there already specific requirements for the use of electronic
    signatures in the public sector?

       Yes, several public entities have specific infrastructure to communicate securely with each other
       and with the public using electronic signatures (for example, defense or tax entities).
       Many appliances of the digital signature within the public sector have appeared recently : people
       may pay theirs taxes with a digital signature or exchange information with social entities with the
       same way, enterprises may reply to public bids electronically with digital signature…
       For example, please check www.impots.gouv.fr.


12. Some information about your national market of certification services: major players, well-
    known projects, etc. and a general idea of what will happen next in your country?

       There exist many major certification services in France :
       ♦ Certinomis (La Poste and Sagen) : www.certinomis.com
       ♦ Certplus (Verisign distributor) : www.certplus.com
       ♦ ICS : www.ics-sign.com
       ♦ E signature (Canadian company in France): www.e-signature.com

       Furthermore, almost every telecom provider (France Telecom, Cegetel, Equant, etc…) provides
       certification services. PricewaterhouseCoopers provides also certification services
       (www.betrusted.com).

       The French government provides also many information about digital signature and certification
       services (www.internet.gouv.fr).




                                                                                                       21
Germany


 1. References to relevant laws, decrees, implementation measures, related e-government
    initiatives (with url’s to relevant webpages): where can we find the text of the laws and decrees
    and follow the developments in this area in your country?

         Law Governing Framework Conditions for Electronic Signatures and Amending Other
         Regulations (inofficial version for industry consultation, for official German text please refer to the
         Official Journal - Bundesgesetzblatt - BGBl - Teil I, Nr. 22 of 21.Mai 2001).
         further information: Guideline to the Information and Communication Services Acts, a website
         of the German Government
         Law adjusting legal form in german law to the efforts of electronic communication and
         commerce (German version)
         Law implementing the electronic form in the public sector (German draft version) the law has
         not been published yet, final version



 2. Transposition of art. 5.1 of the directive: briefly describe how the equivalence between qualified
    electronic signatures and handwritten signatures has been established.

         Art. 5.1 (a) of the directive is implemented by §§ 126, 126a, 127 BGB (German civil code). In most
         cases of electronic communications a special form is not required by law. There are a lot of German
         laws requiring the paper-based form and a handwritten signature. Pursuant to the new § 126 III
         BGB advanced electronic signatures which are based on a qualified certificate and which are
         created by a secure-signature-creation device meet the legal requirements of a signature.
         According to German signature law qualified certificates can only be given to a natural, not to a
         legal person. Only natural persons can sign with advanced electronic signatures.
         Pursuant to Art. 5.1 (b), there are no formal requirements in legal proceedings. To enforce
         electronic signatures under German law, one has to obey the new § 292 a ZPO (German civil
         procedure code). § 292 a ZPO constitutes a prima facie evidence for advanced electronic
         signatures which are based on a qualified certificate and which are created by a secure-signature-
         creation device.


 3. Transposition of art. 5.2: how has this provision of the directive been transposed in your
    national law and what are the consequences? If 5.2 has not been transposed explicitly, what is
    the legal value of (not qualified) electronic signatures in your country?

         5.2 has not been transposed explicitly
         the evidentiary value of (not qualified) electronic signatures is like telefax, e-mail or phone call
         admission as evidence in legal proceedings is ensured, the only question is the value of this
         evidence according to the level of security the signature provides


 4. Transposition of Annex 1: enacted and draft provisions about the requirements for qualified
    certificates (the question here is whether your law, in comparison with Annex 1, has divergent
    or more precise provisions about this; are there any references to standards?)




         22
        Annex 1 is implemented by § 7 SigG, there are no divergent or more precise provisions and no
        references to standards under German law

5. Transposition of Annex 2: enacted and draft provisions about the requirements for CSP’s
   issuing qualified certificates (same question as 4: are there already more detailed
   requirements? references to standards?)

        All requirements laid down in annex 2 of the Directive have been incorporated into the German law
        (SigG)


6. Transposition of Annex 3: enacted and draft provisions about the requirements for secure
   signature-creation devices (same question as 4: are there already more detailed requirements?
   references to standards?)

        All requirements laid down in annex 2 of the Directive have been incorporated into the German law
        (SigG)


7.   Transposition of Annex 4: have the recommendations of Annex 4 been taken into account by
     your legislator or government (question is: did your country something with these
     recommendations?)

        All requirements laid down in annex 2 of the Directive have been incorporated into the German law
        (SigG)


8. Transposition of Art. 3.3: describe briefly the “appropriate system that allows for supervision”
   of CSP’s established in your country and issuing qualified certificates to the public. Is there any
   kind of supervision for other CSP’s (not issuing qc’s to the public)?

        In Germany we have a dual system. The supervision is provided by an authority, the
        Regulierungsbehörde für Post und Telekommunikation.
        Before a CSP starts its activities he has to notify this. The information to be provided by the CSP is
        its name, its geographical address and contact details, legal agents, relevant professional data (e.g.
        commercial register copy), evidence of the expert knowledge, experience and qualifications of the
        employees, safety concept and evidence of its implementation as well as evidence of insurance for
        liability (article 4 §2 CSP Act).
        There is no specific supervision for other CSP’s (not issuing qc’s to the public).



9. Transposition of Art. 3.4: provisions about the bodies and procedures to determine the
   conformity of secure signature-creation devices with the requirements for qualified electronic
   signatures. Are there more precise provisions or measures on this issue?

        The conformity of secure signature-creation-devices with the requirements is determined by
        appropriate private bodies. The private bodies are listed at: Regulierungsbehörde für Post und
        Telekommunikation


10. Transposition of Art. 3.2: brief description of the voluntary accreditation scheme(s) for
    certification-service provision: bodies, procedures, costs, standards, output, …




                                                                                                           23
       The voluntary accreditation substitutes the prior authorisation required by the old German signature
       law (1997). The Regulierungsbehörde für Post und Telekommunikation is responsible for the
       voluntary accreditation. They involve private bodies in the procedure and testing. The costs are very
       high for the CSP. For the voluntary accreditation further requirements must be fulfilled by the
       applicant, e.g. certain documentation must be stored for thirty years.



11. Transposition of Art. 3.7: are there already specific requirements for the use of electronic
    signatures in the public sector?

       In some cases in the public sector only advanced electronic signatures which are based on a
       qualified certificate of a CSP with voluntary accreditation and which are created by a secure-
       signature-creation device are accepted. The voluntary accreditation of the CSP is not necessary for
       foreigners living in another EU-member-state.



12. Some information about your national market of certification services: major players, well-
    known projects, etc. and a general idea of what will happen next in your country?

       In Germany all CSP providing advanced electronic signatures which are based on a qualified
       certificate and which are created by a secure-signature-creation device have the voluntary
       accreditation.
       The list is available on the internet.
       The major players are:
       Produktzentrum TeleSec der Deutschen Telekom AG
       DATEV eG, concentrating on electronic signatures for legal and tax consultants and for the public
       sector
       Medizon AG - specialized on the medical sector
       AuthentiDate International AG has voluntary accreditation only for timestamping service
       TC TrustCenter AG
       D-Trust GmbH
       Deutsche Post Signtrust GmbH has already given up providing advanced electronic signatures.
       Generally all CSP spent lot of money and are waiting for the ROI. The situation is difficult for the
       CSP, because there is no killer application on the market. One possible application is e-invoicing.
       PwC Germany is drafting a process of implementing e-invoicing for German companies.
       German lawyers associations and German tax consultants associations are establishing their own
       CSP in cooperation with DATEV.




       24
Greece


 1. References to relevant laws, decrees, implementation measures, related e-government
    initiatives (with url’s to relevant webpages): where can we find the text of the laws and decrees
    and follow the developments in this area in your country?

         1. Presidential Decree 150/2001 (hereinunder the Decree)

         “Implementation of Directive 99/93/EC of the European Parliament and Council on a community
         framework for electronic signatures” (Greek Official Gazette, ΦΕΚ 125/A of 25 June 2001).


         2. Regulation of the National Telecommunications and Post Commission (EETT)
         (hereinunder the Regulation)

         “on the provision of certification services for electronic signatures” (Greek Official Gazette, ΦΕΚ
         603/B of 16 May 2002).

         This regulation was issued in the framework of the powers to EETT awarded on the basis of art. 4
         par. 8 of the Presidential Decree for the supervision and control of certification service providers
         established in Greece and of the designated bodies that will perform the conformity assessment of
         electronic signature creation devices.

         3. The Presidential Decree can be found in Greek on the web site of the e-business forum (being a
         consultative forum driven by various stakeholders of the private sector - academia, business
         consultants, industry, SMEs - set up under the auspices of the Ministry of Development of Greece):
         www.ebusinessforum.gr/plaisio.

         Both texts can also be found               in   Greek    language     on    the   web    site   of   EETT
         (www.eett.gr/gr_pages/index2.htm)




 2. Transposition of art. 5.1 of the directive: briefly describe how the equivalence between qualified
    electronic signatures and handwritten signatures has been established.

         The Greek law does not require that private law conventions should adopt a specific form (e.g.,
         bearing an electronic signature) in order to be legally valid. However, various provisions of the
         Greek legislation mandate the use of a handwritten signature for passing certain acts (e.g.,
         agreements on real estate, warranties etc.).

         Art. 5.1 (a) and (b) of the directive is implemented by article 3 par. 1 of the Decree stipulating that
         the advanced electronic signature which is based on a qualified certificate and which is created by a
         secure-signature-creation device is equivalent to a handwritten signature both in substantial law
         and procedure.

         Since the entry into force of the Decree, no other provision has been modified in the Greek Civil
         Code or other area of law confirming that a handwritten signature could from now on be replaced
         by a signature of art. 3 par. 1 for the fulfillment of legal acts for which the law stipulates the use of a
         handwritten signature.



                                                                                                                 25
3. Transposition of art. 5.2: how has this provision of the directive been transposed in your
   national law and what are the consequences? If 5.2 has not been transposed explicitly, what is
   the legal value of (not qualified) electronic signatures in your country?

        Art. 5.2 of the directive is explicitly transposed by art. 3 par. 2 of the Decree. This provision
        stipulates that the electronic signature which does not satisfy the conditions of the first paragraph
        (thus, which is not advanced or which is not based on a qualified certificate and/or which is not
        created by an electronic signature creation device) cannot be denied legal effectiveness and
        admissibility.


4. Transposition of Annex 1: enacted and draft provisions about the requirements for qualified
   certificates (the question here is whether your law, in comparison with Annex 1, has divergent
   or more precise provisions about this; are there any references to standards?)

        Annex 1 of the Directive is literally copied in a respective Annex 1 of the Decree laying down the
        Requirements for qualified certificates. There is no reference to any standards in this Annex.


5. Transposition of Annex 2: enacted and draft provisions about the requirements for CSP’s
   issuing qualified certificates (same question as 4: are there already more detailed
   requirements? references to standards?)

        Annex 2 of the Directive is literally copied in a respective Annex 2 of the Decree laying down the
        Requirements for Certification-Service-Providers issuing qualified certificates. There is no reference
        to any standards in this Annex.

        Under letter (i) of the Annex, it is provided that CSP shall preserve the information related to
        qualified certificates for a period of thirty (30) years, especially for evidential purposes in legal
        proceedings.


6.   Transposition of Annex 3: enacted and draft provisions about the requirements for secure
     signature-creation devices (same question as 4: are there already more detailed requirements?
     references to standards?)

         Annex 3 of the Directive is literally copied in a respective Annex 3 of the Decree laying down the
         conditions that should be met by secure signature-creation device. There is no reference to any
         standards in this Annex.


7.   Transposition of Annex 4: have the recommendations of Annex 4 been taken into account by
     your legislator or government (question is: did your country something with these
     recommendations?)

        The Greek legislator transposed Annex 4 of the Directive in form of recommendations.

        In a questionnaire to which EETT has invited external market players to respond a few months ago,
        EETT asked, inter alia, whether compliance with Annex 4 was considered necessary for the
        implementation of the electronic signatures Greek law. In the same question, EETT asked the
        market players to express their views about how best the implementation of the Annex should be
        achieved in practice.




        26
        In the answers provided, other parties found that compliance with the recommendations of Annex 4
        will be observed, while others expressed the view that maintenance of Annex 4 cannot be of any
        added value since the requirements thereof are fulfilled through the technical tools used.

        No formal decision has however been taken so far neither from EETT nor from any other Greek
        authority on how Annex IV should be implemented in practice.


8. Transposition of Art. 3.3: describe briefly the “appropriate system that allows for supervision”
   of CSP’s established in your country and issuing qualified certificates to the public. Is there any
   kind of supervision for other CSP’s (not issuing qc’s to the public)?

        Art. 4 par. 8 of the Decree provides that EETT is the responsible authority for the supervision and
        control of Certificate Service Providers being established in Greece, regardless of whether they
        issue qualified certificates or not.

        The Regulation lays down the provisions implementing this supervision, the main lines of which are
        the following:

        Obligation of all CSPs established in Greece to notify EETT at the commencement of their activities
        of the following information: relevant co-ordinates (name, address, web-site etc.), company’s legal
        form and authorized representatives, VAT number, description of provided services.

            CSPs issuing qualified certificates should in addition submit:

        a) Statement of the CSP that he complies with Annexes 1 and 2 of the Decree;
        b) Certificate Practice Statement;
        c) Document(s) demonstrating adequate financial and insurance coverage in case of cessation
        of activities, liability;
        d) Certificates issued by the responsible public and/or judicial authorities confirming that the CSP in
        question has not gone bankrupt and has not been subject to composition bankruptcy, insolvency,
        receivership, winding-up or liquidation. The CSP should renew such certificates every three (3)
        months.

        - The EETT holds a registry in electronic or paper form, of the above-mentioned data of all the
        CSPs established in Greece. The registry should specifically mention the CSP who, according to
        his declaration, issues qualified certificates.

        - All CSPs shall notify EETT of any subsequent amendments to the information held on the registry
        within 7 days.

        - All CSPs shall inform EETT of the cessation of their activities.

        - All CSPs shall submit to EETT annual reports describing their activities. In these reports, special
        emphasis shall be put on questions and complaints addressed to CSPs from counter-parties or
        third parties.

        - In the case of CSPs issuing qualified certificates, the annual reports shall at least comprise:

        Description of the premises and of all the necessary technical and organizational equipment thereof
        used by CSPs;
        List of the signature creation products used for the generation of advanced electronic signatures;
        The precautionary security measures that CSPs are able to take in order to ensure uninterrupted
        operation of services, particularly in case of force majeure;
        The measures the CSPs warrant to take in order to preserve archives and data;



                                                                                                            27
       Description of the procedures that the CSP follows in order to ensure the capabilities and
       trustworthiness of the employed staff;
       Copy of the standard Certification Services Agreement used by the CSP and of all accompanying
       documentation thereof. The CSP has the obligation to amend this agreement according to EETT’s
       observations, if the latter finds out that any of the clauses of the agreement are abusive or contrary
       to Greek law;
       Any documents providing information about the Certificate Practice Policy and Certificate Practice
       Statement of the CSP;

       - CSPs issuing qualified certificates shall notify EETT of any amendments of its certification
       practices and policy related to elements of Annexes 1 and 2 of the Decree and of the standard
       Certification Services Agreement.

       - CSPs issuing qualified certificates shall inform EETT of any assignment of part of their services to
       a third party, with obligation to indicate the kind of the assigned service, as well as the duration of
       the assignment.

       - The EETT may at all times, on its own initiative or following a complaint, examine the compliance
       of CSPs with the provisions of the Decree and the Regulation. To this end, EETT itself or other
       bodies designated by it may proceed to audit controls at the location in which CSP is formally
       established or from which it operates its business. The CSP being subject to control shall co-
       operate with the EETT and provide all necessary assistance to the effective execution of such
       controls.


9. Transposition of Art. 3.4: provisions about the bodies and procedures to determine the
   conformity of secure signature-creation devices with the requirements for qualified electronic
   signatures. Are there more precise provisions or measures on this issue?

       The decree provides in art. 4 §2 that the conformity of secure signature creation devices with the
       requirements of Annex 3 shall be determined by EETT or by other public or private bodies that
       EETT shall designate for this purpose. To establish their decisions, EETT or the bodies that will
       undertake such controls are obliged to follow the minimum criteria as laid in the Commission
       Decision of 6 November 2000.

       The implementation of this provision was the subject of another question that EETT addressed to
       the market players through the public consultation procedure. Accordingly, EETT asked which
       public or private authorities/bodies would the market players consider as capable of undertaking
       this role in Greece and which should be the standards to follow.

       Different solutions were put forward in the answers. However, EETT has not yet taken any formal
       position (by means of a Regulation or decision) on how art. 4 §2 should be implemented.

       EETT has recently issued an open call for tenders for the elaboration of a study that will examine,
       inter alia, which procedure should be put in place for the designation of the bodies that will uptake
       the conformity assessment of signature creation products.

       We conclude from the above, that EETT does not seem ready to take any decision in the short
       term regarding the implementation of art. 3.4 prior to the elaboration of this study.




10. Transposition of Art. 3.2: brief description of the voluntary accreditation scheme(s) for
    certification-service provision: bodies, procedures, costs, standards, output, …



       28
       No concrete steps have yet been taken in Greece with respect to the implementation of art. 3.2 of
       the directive (accordingly, art. 4.5 of the Decree).

       However, EETT has recently issued a public tender for the undertaking of a study on the
       organization, design and application of voluntary accreditation of CSPs and other issues concerning
       the electronic signature certification service provision.

       The study will aim to provide expert guidance on the selection of the most appropriate voluntary
       accreditation and supervision-control scheme for CSPs established in Greece. The expert team
       that will be appointed to carry out the research will also be responsible for recommending the
       criteria, prerequisites, standards, etc. for the implementation and operation of such voluntary
       accreditation scheme.

       We conclude from the above, that EETT does not seem ready to take any decision with regard to
       the implementation of art. 3.2 of the directive in the short term, at least not before the study is
       elaborated.


11. Transposition of Art. 3.7: are there already specific requirements for the use of electronic
    signatures in the public sector?

       The Greek legislator had already provided in 1998 in the Act “regulating the exchange of
       documents by electronic means (telefax / e-mail) between the public administration services or
       between public administration services and citizens” [Law n°. 2672/1998) that only digital signatures
       should be used in such exchanges.

       The same Act reserved the possibility to the Greek legislator to extend the use of electronic
       documents in several areas or activities of the public administration that would be defined later by
       presidential decrees. However, no secondary legislation has yet been introduced for this purpose
       since 1998.

       In the framework of e-government, only a few initiatives have been evolving in Greece for the time
       being. In social security, the Greek Social Security Institution (IKA) adopted an electronic system
       that enables employers to submit to IKA the data regarding their employees by electronic means.
       Nevertheless, the standard form that employers should fill in for this purpose does not bear any
       (electronic) signature. In addition, Greek credit institutions allow their clients to pay their
       contributions to the Greek Social Security Institution by electronic means. The security of such
       operations and the users’ authentication are ensured in such electronic transmissions through the
       use of encryption, PIN codes and passwords.

       Another e-government project concerns the submission of tax declarations (income tax and VAT
       declarations) of physical and legal persons to the Greek tax authorities (TAXIS.net project). As in
       the field of social security and related e-banking services, the citizens’ authentication is managed
       through the use of PIN codes and personal identification numbers allocated by the tax services.

       Information about these pilot initiatives can be found at: www.e-gov.gr (web site can also be
       displayed in English).


12. Some information about your national market of certification services: major players, well-
    known projects, etc. and a general idea of what will happen next in your country?

       The dominant player in the provision of certification services in Greece seems to be VeriSign
       operating on the Greek market through its Greek affiliate, the company Adacom.



                                                                                                         29
On the other hand, no progress has yet been reported concerning the implementation of a scheme
for the setting-up of a Certification Authority in Greece (the so-called HELLAS TRUST. It is foreseen
that this scheme will be developed jointly by the National Bank of Greece, Alpha Bank the Athens
Chamber of Commerce and Industry (EBEA) and the major Greek Telecommunications Operator
(OTE) [more information on the web site of EBEA, www.acci.gr].




30
Ireland


 1. References to relevant laws, decrees, implementation measures, related e-government
    initiatives (with url’s to relevant webpages): where can we find the text of the laws and decrees
    and follow the developments in this area in your country?

          Directive 1999/93/EC on a Community framework for electronic signatures has been transposed
          into Irish law through the Electronic Commerce Act, 2000 (hereinafter referred to as the “e
          Commerce Act”). This act deals with, inter alia, the legal recognition of electronic signatures and the
          accreditation and supervision of Certification Service Providers. The e Commerce Act came into
                           th
          force on the 19 of September 2000.
          All relevant Irish legislation can be found on the website for the Irish Houses of Parliament (the
          Oireachtas) at www.gov.ie/oireachtas/frame.htm
          The Irish Government Department of Communications, Marine and National Resources is primarily
          responsible for the development of e Commerce in Ireland and developments in this area are
          normally posted on their website at www.marine.gov.ie.



 2. Transposition of art. 5.1 of the directive: briefly describe how the equivalence between qualified
    electronic signatures and handwritten signatures has been established.

          Article 5.1 of the Directive has been implemented in Ireland through Sections 13 and 22 of the e
          Commerce Act.
          Section 13 provides that if, by law or otherwise, a signature is required from or permitted by, a
          person or public body, then an electronic signature may be used. An electronic signature for the
          purposes of Section 13 includes an advanced electronic signature based on a qualified certificate. It
          is important to note that an electronic signature will only be valid under Section 13 if it is used with
          the consent of the recipient party, as the e Commerce Act is not intended to force people to transact
          electronically (Section 13(2) and Section 24).

          Section 22(b) of the e Commerce Act provides that an electronic signature shall not be denied
          admissibility into evidence in any legal proceedings on the sole ground that it is in electronic form.
          In addition, the e Commerce Act explicitly states that where a signature requires to be witnessed
          (Section 14), or where a document needs to be executed under seal (Section 16), the signature
          must be an electronic signature, which meets the requirements of Annex 1 of the Directive (i.e. an
          advanced electronic signature based on a qualified certificate).

          The e Commerce Act also provides that the above Sections will not apply to any law in relation to
          the transfer of land or to the execution of documents such as wills, trusts, enduring powers of
          attorney, affidavits and sworn statutory declarations, which must continue to utilise the traditional
          handwritten form (Section 10).


 3. Transposition of art. 5.2: how has this provision of the directive been transposed in your
    national law and what are the consequences? If 5.2 has not been transposed explicitly, what is
    the legal value of (not qualified) electronic signatures in your country?

          Article 5.2 of the Directive has been implemented in Ireland through Sections 13 and 22 of the
          Ecommerce Act.



                                                                                                               31
        Section 13 provides that if, by law or otherwise, a signature is required from or permitted by, a
        person or public body, then an electronic signature may be used. As stated above in the answer to
        question 2, an electronic signature will only be valid under Section 13 if it is used with the consent of
        the recipient party (Section 13(2)).

        Section 22(b) of the Ecommerce Act provides that an electronic signature shall not be denied
        admissibility into evidence in any legal proceedings on the sole ground that it is in electronic form.
        As outlined in the answer to question 2, Section 10 of the Ecommerce Act insists on the continued
        use of traditional handwritten signatures in certain areas of the law.



4. Transposition of Annex 1: enacted and draft provisions about the requirements for qualified
   certificates (the question here is whether your law, in comparison with Annex 1, has divergent
   or more precise provisions about this; are there any references to standards?)

        Annex I of the Directive is reproduced in the Schedule to the e Commerce Act. Section 30(2) of the
        e Commerce Act provides that every Certification Service Provider issuing a qualified certificate
        must take reasonable steps to ensure that the certificate contains all the details required by Annex
        1 of the Directive. Therefore, Irish law does not contain any divergent or more precise provisions in
        relation to the content requirements for qualified certificates.


5. Transposition of Annex 2: enacted and draft provisions about the requirements for CSP’s
   issuing qualified certificates (same question as 4: are there already more detailed
   requirements? references to standards?)

        Annex II of the Directive is also reproduced in the Schedule to the e Commerce Act. Section 29 of
        the e Commerce Act provides that the Minister for Communication, Marine and Natural Resources
        may, through Statutory Instrument, establish a scheme of voluntary accreditation of Certification
        Service Providers. Section 29(2)(c) provides that this Statutory Instrument may prescribe the
        manner in which any newly created accreditation authority would elaborate on or supervise
        compliance with the rights and obligations under the Directive and, in particular, Annex II of the
        Directive.

        To date no corresponding Statutory Instrument has been implemented into Irish law. Therefore it is
        not possible at this stage to determine whether Irish law contains any divergent or more precise
        provisions in relation to the requirements for Certification Service Providers issuing qualified
        certificates, as contained in Annex II of the Directive.



6.   Transposition of Annex 3: enacted and draft provisions about the requirements for secure
     signature-creation devices (same question as 4: are there already more detailed requirements?
     references to standards?)

        Section 2 of the e Commerce Act defines a “secure signature creation device” as a signature
        creation device which meets the requirements set out in Annex III of the Directive. Annex III of the
        Directive is also reproduced in the Schedule to the e Commerce Act.
        Section 29(4)(a) of the e Commerce Act provides that the Minister for Communication, Marine and
        Natural Resources may, through Statutory Instrument, designate persons or public bodies for the
        purposes of determining whether secure signature creation devices conform with the requirements
        of Annex III of the Directive.




        32
        To date no corresponding Statutory Instrument has been implemented into Irish law. Therefore it is
        not possible at this stage to determine whether Irish law contains any divergent or more precise
        provisions in relation to the requirements for secure signature creation devices, as contained in
        Annex III of the Directive.


7.   Transposition of Annex 4: have the recommendations of Annex 4 been taken into account by
     your legislator or government (question is: did your country something with these
     recommendations?).

        Unlike the other Annexes to the Directive, Annex IV is not reproduced in the e Commerce Act.
        However, it is possible that subsequent Statutory Instruments by the Minister for Communications,
        Marine and Natural Resources may implement the recommendations for secure signature
        verification contained in Annex IV of the Directive.


8. Transposition of Art. 3.3: describe briefly the “appropriate system that allows for supervision”
   of CSP’s established in your country and issuing qualified certificates to the public. Is there any
   kind of supervision for other CSP’s (not issuing qc’s to the public)?

        Section 29(3) of the e Commerce Act provides that the Minister for Communications, Marine and
        Natural Resources shall prescribe a scheme of supervision of Certification Service Providers
        established in the state who issue qualified certificates to the public. To date no corresponding
        Statutory Instrument has been implemented into Irish law.


9. Transposition of Art. 3.4: provisions about the bodies and procedures to determine the
   conformity of secure signature-creation devices with the requirements for qualified electronic
   signatures. Are there more precise provisions or measures on this issue?

        Section 29(4) of the e Commerce Act provides that the Minister for Communications, Marine and
        Natural Resources may after consultation with the Minister for Enterprise, Trade and Employment,
        by Statutory Instrument, designate persons or public bodies for the purposes of determining
        whether secure signature creation devices conform with the requirements of Annex III of the
        Directive. To date no corresponding Statutory Instrument has been implemented into Irish law.


10. Transposition of Art. 3.2: brief description of the voluntary accreditation scheme(s) for
    certification-service provision: bodies, procedures, costs, standards, output, …

        Section 29(2) of the e Commerce Act provides that the Minister for Communications, Marine and
        Natural Resources may after consultation with the Minister for Enterprise, Trade and Employment,
        by Statutory Instrument, establish a scheme of voluntary accreditation of Certification Service
        Providers for the purpose of the Directive and to enhance levels of certification service provision in
        the State, and may designate accreditation authorities and prescribe such matters relating to their
        designation as the Minister thinks appropriate for the purpose. To date no corresponding Statutory
        Instrument has been implemented into Irish law.


11. Transposition of Art. 3.7: are there already specific requirements for the use of electronic
    signatures in the public sector?

        In the case of public bodies, Section 13(2)(a) of the e Commerce Act provides that where an
        electronic signature is required or permitted to be given to a public body, such an electronic
        signature may be subject to further “information technology and procedural requirements”, as long


                                                                                                           33
       as those requirements are objective, transparent, proportionate and non-discriminatory. These
       potential requirements are explicitly stated to include the requirement that the signature is an
       advanced electronic signature, is based on a qualified certificate, is issued by an accredited
       Certification Service Provider or that a secure signature creation device has created it.
       Sections 14 and 16 of the e Commerce Act contain similar provisions in relation to documents
       containing signatures that need to be witnessed and documents that need to be made under seal
       respectively.
       In addition, it should be noted that the Irish Government is pro-active in encouraging Irish citizens
       and businesses to deal with public authorities online and this can be seen from the respective
       websites www.oasis.gov.ie and www.basis.ie.


12. Some information about your national market of certification services: major players, well-
    known projects, etc. and a general idea of what will happen next in your country?

       The current Irish Certification Service Providers are the Irish postal service, an post
       (www.post.trust.ie), the Irish Chamber of Commerce
       (www.chambersireland.ie/hdocs/ebusiness_cert.html) and the Irish Revenue Commissioners
       (www.ros.ie) who received the egovernment label from the Belgian Presidency and the European
       Commission in November 2001 in due recognition of their egovernment application which was
       found to be one of the very best practices of its type.




       34
Italy


  1. References to relevant laws, decrees, implementation measures, related e-government
     initiatives (with url’s to relevant webpages): where can we find the text of the laws and decrees
     and follow the developments in this area in your country?

          The act that for the first time regulated in Italy the different ways to compose, to record and to
          transmit electronic documents is the Presidential Decree number 445, dated December 28, 2000
          (herein after referred as the "Testo Unico").

          The major innovation introduced by the Testo Unico is the so called "digital signature" which may
          be considered a particular kind of advanced electronic signature, based on a system of two
          asymmetric keys, one private and the other one public, that grant the origin and the integrity of the
          electronic document.

          On January 23, 2002, the Italian Government issued the Legislative Decree number 10 (herein
          after referred as the "D.Lgs. 10/02"), which implemented the "Directive 1999/93/EC of the European
          Parliament and the Council of 13 December 1999 on a Community framework for electronic
          signatures" (herein after referred as the "Directive") and modified and integrated the Testo Unico.

          Furthermore, please consider that the co-ordination of the different provisions above mentioned and
          the implementations of some technical aspects of the Directive are deferred to a ministerial act
          (herein after referred as the "Regolamento"). Its first draft has been preliminarily approved by the
          Government on August 3, 2002. We expect its publication by the end of December 2002.

              You may find the text of the relevant laws and/or information in the following web sites:

          www.innovazione.gov.it (the web site of the Department of Innovation and Technology);
          www.parlamento.it (the web site of the Italian Parliament);
          www.interlex.com (a well done web site related to the juridical issue of Internet).



  2. Transposition of art. 5.1 of the directive: briefly describe how the equivalence between qualified
     electronic signatures and handwritten signatures has been established.

          Article 5.1 Directive has been implemented by article 10, Testo Unico (as modified by article 6.3
          D.Lgs 10/02) which states that an electronic document signed by a digital or an advanced electronic
          signature based on a qualified certificate and created by a secure-signature-creation device,
          constitutes full proof of the origin of the declarations set forth therein in the person who signed such
          writing.

               Furthermore, article 24 Testo Unico provides that the digital signature that has been
          authenticated by a notary public or another authorized public official is treated as having been
          recognized by its author. The authentication of a digital signature consists of a certification by the
          public official that the signature has been affixed in his presence. The public official must previously
          verify the identity of the person who makes the signature, the validity of the certificate and that the
          document signed is not in opposition with the judicial system and compliant with the will of the party.




                                                                                                               35
3. Transposition of art. 5.2: how has this provision of the directive been transposed in your
   national law and what are the consequences? If 5.2 has not been transposed explicitly, what is
   the legal value of (not qualified) electronic signatures in your country?

         The wording of article 5.2 Directive is more or less copied in article 10 Testo Unico (as modified by
         article 6.4 D.Lgs 10/02).

             Furthermore, at this proposal, article 10 Testo Unico states that electronic documents signed
         with a not qualified electronic signature:

         !        constitute full evidence of the facts or things represented therein, if the persons against
         whom they are offered do not deny their correspondence to the actual facts or things concerned;
         !        satisfies the requirements of a written signature in relation to the facts or things
         represented therein;
         !        satisfies also the requirements provided by articles 2214 – 2220 Italian Civil Code which
         are related to the Accounting Records.

         Finally, article 10 Testo Unico states that it is up to the judge to appraise the evidentiary value of the
         documents signed with a not qualified electronic signature with reference to their security and
         quality.


4. Transposition of Annex 1: enacted and draft provisions about the requirements for qualified
   certificates (the question here is whether your law, in comparison with Annex 1, has divergent
   or more precise provisions about this; are there any references to standards?)

        Article 2. e), D.Lgs 10/02 defines a certificate as qualified when it satisfies the same requirements
        set in Annex I.

             At this proposal, please consider that, as already referred, it is necessary to wait for the issuing
        of the Regolamento which, probably, will indicate some more detailed requirements or references
        to standards.


5. Transposition of Annex 2: enacted and draft provisions about the requirements for CSP’s
   issuing qualified certificates (same question as 4: are there already more detailed
   requirements? references to standards?)

        Article 2. e), D.Lgs 10/02 expressly refers to the same requirements defined in the Annex II.


6.   Transposition of Annex 3: enacted and draft provisions about the requirements for secure
     signature-creation devices (same question as 4: are there already more detailed requirements?
     references to standards?)

        The articles 2. f) and 10 D.Lgs 10/02 define the requirements of the secure signature-creation
        device as referred in the Annex III.


7.   Transposition of Annex 4: have the recommendations of Annex 4 been taken into account by
     your legislator or government (question is: did your country something with these
     recommendations?)

        At this proposal, it is necessary to wait for the Regolamento in order to verify how the signature
        verification process will be implemented in Italy


        36
8. Transposition of Art. 3.3: describe briefly the “appropriate system that allows for supervision”
   of CSP’s established in your country and issuing qualified certificates to the public. Is there any
   kind of supervision for other CSP’s (not issuing qc’s to the public)?

        According to articles 3 and 4, D.Lgs 10/02, the Department of Innovation and Technology and the
        Authority of Technology in the Public Sector are in charge to set up a supervisory system which will
        be implemented according to the Regolamento.


9. Transposition of Art. 3.4: provisions about the bodies and procedures to determine the
   conformity of secure signature-creation devices with the requirements for qualified electronic
   signatures. Are there more precise provisions or measures on this issue?

        The article 10 D.Lgs. 10/02 states that the requirements of the secure signature-creation device
        pointed out in the Annex III of the Directive are verified in accordance with the provisions of the
        Regolamento.


10. Transposition of Art. 3.2: brief description of the voluntary accreditation scheme(s) for
    certification-service provision: bodies, procedures, costs, standards, output, …

        Article 5, D.Lgs. 10/02 introduces voluntary accreditation schemes aiming at enhanced levels of
        certification-service provision which should be disciplined in the Regolamento.

            The sole provision stated by article 5, D.Lgs. 10/02, is that the providers should grant higher
        technical and financial requirements.


11. Transposition of Art. 3.7: are there already specific requirements for the use of electronic
    signatures in the public sector?

       As for the use of electronic signature in the public sector, article 9 D.Lgs. 10/02, which modifies
       article 38 Testo Unico, states that the communications and the petitions sent trough the Web to the
       public administration are valid only if:

       !         subscribed with a digital signature based on a qualified certificate and created by a secure-
       signature-creation device;
       !         the author of the document is identified by an electronic ID certificate or by the national
       card of services (which should be settled by the Regolamento).

       At this proposal, please note that, from December 31, 2005, faxes and electronic documents signed
       with the Digital Signature will be the only ways to send written communication to the public
       administration.


12. Some information about your national market of certification services: major players, well-
    known projects, etc. and a general idea of what will happen next in your country?

        Here are the web sites of the certification-service-providers authorized in Italy to assign digital
        signatures. Please note that the issuing of the Regolamento may modify this list:
        www.actalis.it;
        www.multicertify.com;
        www.cedacricert.it;



                                                                                                              37
www.ct.rupa.it;
www.enel.it/it/enel_it/index.html;
ca.finital.it;
www.card.infocamere.it;
www.e-trustm.it;
www.poste.it;
www.firmasicura.it;
www.firmadigitale.seceti.it;
ca.sia.it;
www.ssb.net.




38
Luxembourg


 1. References to relevant laws, decrees, implementation measures, related e-government
    initiatives (with url’s to relevant webpages): where can we find the text of the laws and decrees
    and follow the developments in this area in your country?

         - Law of 14 August 2000 relating to electronic commerce (EC law), transposing Directive 1999/93
         relating to a Community framework for electronic signatures, Directive 2000/31/EC relating to
         certain legal aspects of information society services, and certain provisions of Directive 97/7/EC
         concerning distance selling of goods and services other than financial services.
         - Law of 22 March 2000 relating to the creation of a National Accreditation Register, a National
         Council for Accreditation, Certification, Standardization and Promotion of Quality, and a
         Luxembourg standardization body. And Grand-Ducal Regulation of 10 May 2001 creating the
         National Council for accreditation, Certification, standardization and quality promotion.
         - Grand-Ducal Regulation of 1 June 2001 relating to electronic signatures, electronic payment and
         implementation of the Electronic Commerce Committee.                                                   This
         act fixes the requirements for the delivery of a “qualified certificate”, the conditions to be fulfilled by
         the certification service providers in order to deliver qualified certificates and security requirements
         of electronic signature storage, and details concerning the new electronic Commerce Committee.
         - Grand-Ducal Regulation of 28 December 2001 on the determination of a system for the
         accreditation of certification and inspection bodies, and of testing and standardization bodies, and
         on the creation of the Office Luxembourgeois d’Accreditation et de Surveillance (OLAS), an
         Accreditation committee and a National Directory of Quality and Technical Assessors.
         - All relevant legal instruments (French and English) can be found on the website of the Office
         Luxembourgeois d’Accreditation et de Surveillance (www.etat.lu/OLAS/ ).


 2. Transposition of art. 5.1 of the directive: briefly describe how the equivalence between qualified
    electronic signatures and handwritten signatures has been established.

         Art.5.1 (a) & (b) of the Directive are implemented by article 18 (1) of the EC law. Noteworthy is that
         the Luxembourg legislator has added a third condition in order for electronic signatures to be
         equivalent to handwritten signatures. Under the Luxembourg EC law, an electronic signature
         constitutes a signature within the meaning of the civil code if :
         -it is created by a secure-signature-creation device
         -which the signatory is able to keep under his own exclusive control and
         -which is based upon a qualified certificate.


 3. Transposition of art. 5.2: how has this provision of the directive been transposed in your
    national law and what are the consequences? If 5.2 has not been transposed explicitly, what is
    the legal value of (not qualified) electronic signatures in your country?

         Art.5.2 of the Directive is explicitly implemented by article 18 (2) of the EC law in the same wording.
         Therefore, an electronic signature may not be rejected by a judge for the sole reason that it is
         presented in electronic form, that it is not based upon a qualified certificate issued by an accredited
         certification-service-provider (CSP), or that it is not created by a secure-signature-creation device.
         In these cases, the electronic signature will be valid for evidential purposes as long as it identifies
         the person who has used such signature and guarantees the integrity of the content of the signed
         document (art.1322-1 of the Civil code).




                                                                                                                 39
4. Transposition of Annex 1: enacted and draft provisions about the requirements for qualified
   certificates (the question here is whether your law, in comparison with Annex 1, has divergent
   or more precise provisions about this; are there any references to standards?)

         The wording of Annex 1 of the Directive is more or less copied into the Luxembourg Grand-Ducal
         Regulation of 1 June 2001, which nevertheless includes some specifics:
         According to this Grand-Ducal Regulation, information mentioned in articles (d), (i) and (j) of the
         Annex 1 of the Directive is not mandatory in the qualified certificate and can be collected upon the
         situation. Specific information about the accreditation of the certification-service-provider may also
         be included on a non-mandatory basis.
         The Minister responsible for standardization publishes in the Mémorial the references of the
         technical norms or regulations generally admitted, including the national ones, relating to qualified
         certificate.


5. Transposition of Annex 2: enacted and draft provisions about the requirements for CSP’s
   issuing qualified certificates (same question as 4: are there already more detailed
   requirements? references to standards?)

        The wording of Annex 2 of the Directive is more or less copied into the Luxembourg Grand-Ducal
        Regulation of 1 June 2001, article 3. Nevertheless, noteworthy that article (k) Annex 2 of the
        Directive, is included in the Luxembourg EC law and provides more detailed requirements:
        “Article 22 of the Luxembourg EC law - Obligation of information
        The certification-service-provider shall procure the information needed for the proper and secure
        use of his services on a durable medium and in a readily comprehensible language.

        The minimum information required is as follows :
        • the procedure to be followed to create and verify an electronic signature;
        • the specifics modalities and conditions of use of certificates, including limits imposed on their
            use, provided that these limits may be discerned by third parties;
        • the obligation which, by virtue of this law, are incumbent upon the certificate-holder and the
            certification-service-provider;
        • the existence of a voluntary accreditation system;
        • the contractual conditions for issuing a certificate, including any limitation on the liability of the
            certification-service-provider;
        • the procedures by which complaints may be made and disputes settled.”

        Furthermore, article 25 of the EC law provides that to be able to issue qualified certificates,
        certification-service-providers must have adequate financial resources and material, technical and
        human resources to guarantee the security, reliability and durability of the certification services
        offered.
        The Minister responsible for standardization publishes in the Mémorial the references of the
        technical norms or regulations generally admitted, including national ones relating to certification
        service providers issuing qualified certificates.
        Those norms relating to electronic signature products whose reference numbers have been
        published in the Official Journal of the European Communities are not published in the Mémorial.


6.   Transposition of Annex 3: enacted and draft provisions about the requirements for secure
     signature-creation devices (same question as 4: are there already more detailed requirements?
     references to standards?)

         The wording of Annex 3 of the Directive is more or less copied into the Luxembourg Grand-Ducal
         Regulation of June 1st 2001, article 4.



        40
        The Minister responsible for standardization publishes in the Mémorial the references of the
        technical norms or regulations generally admitted, including national ones relating to electronic
        signature products, except for those norms relating to electronic signature products whose
        reference numbers have been published in the official Journal of the European Communities.
        References to secured electronic signature creation devices that have been certified as conforming
        to the requirements set out in article 4 by a body designated for this purpose by a member state of
        the European Community are also published in the Mémorial.


7.   Transposition of Annex 4: have the recommendations of Annex 4 been taken into account by
     your     legislator     or   government     (question     is:    did    your      countr
     y something with these recommendations?)

        The provisions required by Annex 4 of the Directive are not explicitly copied in the EC law or the
        Grand-Ducal Regulation of June 1st of 2001 unless for determined provisions: clear use of
        pseudonyms for example.

        Nevertheless, the EC law provides some requirements relating to the obligation of verification
        (article 23 of the EC law), (1) prior to the issue of a certificate, the service provider shall verify the
        complementary nature of the signature creation and signature-verification data, (2) when a qualified
        certificate is issued to a corporate entity, the certification-service-provider shall verify beforehand
        the identity and the authority to represent the natural person applying to him.


8. Transposition of Art. 3.3: describe briefly the “appropriate system that allows for supervision”
   of CSP’s established in your country and issuing qualified certificates to the public. Is there any
   kind of supervision for other CSP’s (not issuing qc’s to the public)?

        The supervisory system is being regulated by the Luxembourg EC law. The National Accreditation
        and Supervisory Authority (OLAS, Office Luxembourgeois d’Accréditation et de Surveillance)
        attached to the Minister of Economy is competent for the supervision of the CSP.

        The procedure is as follows:
        • A CSP willing to issue qualified certificates needs to notify the OLAS that his activities comply
        with the requirements of this law and the regulations enacted in execution hereof.
        • The OLAS shall keep a register of notifications, which will be published.
        • The OLAS may, either ex officio or at the request of any interested party, verify, or arrange for
        verification that the activities of a CSP comply with the provisions of the law or the regulation
        enacted in execution hereof.
        • In case of such control the OLAS and the registered external auditors shall be entitled to
        access to any establishment and to have any information and documents useful or necessary in
        accomplishing their mission.
        • In case the OLAS concludes that the CSP does not fulfill the legal requirements, it invites the
        CSP to comply with the said provisions within a delay.
        • If the CSP does not comply with the requirements within the delay, the OLAS will remove the
        CSP from the notification register and, if it is required in the public interest, the OLAS has the option
        to publish striking-off from the register at any time in the Mémorial, or in one or more foreign or
        national newspaper.

        According to the above mentioned laws and regulations, (question n°1), there are no special
        provisions concerning supervision of CSP which are not issuing qualified certificates.




                                                                                                               41
9. Transposition of Art. 3.4: provisions about the bodies and procedures to determine the
   conformity of secure signature-creation devices with the requirements for qualified electronic
   signatures. Are there more precise provisions or measures on this issue?

       According to art. 4 (3) of the Grand-Ducal Regulation, of 1 June 2001, “the Minister responsible for
       standardization publishes in the Mémorial the references of the technical norms or regulations
       generally admitted, including national ones, relating to electronic signature products, with reference
       to the present Regulation, except for those norms relating to electronic signature products whose
       reference numbers have been published in the Official Journal of the European Communities.
       References to secured electronic signature creation devices that have been certified as conforming
       to the requirements set out in the present article by a body designated for this purpose by a
       member state of the European Community are also published in the Memorial, with reference to
       the present Regulation”.
       Furthermore, one of the mission of the Electronic Commerce Committee, which is a consultative
       body attached to the Ministry of Economy, is to contribute towards clarifying the requirements
       relating to secure electronic signature creation devices.
       This Committee has not yet delivered any information in this aim.


10. Transposition of Art. 3.2: brief description of the voluntary accreditation scheme(s) for
    certification-service provision: bodies, procedures, costs, standards, output, …

       The voluntary accreditation is given by the Minister of the Economy on the recommendation of the
       Director of the OLAS, after the Accreditation committee has given his opinion.
       The National Accreditation and Supervisory Authority               (OLAS, Office Luxembourgeois
       d’Accréditation et de Surveillance) is responsible for the accreditation and the control of the
       accredited certification-service-providers complying with the provisions of the law.
       The conditions for obtaining and keeping accreditation have been determined by a Grand-Ducal
       regulation of 28 December 2001.

       According to this regulation, the procedure is as follows.

       - Official registration at the OLAS must contain all relevant documents (such as the official
       registration form F001 fulfilled and signed, general characteristics of the applicant, general
       information about the applicant and its accreditation domain and two copies of the quality
       handbook)
       - The OLAS carries out an audit with appointed auditors. The audit report is transmitted to the
       applicant, which may, within 20 days, send any remarks or comments to the OLAS.
       - The Accreditation Committee has 40 days to give his opinion to the Minister and the Director of
       the OLAS makes its recommendations to the Minister as well.
       - Decision of the Minister of the Economy and automatic inscription in the National Accreditation
       Register (assigning an identification number (2001/xxx/n°of order)

       The cost : 1.200 €
       The       detailed      procedure        form      can     be    downloaded      from :
       http://www.etat.lu/OLAS/docs/P001DEMANDE.doc
       The        registration        form         can         be    downloaded       from   :
       http://www.etat.lu/OLAS/docs/F001DEMANDE.doc
       The            official         auditors            list      is        available     :
       http://www.etat.lu/OLAS/francais/documents_auditeurs.html
       The first service provider accreditation has been given to LC LUXCONTROL (07/2002), for
       further        information         please        refer     to     the     webpage     :
       http://www.etat.lu/OLAS/francais/registre_inspection.html




       42
11. Transposition of Art. 3.7: are there already specific requirements for the use of electronic
    signatures in the public sector?

       Yes, the project eGovernment aims to develop a PKI platform for the normalization projects relating
       to electronic signature and payment issues (http://www.eluxembourg.lu/eGovernment.cfm ).
       Among others, the CRP Henri Tudor published in June 2002 an opportunity study for the
       implementation of PKI in Luxembourg and the concerned actors, the text is available on
       http://www.nmo.lu .
       The Minister of Economy is responsible for some aspects of the eluxembourg project
       (http://www.etat.lu/ECO and http://www.eluxembourg.lu ), therefore you can get more information
       asking François.thill@eco.etat.lu (official contact person of the Ministry).


12. Some information about your national market of certification services: major players, well-
    known projects, etc. and a general idea of what will happen next in your country?

       There exist two majors certification services in Luxembourg : euSign (in association with Xcert
       international, http://www.eusign.com ) and EuroSignCard (in association with Digital Signature
       Trust, first accredited authority in US, http://www.eurosigncard.com ).




                                                                                                       43
The Netherlands


 1. References to relevant laws, decrees, implementation measures, related e-government
    initiatives (with url’s to relevant webpages): where can we find the text of the laws and decrees
    and follow the developments in this area in your country?

         Adaptation of chapter 3 and 6 of the Civil Code, the Telecommunications Act and the Economic
         Offences Act regarding electronic signatures, effecting Directive 1999/93/EU of the European
         Parliament and the Council of the European Union of 13 December 1999 on a Community
         framework for electronic signatures (‘Electronic Signatures Act’).
         Aanpassing van Boek 3 en Boek 6 van het Burgerlijk Wetboek, de Telecommunicatiewet en de
         Wet op de economische delicten inzake elektronische handtekeningen ter uitvoering van
         richtlijn nr. 1999/93/EG van het Europees Parlement en de Raad van de Europese Unie van
         13 december 1999 betreffende een gemeenschappelijk kader voor elektronische
         handtekeningen (PbEG L 13) (Wet elektronische handtekeningen).

         This legislative proposal has recently been sent to the First Chamber (the Senate) for approval
         (Eerste Kamer, vergaderjaar 2001 – 2002, 27 743, nr. 265). The proposal will come into force after
         it has been entered in the Bulletin of Acts and Decrees. The text can be found at www.overheid.nl.

         The Dutch government's Public Key Infrastructure Task Force (PKIoverheid) is preparing the way
         for the full introduction of a public key infrastructure (PKI) by the end of 2002. This infrastructure is
         intended for almost all types of interchange and transactions with the government in public sector
         communications. These communications include the exchange between government bodies and
         the public, government bodies and the business community and between government bodies
         themselves.                For              more              information           refer              to
         www.pki-overheid.nl.


 2. Transposition of art. 5.1 of the directive: briefly describe how the equivalence between qualified
    electronic signatures and handwritten signatures has been established.

         Article 5.1 of the directive is implemented by article 3:15a Civil Code. Paragraph 1 of this article
         states that an electronic signature has equal legal effects as a handwritten signature if the method
         for authentication is sufficiently reliable. If the (technical) requirements of paragraph 2 are met, the
         method for authentication is assumed to be sufficiently reliable.


 3. Transposition of art. 5.2: how has this provision of the directive been transposed in your
    national law and what are the consequences? If 5.2 has not been transposed explicitly, what is
    the legal value of (not qualified) electronic signatures in your country?

         Article 5.2 of the directive (bullet 2, 3 and 4) is implemented by article 3:15c Civil Code. A method
         used for authentication may not be considered unreliable merely on the fact that it is e.g. not based
         on a qualified certificate. The first bullet of article 5.2 of the directive is not explicitly implemented
         since evidence under Dutch law can be already delivered by any means.


 4. Transposition of Annex 1: enacted and draft provisions about the requirements for qualified
    certificates (the question here is whether your law, in comparison with Annex 1, has divergent
    or more precise provisions about this; are there any references to standards?)



         44
        Annex 1 will be worked out in a governmental decree after the Electronic signatures act has
        entered into force.


5. Transposition of Annex 2: enacted and draft provisions about the requirements for CSP’s
   issuing qualified certificates (same question as 4: are there already more detailed
   requirements? references to standards?)

        Annex 2 will be worked out in a governmental decree after the Electronic signatures act has
        entered into force. No additional information is currently available.


6.   Transposition of Annex 3: enacted and draft provisions about the requirements for secure
     signature-creation devices (same question as 4: are there already more detailed requirements?
     references to standards?)

        Annex 3 will be worked out in a governmental decree after the Electronic signatures act has
        entered into force.


7.   Transposition of Annex 4: have the recommendations of Annex 4 been taken into account by
     your legislator or government (question is: did your country something with these
     recommendations?)

        No, according to the Dutch legislator Annex 4 does not require implementation.


8. Transposition of Art. 3.3: describe briefly the “appropriate system that allows for supervision”
   of CSP’s established in your country and issuing qualified certificates to the public. Is there any
   kind of supervision for other CSP’s (not issuing qc’s to the public)?

        This article has been implemented by article 2.1, paragraph 3 and 4, and article 2.2, paragraph 2
        Telecommunications Act. Parties issuing qualified certificates to the public need to register with the
        board as described in article 2 of the Act on the independent mail and telecom authority. There is
        no supervision for CSP’s not issuing qualified certificates.


9. Transposition of Art. 3.4: provisions about the bodies and procedures to determine the
   conformity of secure signature-creation devices with the requirements for qualified electronic
   signatures. Are there more precise provisions or measures on this issue?

        This article has been implemented by article 18.17 paragraph 2 and 3 Telecommunications Act. It
        states that the Minister of Transport can appoint a body that is in charge of the supervision of
        conformity of secure signature-creation devices with the requirements for qualified electronic
        signatures.


10. Transposition of Art. 3.2: brief description of the voluntary accreditation scheme(s) for
    certification-service provision: bodies, procedures, costs, standards, output, …

        This article has been implemented by article 18.16 of the Telecommunications Act. It states that the
        Minister of Transport can appoint one or more bodies responsible for that task.




                                                                                                           45
11. Transposition of Art. 3.7: are there already specific requirements for the use of electronic
    signatures in the public sector?

       See answer to question 1 (PKI Overheid). There is also a legislative proposal to supplement the
       General Administrative Law Act regarding electronic communication between citizens and
       administrative bodies.


12. Some information about your national market of certification services: major players, well-
    known projects, etc. and a general idea of what will happen next in your country?

       Well knows players are Verisign, PinkRoccade Trusted Services (www.verisign.nl), Enschede/SDU
       (www.ensdu.nl), Utimaco (hardware, software, www.utimaco.nl).




       46
Portugal


  1. References to relevant laws, decrees, implementation measures, related e-government
     initiatives (with url’s to relevant webpages): where can we find the text of the laws and decrees
     and follow the developments in this area in your country?

           The legal recognition of electronic documents and digital signatures is governed by Decree-Law
           290-D/99 of August 2 1999. This law came into force before the Directive for a common framework
           for electronic signatures was approved, so it is not a transposition of The Directive 1999/93/EC of
           The European Parliament and of the Council of 13 December 1999, although most of the solutions
           of the Directive are implemented.
           Decree-Law 375/99 (September 18 1999) governs the legal recognition of electronic invoices. An
           electronic invoice with a digital signature is legally recognized in the same way as a paper invoice.
           The text of both laws are not available in English, however I send an unofficial translation in attach.


  2. Transposition of art. 5.1 of the directive: briefly describe how the equivalence between qualified
     electronic signatures and handwritten signatures has been established.

           Electronic documents have the same legal recognition as hand-written documents when their
           content can be represented as a written statement. An electronic document with an electronic
           signature has the same legal effect as a signed hand-written document


  3. Transposition of art. 5.2: how has this provision of the directive been transposed in your
     national law and what are the consequences? If 5.2 has not been transposed explicitly, what is
     the legal value of (not qualified) electronic signatures in your country?

           No.
           Please see Article 7 of the Decree-Law 290-D/99


  4. Transposition of Annex 1: enacted and draft provisions about the requirements for qualified
     certificates (the question here is whether your law, in comparison with Annex 1, has divergent
     or more precise provisions about this; are there any references to standards?)

           The Portuguese law do not foresee advanced digital signatures.
           Please see Article 7 and 30 of the Decree-Law 290-D/99


  5. Transposition of Annex 2: enacted and draft provisions about the requirements for CSP’s
     issuing qualified certificates (same question as 4: are there already more detailed
     requirements? references to standards?)

           Requirements for CSP’s are very similar to the Directive requirements, please see Chapter III of the
           Decree-Law 290-D/99


  6.   Transposition of Annex 3: enacted and draft provisions about the requirements for secure
       signature-creation devices (same question as 4: are there already more detailed requirements?
       references to standards?)



                                                                                                               47
        No specific provisions


7.   Transposition of Annex 4: have the recommendations of Annex 4 been taken into account by
     your legislator or government (question is: did your country something with these
     recommendations?)

        No entirely, please remember that our Decree-Law 290-D/99 came into force before the Directive
        for a common framework for electronic signatures was approved


8. Transposition of Art. 3.3: describe briefly the “appropriate system that allows for supervision”
   of CSP’s established in your country and issuing qualified certificates to the public. Is there any
   kind of supervision for other CSP’s (not issuing qc’s to the public)?

        Yes, please see Chapter III of the Decree-Law 290-D/99


9. Transposition of Art. 3.4: provisions about the bodies and procedures to determine the
   conformity of secure signature-creation devices with the requirements for qualified electronic
   signatures. Are there more precise provisions or measures on this issue?

        No, please se our answer to question 9.


10. Transposition of Art. 3.2: brief description of the voluntary accreditation scheme(s) for
    certification-service provision: bodies, procedures, costs, standards, output, …


11. Transposition of Art. 3.7: are there already specific requirements for the use of electronic
    signatures in the public sector?

        Yes, please see Article 5 of the Decree-Law 290-D/99


12. Some information about your national market of certification services: major players, well-
    known projects, etc. and a general idea of what will happen next in your country?


        There are two major CSP's operating in Portugal
        The adaptation of the Decree-Law 290-D/99 to the Directive is expected until the end of this year.




        48
Spain


  1. References to relevant laws, decrees, implementation measures, related e-government
     initiatives (with url’s to relevant webpages): where can we find the text of the laws and decrees
     and follow the developments in this area in your country?

          The Ministry in charge of this legislation is the Ministry of Science and Tecnology (Ministerio de
          Ciencia y tecnología). At http://www.mcyt.es/grupos/grupo_setsi.htm you can find the following
          texts:

          REAL DECRETO-LEY 14/1999, (LFE) de 17 de septiembre, sobre firma electrónica. [p. 33593].,
          which is the implementation law of the EU Directive. As you might see, the law was enacted before
          the EU Directive was approved

          ORDEN de 21 de febrero de 2000 por la que se aprueba el Reglamento de acreditación de
          prestadores de servicios de certificación y de certificación de determinados productos de firma
          electrónica., which establishes the accreditation requirements for electronic signature services
          providers

          Also,                                                                                               at
          http://www.mcyt.es/grupos/grupo_carrusel.htm?http://www.setsi.mcyt.es/novedad/firma_electr.htm
          You can find the draft of new law on Electronic Signatures. Since the present law in Spain was
          enacted before the approval, it will require some changes. This new draft introduces also interesting
          new issues, such as the creation of the Electronic Identification Card, or the Electronic certificates
          for companies and entities (not only for individuals).


  2. Transposition of art. 5.1 of the directive: briefly describe how the equivalence between qualified
     electronic signatures and handwritten signatures has been established.


          Article 3.1 of the LFE: Qualified e.s. shall have the same legal value as handwritten signature and
          shall be admissible as evidence in court, provided that (i) it is based in a recognized certificate and
          (ii) has been produced by a safe device of signature generation.
          Article 8 LFE establishes the requirements so that a certificate is considered as recognized, and
          Article 19 LFE establishes the requirements so that a signature generation device is considered as
          safe.
          Moreover, Article 3.1 LFE establishes the following pressumtion: certificates issued by accredited
          e.s. service providers shall be considered as generating qualified e.s.


  3. Transposition of art. 5.2: how has this provision of the directive been transposed in your
     national law and what are the consequences? If 5.2 has not been transposed explicitly, what is
     the legal value of (not qualified) electronic signatures in your country?

          Article 3.2 LFE trnspones article 5.2 of the Directive. According to it, legal effects cannot be denied
          to not qualified e.s., and won’t be excluded as evidence in court, by the single fact of being
          electronic.




                                                                                                              49
4. Transposition of Annex 1: enacted and draft provisions about the requirements for qualified
   certificates (the question here is whether your law, in comparison with Annex 1, has divergent
   or more precise provisions about this; are there any references to standards?)

             Article 8 LFE establishes the requirements for recognized certificates. In comparison with
             Annex I of the Directive here are the changes:

                 Paragraph      in                Article 8 LFE
                 ANNEX            I
                 Directive
                 A                                Same as directive
                 B                                Also requires the indication of the domicile, e mail
                                                  address, tax identification number and registry data of the
                                                  Service Provider (in Spain, all companies, to be created,
                                                  must be registered before the Companies Registry)
                 C                                Also requires that identification is unequivocal. Further,
                                                  the Spanish law forsees that the signatory is acting on
                                                  behalf of a company or legal entities: if so, it must be
                                                  mentioned the document which proves the powers of the
                                                  signatory to act in representation of the company or the
                                                  legal entity
                 D                                Same as directive, but with the consent of the signatory
                 E                                Same as directive
                 F                                Same as directive
                 G                                Same as directive
                 H                                Same as directive
                 I                                Same as directive
                 j                                Same as directive

Reference to standards: there aren’t. However, please see previous comments on accreditation for E.S.
Services Providers


5. Transposition of Annex 2: enacted and draft provisions about the requirements for CSP’s
   issuing qualified certificates (same question as 4: are there already more detailed
   requirements? references to standards?)

             Article 11 LFE establishes the compulsory requirements for providers of Not Qualified
             Certificates. Article 12 LFE establishes requirements for providers of Qualified Certificates,
             requirements that are in addition to the ones established in Article 11.

                 Directive               LFE                 Equivalence
                 (Annex                  Arti
                 II)                     cle
                 A                       12.b               Same as Directive
                 B                       12.c               Same as Directive
                 C                       12.a               Similar to Directive. LFE says “indicate” not
                                                            “guarantee”
                 D                       11.a               Same as Directive. However, it includes the
                                                            possibility that identification of the signatory is
                                                            done by third parties acting on behalf of the
                                                            provider.
                 E                       12.d               Same as Directive
                 F                       12.e               Same as Directive
                 G                       12.f               Same as Directive



        50
                 H                         12.g                  Same as Directive, but including the minimum
                                                                 requirements: insurance guarantee must be
                                                                 for an amount, at least, of 4% of the total sum
                                                                 of the transactions under the overall
                                                                 certificates issued by the provider. If there is
                                                                 not amount limit in the certificated issued,
                                                                 insurance guarantee must cover responsibility
                                                                 for a minimum amount of 6.010.121,04 Euros
                 I                         12.h                  Same as Directive, but time established to
                                                                 keep information is 15 years, and includes the
                                                                 obligation of the provider to bring such
                                                                 information to a judicial proceeding, if required
                 J                         11.c                  Same as Directive
                 K                         12.i                  Same as Directive
                 L                         12.j                  Same as Directive
                 Not                       12.k                  Inform certificate users of the criteria for the
                 existing                                        provision of the services that the provider is
                                                                 aimed to follow, and to respect in the
                                                                 furnishing of its services the obligations
                                                                 established in LFE

         Article 11 establishes the following additional requirements not included in ANNEX II of the
         Directive:
         11.b: Make available to signatory the devices for the creation and verification of the electronic
         signature
         11.d: Inform, before issuing a certificate, about its price, conditions of its use limits in use and
         systems established by the provider to guarantee possible liabilities for damages
         11.e: Keep books and records (register) of certificates issued, including information about its
         possible suspension or termination. Such register shall be accessible by electronic means to third
         parties so authorized by the signatory
         11.f: If ceasing in its activity, provider shall notifiy such circumstance to certificate holders with two
         months prior notice.
         11.g: To register into the Public Registry of Certificate Service Providers
         11.h: Fulfill any other obligations established in the LFE



6.   Transposition of Annex 3: enacted and draft provisions about the requirements for secure
     signature-creation devices (same question as 4: are there already more detailed requirements?
     references to standards?)

         Transposition, is done in article 19 LFE, using nearly the same words as ANNEX III of the Directive


7.   Transposition of Annex 4: have the recommendations of Annex 4 been taken into account by
     your legislator or government (question is: did your country something with these
     recommendations?)

         All recommendations have been included in Article 22.1 LFE, except point a) of ANNEX III.
         However, the Spanish law only applies this requirements to Qualified Electronic Signatures


8. Transposition of Art. 3.3: describe briefly the “appropriate system that allows for supervision”
   of CSP’s established in your country and issuing qualified certificates to the public. Is there any
   kind of supervision for other CSP’s (not issuing qc’s to the public)?



                                                                                                                51
       LFE has established the following developments of Article 3.3 of the Directive:

       Article 7 LFE: creation of a Public Registry of Electronic Certificate Service Providers. All providers
       in Spain must register before this Public Registry (subject to the payment of the corresponding
       taxes for inscription), under the control of the Ministry of Justice.

       Article 16 LFE: Supervision of Providers’ activity was originally assigned to the Ministry of Fomento,
       now being the responsibility of the Ministry of Science and Technolgy, and specifically to the
       Secretaría General de Comunicaciones.Such authority has inspection abilities, and is empowered
       to impose penalties described in articles 26 and 27 LFE, for the infringements described in Articles
       214 to 25 LFE.

       Article 17 LFE: All Certificate Services Providers are forced to cooperate with the above mentioned
       authority in its supervision duties, furnishing all information required and granting access to its
       premises and resources.


9. Transposition of Art. 3.4: provisions about the bodies and procedures to determine the
   conformity of secure signature-creation devices with the requirements for qualified electronic
   signatures. Are there more precise provisions or measures on this issue?

       Please see reference to accreditation systems established in Article 6 LFE, and developed by the
       Orden mentioned in answer to question 1. This Orden assigns also authority on accreditation
       systemas to the Secretaría General de Comunicaciones.
       Besides this, Article 20 LFE indicates that all electronic signature products which comply with
       technical rules whose reference numbers have been published in the EU Official Diary, are
       considered to fulfill requirements established in Article 12 LFE (requirements for providers of
       recognized certificates) and Article 19 LFE (secure devices for creation of signatures).


10. Transposition of Art. 3.2: brief description of the voluntary accreditation scheme(s) for
    certification-service provision: bodies, procedures, costs, standards, output, …

       Please see answers to questions 1 and 9. Full description of these voluntary accreditation services
       is described in Article 6 LFE and in Orden de 21 de febrero de 2001




       52
11. Transposition of Art. 3.7: are there already specific requirements for the use of electronic
    signatures in the public sector?

       Article 5 LFE transposes article 3.7 of the Directive.
       Possible additional requirements for use of e.s. in the public sector can be, amongst others to be
       specified by each public body:
       a) Time stamping
       b) Date stamping
       Such additional requirements must be reasonable, objective, not discriminatory, and shall not be an
       obstacle to furnishing of services to citizens, if in such services several public bodies, either national
       or international, are involved.
       It is also foreseen the possibility of establishing specific regimes for use of e.s. for classified
       information and for tax obligations.


12. Some information about your national market of certification services: major players, well-
    known projects, etc. and a general idea of what will happen next in your country?

       Major certificate product for the public sector is CERES, certification system under the responsibility
       of a public body known as Fabrica Nacional de Moneda y Timbre (responsible for the public service
       on currency and stamps). This certification system is being tried to be the standard for use of e.s.
       with public bodies, and it is the one used for the Tax Agency in tax declarations to be produced
       through Internet, with increasing success.

       In the private sector, besides the most common providers of services (Verysign, Identrus, etc…),
       two national certification systems must be highlighted: FESTE, under the responsibility of the Bar
       Association of Public Notaries, and CAMERFIRMA, under the responsibility of the Natioanl Council
       of Chamber of Commerce.

       Many changes will come in the future, mainly according to the draft of bill of new law on Electronic
       Signatures (please see comments to question 1), specially the cration of an Electronic Identity Card
       (EIC) which include e.s. The aim of the government is to approve the new law as quickly as
       possible, and to legally create the EIC as soon as possible, so that all Spanish nationals are
       provided with e.s. systems. At the present time, the Ministry of Science and Technology has
       already started the public process for contracting the provider of technology for such EIC, and it is
       foreseen that the first tests are done during 2004.




                                                                                                              53
Sweden


 1. References to relevant laws, decrees, implementation measures, related e-government
    initiatives (with url’s to relevant webpages): where can we find the text of the laws and decrees
    and follow the developments in this area in your country?

         a) Act on Qualified Electronic Signatures etc. (Sw. Lag om kvalificerade elektroniska
         signaturer)
                 The Act entered into force 1 January 2001.

         b) Act Concerning Technical Conformity Assessment (Sw. Lag om teknisk kontroll)

         c) All relevant legal instruments and information about them can be found on the web-site of the
         Swedish Government (www.regeringen.se) and on the website of the National Post and Telecom
         Agency (www.pts.se).

         d) The websites of the Swedish Ministry of Industry, Employment and Communications
         (www.naring.regeringen.se), the National Post and Telecom Agency (www.pts.se) and the
         Swedish Board for Accreditation and Conformity Assessment (www.swedac.se) provides
         information on the legal instruments, the developments in this area, implementation measures and
         related e-government initiatives.


 2. Transposition of art. 5.1 of the directive: briefly describe how the equivalence between qualified
    electronic signatures and handwritten signatures has been established.

         In general contracts are legally binding in the majority of cases, irrespective of whether they have
         been concluded verbally, in writing or electronically. There are, however, a number of exceptions
         where a written signature is required, for example, for real property purchases and often in the case
         of applications, etc. in the public sector.

         Art. 5.1 (a): The article of the directive is implemented by paragraph 17 in the Act on Qualified
         Electronic Signatures etc. (below “the Act”).This provision states that: “If a requirement of a
         handwritten signature or its equivalent, contained in a law or regulation may be satisfied by
         electronic means, a qualified electronic signature shall be deemed to fulfill this requirement.” This
         provision implies that in cases, which permit the use of electronic signatures, a qualified signature
         must always be accepted.

         Art. 5.1 (b): In Sweden electronic signatures are permissible as evidence in a court of law in the
         same way as written signatures. Therefore, article 5.1 (b) did not have to be implemented.


 3. Transposition of art. 5.2: how has this provision of the directive been transposed in your
    national law and what are the consequences? If 5.2 has not been transposed explicitly, what is
    the legal value of (not qualified) electronic signatures in your country?

         Art. 5.2 have not been transposed in Swedish national law. As mentioned above, under section 2,
         electronic signatures are permissible in Sweden as evidence in a court of law in the same way as




         54
        written signatures. Furthermore, in Sweden there are no rules that deny legal effectiveness to
        electronic signatures.



4. Transposition of Annex 1: enacted and draft provisions about the requirements for qualified
   certificates (the question here is whether your law, in comparison with Annex 1, has divergent
   or more precise provisions about this; are there any references to standards?)

        The wording of Annex 1 of the Directive is more or less copied into the Act (paragraph 6). Thus, the
        Swedish law neither has divergent nor more precise provisions.


5. Transposition of Annex 2: enacted and draft provisions about the requirements for CSP’s
   issuing qualified certificates (same question as 4: are there already more detailed
   requirements? references to standards?)

         The requirements in the Act (paragraph 9) are not as detailed as the requirements in the Directive.
         Regarding one of the requirements (the requirement that the provider shall use trustworthy systems
         and products that are protected against modification and which ensure technical and cryptographic
         security) the Act states that this requirement shall be deemed to be satisfied by hardware or
         software devices that comply with the standards for electronic signature products, reference
         numbers of which have been established by the Commission of the European Communities and
         published in the Official Journal of the European Communities.


6.   Transposition of Annex 3: enacted and draft provisions about the requirements for secure
     signature-creation devices (same question as 4: are there already more detailed requirements?
     references to standards?)

        The wording of Annex 3 is more or less copied into the Act (paragraph 3). However, in the Act
        (paragraph 4) the same reference to standards, as in paragraph 9 (described under section 5
        above), is made.


7.   Transposition of Annex 4: have the recommendations of Annex 4 been taken into account by
     your legislator or government (question is: did your country something with these
     recommendations?)

         No, Annex 4 in the Directive has not been transposed into Swedish law.


8. Transposition of Art. 3.3: describe briefly the “appropriate system that allows for supervision”
   of CSP’s established in your country and issuing qualified certificates to the public. Is there any
   kind of supervision for other CSP’s (not issuing qc’s to the public)?

        The Swedish National Post and Telecom Agency (PTS) is the authority responsible for supervising
        compliance with the Act. A certification service provider must notify this authority before it may issue
        qualified certificates. The supervisory authority publishes a list of authorized certification service
        providers. It is also empowered, for example, to carry out inspections and impose fines, should the
        service provider fail to fulfill the statutory requirements (paragraph 18-23).




                                                                                                             55
9. Transposition of Art. 3.4: provisions about the bodies and procedures to determine the
   conformity of secure signature-creation devices with the requirements for qualified electronic
   signatures. Are there more precise provisions or measures on this issue?

       No, the corresponding provision in the Act (paragraph 5) is not more precise than the Directive.
       However, the Swedish provision makes a reference to the Technical Conformity Assessment Act.
       According to the Technical Conformity Assessment Act the Swedish Board for Accreditation and
       Conformity Assessment (SWEDAC) is to determine whether the requirements in question have
       been fulfilled.


10. Transposition of Art. 3.2: brief description of the voluntary accreditation scheme(s) for
    certification-service provision: bodies, procedures, costs, standards, output, …

       In Sweden the national accreditation scheme is regulated in the Swedish Act Concerning Technical
       Conformity Assessment. Decisions regarding accreditation is given by the SWEDAC. Accredited
       bodies shall pay a fee to SWEDAC for the accreditation and technical control.


11. Transposition of Art. 3.7: are there already specific requirements for the use of electronic
    signatures in the public sector?

       Certain information, such as custom- and income tax returns, may only be handed in to the
       authority in question electronically after a special permission from the authority. The permissions
       may be given on the conditions that, for example, certain technical procedures must be observed.


12. Some information about your national market of certification services: major players, well-
    known projects, etc. and a general idea of what will happen next in your country?

       In Sweden only one certificate provider, PKI Partner, has made a registration to PTS. However, the
       provider later withdrew its registration.

       PTS considers that the use of qualified electronic signatures on the Swedish market is restrained by
       fees and therefore suggests that the Swedish Government abolish the registration fees that the
       certificate providers have to pay to PTS when making their registrations.




       56
United Kingdom

 1. References to relevant laws, decrees, implementation measures, related e-government
    initiatives (with url’s to relevant webpages): where can we find the text of the laws and decrees
    and follow the developments in this area in your country?


         The most relevant pieces of legislation in the context of this questionnaire are:
         (i) Electronic Communications Act 2000 (“ECA”). This contains provisions regarding the
         admissibility of electronic signatures in evidence (s.7), and authorises Government Ministers to
         issue secondary legislation ("Section 8 Orders") to modify other statutes as necessary to facilitate
         the use of electronic documents. It also contains provisions regarding the establishment of a
         register of approved certification service providers, although this section is not currently in force and
         will not be brought into force if the government considers self-regulatory schemes to be adequate;
         and
         (ii) the Electronic Signatures Regulations 2002 (the “Regulations”), which came into force on 8
         March 2002. These include provisions relating to the liability and supervision of certification service
         providers.
         The ECA can be found at: http://www.legislation.hmso.gov.uk/acts/acts2000/20000007.htm
         The Regulations can be found at: http://www.legislation.hmso.gov.uk/si/si2002/20020318.htm
         The best places online to follow developments in this area are:
         !   the website of the Communication and Information Industries Directorate (part of the
             Department of Trade and Industry): http://www.dti.gov.uk/cii/index.shtml; and
         !   the website of the government “e-envoy”: http://www.e-envoy.gov.uk.


 2. Transposition of art. 5.1 of the directive: briefly describe how the equivalence between qualified
    electronic signatures and handwritten signatures has been established.


         (a) Article 5.1(a)
         The UK government feels that Article 5.1(a) does not need to be implemented explicitly in UK law.
         It feels that the current law already covers the requirements of Article 5.1(a). Their reasoning is that
         in UK law wherever there is a signature requirement in relation to data in electronic form, this is
         already capable of being satisfied by an electronic signature (including the type of signature
         specified           in        Article        5.1(a)).       On           this        point,         see
         http://www.dti.gov.uk/cii/datasecurity/electronicsignatures/esd_note.shtml - the Department of
         Trade and Industry’s note on the transposition of the Directive into UK law. Therefore there is
         nothing in the ECA or the Regulations which addresses the issues raised in 5(1)(a).
         We question the UK government's conclusion on this point. We believe there is a strong argument
         that Article 5.1(a) has not yet been adequately implemented in UK law.
         The ECA does not directly change the legal value and recognition of electronic signatures to make
         them equivalent to handwritten signatures. Rather, the ECA authorises Government Ministers to
         issue Orders (Section 8 Orders) for the purpose of modifying various laws to facilitate the use of
         "electronic communication". The Section 8 Orders currently in force are:
         • The Companies Act 1985 (Electronic Communications) Order 2000. This amends the
         Companies Act 1985 and includes provisions which enable companies and their shareholders to
         communicate electronically;



                                                                                                               57
       • The Unsolicited Goods and Services Act 1971 (Electronic Communications) Order 2001. This
       amends the Unsolicited Goods and Services Act 1971 to enable orders for purchase to be made
       electronically;
       • The National Health Service (Charges for Drugs and Appliances) (Electronic Communications)
       Order 2001; the National Health Service (Pharmaceutical Services) and (Misuse of Drugs)
       (Electronic Communications) Order 2001; and the Prescription Only Medicines (Human Use)
       (Electronic Communications) Order 2001 National Health Service (General Medical Services)
       (Electronic Communications) Order 2001. These orders amend subordinate legislation, enabling
       medical prescriptions to be made electronically
       • The Public Records Act 1958 (Admissibility of Electronic Copies of Public Records) Order
       2001. This amends the Public Record Act 1958, enabling electronic copies of public records to be
       admissible in court.
       It is not entirely clear from the ECA whether or not a Section 8 Order could be used to give explicit
       recognition to an electronic signature. Although we have not analysed all Section 8 Orders to date,
       we have looked closely at the Companies Act 1985 (Electronic Communications) Order 2000. This
       Order does not address the issue of making electronic signatures equivalent to handwritten ones.
       In each circumstance where it modifies the Companies Act to facilitate the use of elecontrinuc
       communication the Order removes the need to produce a signature, rather than directly addressing
       the issue of allowing electronic signatures to be used. The fact that the drafters of this particular
       Section 8 order felt the need to omit the "signature" requirement when using electronic
       communications, merely strengthens our view that the government has not adequately transposed
       Articles 5.1(a) and Article 5.2. See also comments in response to Question 3, below.
       (b) Article 5.1(b)
       Article 5.1(b) of the directive (ensuring that certain advanced electronic signatures are admissible in
       legal proceedings) has been transposed in s.7 ECA.




3. Transposition of art. 5.2: how has this provision of the directive been transposed in your
   national law and what are the consequences? If 5.2 has not been transposed explicitly, what is
   the legal value of (not qualified) electronic signatures in your country?


       As with Article 5.1(a), the UK government felt that Article 5.2 has been implemented through
       section 7 of the ECA and needed no further implementation in the Regulations.
       There are a number of specific UK statutes that impose a signature requirement in the context of
       certain specified legal communications. (E.g., execution of a will.) There is no uniform method in UK
       law of defining what is meant by "signature". Where a statute imposes a signature requirement,
       there remains a serious question about whether an "electronic signature" would suffice to meet this
       requirement. Section 8 Orders (mentioned in the answer to Question 2) are one method that policy-
       makers may use to redress this problem in the long term.
       For these reasons we believe there is a good argument that Article 5.2 has not been adequately
       transposed into UK law.




4. Transposition of Annex 1: enacted and draft provisions about the requirements for qualified
   certificates (the question here is whether your law, in comparison with Annex 1, has divergent
   or more precise provisions about this; are there any references to standards?)
       Annex 1 is implemented verbatim in Schedule 1 of the Regulations.




       58
5. Transposition of Annex 2: enacted and draft provisions about the requirements for CSP’s
   issuing qualified certificates (same question as 4: are there already more detailed
   requirements? references to standards?)
        Annex 2 is implemented verbatim in Schedule 2 of the Regulations.


6.   Transposition of Annex 3: enacted and draft provisions about the requirements for secure
     signature-creation devices (same question as 4: are there already more detailed requirements?
     references to standards?)
        The UK government has taken the view that the approach towards SSCDs taken by Annex 3 is not
        necessarily the only practical route available. It has been reluctant to take a lead in establishing the
        standards necessary for SSCDS. At present it is in negotiations with the Communications and
        Electronic Security Group (CESG), an arm of GCHQ, on how to deal with this issue. It is possible
        that, as a result of these negotiations, that CESG may be empowered by the government to decide
        on the conformity of SSCDs with Annex 3 of the directive.
        It seems likely that, in this matter, the government will follow the approach taken by the European
        Electronic Signatures Standardisation Initiative (ESSI)


7.   Transposition of Annex 4: have the recommendations of Annex 4 been taken into account by
     your legislator or government (question is: did your country something with these
     recommendations?)

            The UK government have, as yet, taken no account of the recommendations of Annex 4.



8. Transposition of Art. 3.3: describe briefly the “appropriate system that allows for supervision”
   of CSP’s established in your country and issuing qualified certificates to the public. Is there any
   kind of supervision for other CSP’s (not issuing qc’s to the public)?


        This article is implemented by Regulation 3, which states that it is the duty of the Secretary of State
        (currently the Secretary of State for Trade and Industry) to review the activities of certification-
        service providers. He must maintain a public register of CSPs which issue qualified certificates to
        the public and in the event that that he obtains evidence of poor conduct by any CSPs, he has an
        obligation to make this evidence available to the public.
        If the government implements Part 1 of the ECA, which at present seems unlikely, a statutory
        voluntary approval regime may be established for all CSPs.
        The tScheme, which the government is currently backing, provides some degree of self-regulation
        for CSPs (see below in question 10)


9. Transposition of Art. 3.4: provisions about the bodies and procedures to determine the
   conformity of secure signature-creation devices with the requirements for qualified electronic
   signatures. Are there more precise provisions or measures on this issue?
        The UK government’s response to Article 3.4 is in effect the same as its response to Annex 3 (see
        above under 6). It is reluctant to take the lead in the issue establishing the standards needed for
        secure signature-creation devices.


10. Transposition of Art. 3.2: brief description of the voluntary accreditation scheme(s) for
    certification-service provision: bodies, procedures, costs, standards, output, …




                                                                                                              59
       The UK government has the power to create a statutory voluntary approval regime through part 1
       of the ECA. However, this part of the act has not yet been implemented. Instead the government is
       currently favouring the tScheme. This is a non-governmental voluntary approvals regime which has
       been established by the Alliance for Electronic Business (an organisation which consists of the
       Confederation of British Industry (CBI), the Federation of Electronics Industry (FEI), the Direct
       marketing Association (DMA) the Computer Services and Software Industry (CSSA) and e-
       centreuk . If the tScheme is successful, the government has said that it will not implement part 1 of
       the Act.
       Details of the tScheme can be found at http://www.tscheme.org/. It describes its own activities as
       follows:
       “tScheme develops sets of criteria called Approval Profiles for commercially offered trust services.
       These allow service providers who are able to demonstrate that their services meet these sets of
       criteria to achieve added business value by using the tScheme approval mark. A contract is put in
       place              to          safeguard             continuing            good             practice.

       To obtain this necessary proof of trustworthiness, a trust service provider is assessed to the
       relevant profiles by an independent tScheme-recognised assessing body. A report is prepared, and
       if this certifies compliance with the tScheme criteria, the trust service is granted approval by
       tScheme Ltd, including the right to display the tScheme mark.”


11. Transposition of Art. 3.7: are there already specific requirements for the use of electronic
    signatures in the public sector?
       The only specific requirements are those affecting the National Health Service through the Section
       8 orders mentioned above. However, by virtue of section 7 of the ECA, the public sector will be as
       obliged as the private to be aware of the legal status of electronic signatures.

       It is the government’s policy for all public services to be provided online by 2005 so there are likely
       to be further developments in the use of electronic signatures in this area.


12. Some information about your national market of certification services: major players, well-
    known projects, etc. and a general idea of what will happen next in your country?
       We have consulted with our colleagues in PwC in London specialising in this area. In their opinion
       there is likely to be be slow but steady growth in the take-up of digital certification services. This will
       result in consolidation in the market, as shown by Viacode voluntarily shutting down operations at
       the end of Aug 2002, even though it was considered to be a major player in the market.
       Niche players are likely to have more success than their mainstream counterparts due to specific
       channels they have chosen to target.
       The tScheme (see above) should have a positive influence as it will add self regulatory discipline to
       the market and raise the level of awareness and maturity that trust service providers should be
       associated with.




       60
Contact details



       Interdisciplinary Centre for Law and Information Technology, K.U.Leuven

           Prof. Dr. Jos Dumortier
           www.icri.be
           Tiensestraat 41, 3000 Leuven, Belgium


       Landwell (Bogaert & Vandemeulebroeke)

           Patrick Van Eecke
           www.landwell.be
           Woluwedal 20, 1932 St Stevens Woluwe, Belgium


       Landwell Global

           www.landwellglobal.com




                                                                                 61

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:0
posted:11/4/2012
language:Latin
pages:61