Activities of Amelia ANDERSDOTTER related to 2012/0146(COD)
Plenary speeches (1)
European single market for electronic communications - Measures to reduce the cost of deploying high-speed electronic communications networks - Electronic identification and trust services for electronic transactions in the internal market (debate)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market
Amendments (145)
Amendment 51
Proposal for a regulation
Recital 1
(1) Building trust in the online environment is key to economic and social development. Lack of trust, in particular because of a perceived lack of legal certainty, makes consumers, businesses and administrations hesitate to carry out transactions electronically and to adopt new services.
Amendment 52
Proposal for a regulation
Recital 2
(2) This Regulation seeks to enhance trust in electronic transactions in the internal market by [deleted: enabling secure and seamless] providing a common foundation for legally secure electronic interactions to take place between businesses, citizens and public authorities, thereby increasing the effectiveness of public and private online services, electronic business and electronic commerce in the Union.
Amendment 53
Proposal for a regulation
Recital 3
(3) Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, essentially covered electronic signatures without delivering a comprehensive cross-border and cross-sector framework for secure, trustworthy and easy-to-use electronic transactions. This Regulation [deleted: enhances and expands the acquis of the Directive] addresses these lacunae.
Amendment 54
Proposal for a regulation
Recital 5
(5) The European Council invited the Commission to create a digital single market by 2015 to make rapid progress in key areas of the digital economy and to promote a fully integrated digital single market by facilitating the cross-border use of online services, with particular attention to facilitating secure electronic [deleted: identification and authentication] authentication and identification.
Amendment 55
Proposal for a regulation
Recital 6
(6) The Council invited the Commission to contribute to the digital single market by creating appropriate conditions for the mutual recognition of key enablers across borders, such as electronic authentication or identification, electronic documents, electronic signatures and electronic delivery services, and for interoperable eGovernment services across the European Union.
Amendment 56
Proposal for a regulation
Recital 7 a (new)
(7a) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)[1] calls on the Commission to adopt measures where required to ensure that terminal equipment is constructed in a way that is compatible with the right of users to protect and control the use of their personal data, in accordance with Directive 1999/5/EC of the European Parliament and of the Council of 9 March 1999 on radio equipment and telecommunications terminal equipment and the mutual recognition of their conformity[2] and Council Decision 87/95/EEC of 22 December 1986 on standardisation in the field of information technology and communications[3]. The European multi-stakeholder platform on ICT standardisation established through Commission Decision of 28 November 2011 setting up the European multi-stakeholder platform on ICT standardisation[4] further seems a plausible agent to use for such purposes to the extent that data protection authorities and the European Data Protection Board are adequately resourced to participate in standardisation procedures which relate to information and communication technologies dealing with personal data as defined in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data[5].
_________________
[1] OJ L 201, 31.7.2002, p. 37.
[2] OJ L 91, 7.4.1999, p. 10.
[3] OJ L 36, 7.2.1987, p. 31.
[4] OJ C 349, 30.11.2011, p. 4.
[5] OJ L 281, 23.11.1995, p. 31.
Amendment 57
Proposal for a regulation
Recital 8
(8) Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market requests Member States to establish 'points of single contact' (PSC) to ensure that all procedures and formalities relating to access to a service activity [deleted: and to the exercise thereof] and in particular in relation to transactions can be easily completed, at a distance and by electronic means, for the appropriate services through the appropriate point of single contact and with the appropriate authorities. Many online services accessible through PSCs require electronic identification, authentication and signature.
Amendment 58
Proposal for a regulation
Recital 9
(9) In most cases service providers from another Member State cannot use their electronic authentication or identification to access these services because the national electronic authentication or identification schemes in their country are not recognised and accepted in other Member States. [deleted: This] An additional problem is that currently deployed systems do not allow for citizens and beneficiaries of these services to cultivate trust in the service provider by effective mutual authentication or identification. These electronic barriers exclude service providers from enjoying the full benefits of the internal market. Mutually recognized and accepted electronic authentication or identification means will facilitate cross-border provision of numerous services in the Internal Market and enable businesses to go cross-border without facing many obstacles in interactions with public authorities.
Amendment 59
Proposal for a regulation
Recital 12
(12) Member States should remain free to use or introduce means, for electronic authentication or identification purposes, for accessing online services. They should also be able to decide whether to involve the private sector in the provision of these means. Member States should not be obliged to notify their electronic identification schemes. The choice to either notify all, some or none of the electronic identification schemes used at national level to access at least public online services or specific services is up to the Member States.
Amendment 60
Proposal for a regulation
Recital 13
(13) Some conditions need to be set in the Regulation with regard to which electronic authentication or identification means have to be accepted and how the schemes should be notified. These should help Member States to build the necessary trust in each other's electronic identification schemes and to mutually recognise and accept electronic identification means falling under their notified schemes. The principle of mutual recognition and acceptance should apply if the notifying Member State meets the conditions of notification and the notification was published in the Official Journal of the European Union. However, the access to these online services and their final delivery to the applicant should be closely linked to the right to receive such services under the conditions set by national legislation.
Amendment 61
Proposal for a regulation
Recital 14
(14) Member States should be able to decide to involve the private sector in [deleted: the issuance of electronic identification means and to allow the private sector the use of electronic] issuing electronic authentication or identification means. Private sector parties should also be allowed to use electronic authentication and identification means under a notified scheme for authentication or identification purposes when needed for online services or electronic transactions. The possibility to use such electronic identification means would enable the private sector to rely on electronic identification and/or authentication already largely used in many Member States at least for public services and to make it easier for businesses and citizens to access their online services across borders. In order to facilitate the use of such electronic authentication or identification means across borders by the private sector, the authentication possibility provided by the Member States should be available to relying parties without discriminating between public [deleted: or] and private sector.
Amendment 62
Proposal for a regulation
Recital 15
(15) The cross border use of electronic identification means under a notified scheme requires Member States to cooperate in providing technical interoperability. [deleted: This rules out any specific national technical rules requiring non-national parties for instance to obtain specific hardware or software to verify and validate the notified electronic identification.] Technical requirements on users [deleted: , on the other hand,] stemming from the inherent specifications of whatever token is used (e.g. smartcards) are inevitable. Member states whose identification mechanisms rely on specific hardware or software to verify and validate the notified electronic identification must provide such certification tokens at no additional cost for Union principals who are not their nationals or residents.
Amendment 65
Proposal for a regulation
Recital 16
(16) Cooperation of Member States should serve the technical interoperability of the notified electronic authentication or identification schemes with a view to foster a high level of trust and security appropriate to the degree of risk. The exchange of information and the sharing of best practices between Member States with a view to their mutual recognition should help such cooperation.
Amendment 67
Proposal for a regulation
Recital 19
(19) Member States should remain free to define other types of trust services in addition to those making part of the closed list of trust services provided for in this Regulation, for the purpose of recognition at national level as qualified trust services. (This amendment applies throughout the text. Adopting it will necessitate corresponding changes throughout.)
Amendment 68
Proposal for a regulation
Recital 22
Amendment 71
Proposal for a regulation
Recital 24 a (new)
(24a) A trust service provider operates in a particularly sensitive environment where many other parties rely on the integrity of their services. In particular, it is presumed by its customers that they are always trustworthy. Therefore it is important that they avoid conflicts of interest. In the interest of good governance within the context of electronic signatures and electronic identification, trust service providers should not in general be operated or owned by entities providing services that require their trust services. Oversight shall be provided by a competent supervisory body.
Amendment 73
Proposal for a regulation
Recital 28
(28) All Member States should follow common essential supervision requirements to ensure a comparable security level of qualified trust services. To ease the consistent application of these requirements across the Union, Member States should adopt comparable procedures and should exchange information on their supervision activities and best practices in the field.
Amendment 75
Proposal for a regulation
Recital 31
(31) To enable the Commission and the Member States to assess the impact of this Regulation, supervisory bodies should be requested to provide statistics on and the use of qualified trust services.
Amendment 76
Proposal for a regulation
Recital 33
(33) To ensure sustainability and durability of qualified trust services with clearly public missions and to boost users' confidence in the continuity of qualified trust services, supervisory bodies should ensure that the data of [deleted: qualified] such trust service providers are preserved and kept accessible for an appropriate period of time even if [deleted: a qualified] such a trust service provider ceases to exist.
Amendment 78
Proposal for a regulation
Recital 34
(34) To facilitate the supervision of qualified trust services providers, for example when a provider is providing its services in the territory of another Member State and is not subject to supervision there, or when the computers of a provider are located in the territory of another Member State than the one where it is established, a mutual assistance system between supervisory bodies in the Member States should be set up.
Amendment 79
Proposal for a regulation
Recital 35
(35) It is the responsibility of trust service providers to meet the requirements set out in this Regulation for the provisioning of trust services, in particular for qualified trust services. Supervisory bodies have the responsibility to supervise [deleted: how] that trust service providers meet these requirements.
Amendment 80
Proposal for a regulation
Recital 36
(36) In order to allow an efficient initiation process, which should lead to the inclusion of qualified trust service providers and the qualified trust services they provide into trusted lists, preliminary interactions between prospective qualified trust service providers and the competent supervisory body should be encouraged with the view of facilitating the due diligence leading to the provisioning of qualified trust services.
Amendment 81
Proposal for a regulation
Recital 37
Amendment 82
Proposal for a regulation
Recital 38
(38) Once it has been subject to a notification, a qualified trust service cannot be refused for the fulfilment of an administrative procedure or formality by the concerned public sector body, for not being included in the trusted lists established by the Member States. For the present purpose a public sector body refers to any public authority or other entity entrusted with the provision of eGovernment services such as online tax declaration, request for birth certificates, participation to electronic public procurement procedures, etc.
Amendment 83
Proposal for a regulation
Recital 38 a (new)
Amendment 84
Proposal for a regulation
Recital 40
(40) It should be possible to entrust qualified electronic signature creation devices to the care of a third party by the signatory, provided that appropriate mechanisms and procedures are implemented to ensure that the signatory has sole control over the use of his electronic signature creation data, and the qualified signature requirements are met by the use of the device.
Amendment 85
Proposal for a regulation
Recital 41
(41) To ensure legal certainty on the validity of the signature it is essential to detail which components of [deleted: a qualified] an electronic signature must be assessed by the relying party carrying out the validation. Moreover, defining the requirements of qualified trust service providers that can provide a qualified validation service to relying parties not willing or unable to carry out themselves the validation of qualified electronic signatures, should stimulate the private or public sector to invest in such services. Both elements should make qualified electronic signature validation easy and convenient for all parties at Union level.
Amendment 86
Proposal for a regulation
Recital 42
Amendment 87
Proposal for a regulation
Recital 43
Amendment 89
Proposal for a regulation
Recital 44
Amendment 90
Proposal for a regulation
Recital 46
Amendment 91
Proposal for a regulation
Recital 47
Amendment 92
Proposal for a regulation
Recital 49
Amendment 94
Proposal for a regulation
Recital 53
(53) To ensure legal certainty to the market operators already using qualified certificates issued in compliance with Directive 1999/93/EC, it is necessary to provide for a sufficient period of time for transitional purposes. It is also necessary to provide the Commission with the means to adopt the implementing acts and delegated acts before that date.
Amendment 95
Proposal for a regulation
Article 1 – paragraph 1
1. This Regulation lays down rules for certain electronic authentication or identification and electronic trust services for electronic transactions with a view to ensuring the proper functioning of the internal market.
Amendment 97
Proposal for a regulation
Article 1 – paragraph 2
2. This Regulation lays down the conditions under which Member States shall recognise and accept electronic authentication or identification means [deleted: of] for natural and legal persons falling under a notified electronic authentication or identification scheme of another Member State.
Amendment 98
Proposal for a regulation
Article 1 – paragraph 3
3. This Regulation establishes a legal framework for certain electronic signatures, electronic seals, electronic time stamps, electronic documents, [deleted: electronic delivery] associated trust services and [deleted: website] the authentication of certain aspects of networked services.
Amendment 103
Proposal for a regulation
Article 2 – paragraph 1
1. This Regulation applies to electronic authentication and identification provided by, on behalf or under the responsibility of Member States and to the associated trust service providers established in the Union.
Amendment 108
Proposal for a regulation
Article 3 – point 1
(1) ‘electronic identification’ means [deleted: the process of using person] an electronic authentication using identification data in electronic form unambiguously representing a natural or legal person where: (a) the identification data can only be used by the relying party for identifying the person if specified conditions are met (conditional electronic identification) or (b) the identification data can be used by the relying party for identifying the person (unconditional electronic identification);
Amendment 111
Proposal for a regulation
Article 3 – point 1 a (new)
(1a) 'transaction' means a session or contact between the person and a relying party;
Amendment 112
Proposal for a regulation
Article 3 – point 1 b (new)
(1b) 'unlinkable electronic authentication' means a process of using data in electronic form on attributes of a natural or legal person where the provided attributes and additionally available information do not allow the transaction to be linked to a person or any other transaction;
Amendment 113
Proposal for a regulation
Article 3 – point 1 c (new)
(1c) 'context specific electronic authentication' means the process of using data in electronic form on personal attributes of a natural or legal person where the provided attributes allow verification that the same person has electronically authenticated in the same context on a previous transaction;
Amendment 114
Proposal for a regulation
Article 3 – point 2
(2) 'electronic [deleted: identification] authentication means' means a material or immaterial unit containing data as referred to in point 1a of this Article, and which is used to access services online as referred to in Article 5; (This amendment applies throughout the text. Adopting it will necessitate corresponding changes throughout.)
Amendment 115
Proposal for a regulation
Article 3 – point 3
(3) 'electronic [deleted: identification] authentication scheme' means a system for electronic [deleted: identification] authentication under which electronic [deleted: identification] authentication means are issued to persons as referred to in point 1 of this Article; (This amendment applies throughout the text. Adopting it will necessitate corresponding changes throughout.)
Amendment 116
Proposal for a regulation
Article 3 – point 4
(4) '[deleted: authentication] electronic validation' means an electronic process that allows the validation of the electronic [deleted: identification] authentication of a natural or legal person; or of the origin and integrity of an electronic data;
Amendment 117
Proposal for a regulation
Article 3 – point 4 a (new)
(4a) 'identification data' means any set of attributes the knowledge of which specifies a single physical person, e.g. the combination of name and residential address or name and date of birth or any information leading to such, e.g. a passport number or unique person number;
Amendment 118
Proposal for a regulation
Article 3 – point 4 b (new)
(4b) 'issuer' means an entity that vouches for the validity of one or more attributes of a person, by issuing an electronic identification means to a holder;
Amendment 119
Proposal for a regulation
Article 3 – point 4 c (new)
(4c) 'validation service' means the entity responsible for an authentication possibility ensured by a notifying Member State according to point (d) of Article 6(1);
Amendment 120
Proposal for a regulation
Article 3 – point 4 d (new)
(4d) 'holder' means a natural or legal person to whom an electronic authentication means is issued;
Amendment 121
Proposal for a regulation
Article 3 – point 4 e (new)
(4e) 'relying party' means a natural or legal person to whom the holder of an electronic authentication means verifies attributes;
Amendment 124
Proposal for a regulation
Article 3 – point 8
Amendment 126
Proposal for a regulation
Article 3 – point 11
Amendment 128
Proposal for a regulation
Article 3 – point 13
Amendment 129
Proposal for a regulation
Article 3 – point 14
(14) 'trust service provider' means a natural or a legal person who provides one or more trust services as defined in this regulation;
Amendment 130
Proposal for a regulation
Article 3 – point 15
Amendment 131
Proposal for a regulation
Article 3 – point 18
Amendment 132
Proposal for a regulation
Article 3 – point 21
Amendment 133
Proposal for a regulation
Article 3 – point 22
Amendment 134
Proposal for a regulation
Article 3 – point 24
Amendment 135
Proposal for a regulation
Article 3 – point 26
Amendment 136
Proposal for a regulation
Article 3 – point 29
Amendment 138
Proposal for a regulation
Article 3 – point 30
Amendment 140
Proposal for a regulation
Article 4 a (new)
Article 4a
Data processing and protection
1. Trust service providers, issuers, validation services, relying parties and supervisory bodies shall ensure fair and lawful processing in accordance with Directive 95/46/EC when processing personal data.
2. Trust service providers, issuers, validation services shall process personal data according to Directive 95/46/EC. Such processing shall be strictly limited to the minimum data needed to issue and maintain an eID or certificate, validate an electronic authentication or to provide a trust service.
3. Trust service providers, issuers, validation services shall guarantee the confidentiality and integrity of data related to a person to whom the eID is issued or the service is provided.
4. Without prejudice to the legal effect given to pseudonyms under national law, Member States shall not prevent issuers from indicating in electronic authentication means a pseudonym instead of or in addition to the holder's name or prevent trust service providers indicating in electronic signature certificates a pseudonym instead of the signatory's name.
5. Validation services must not collect or retain data beyond the extent necessary for the process of validation. Validation services must not profile signatories, relying parties or any other customers. Logs may be retained for the purpose of detecting fraud and intrusions but for no more than 90 days.
Amendment 142
Proposal for a regulation
Article 5
1. When an electronic [deleted: identification] authentication using an electronic [deleted: identification means and authentication] authentication means is required under national legislation or administrative practice to access a service online, a notified electronic authentication means of the same or higher assurance level issued in another Member State shall be recognised under national legislation or administrative practice to access a service of the same sector online. Additionally, any electronic [deleted: identification] authentication means issued in another Member State falling under a scheme included in the list published by the Commission pursuant to the procedure referred to in Article 7 shall be recognised and accepted for the purposes of accessing this service.
2. A Member State may limit recognition and acceptance of notified electronic authentication means to a specific sector or sectors.
3. A Member State may withdraw recognition and acceptance of electronic authentication means in the event of security compromise, including the issuance of certificates to impostors or a technical vulnerability in the mechanism.
Amendment 151
Proposal for a regulation
Article 6 – title
Conditions of notification of electronic authentication or identification schemes
Amendment 152
Proposal for a regulation
Article 6 – paragraph 1 – introductory part
1. Electronic authentication or identification schemes shall be eligible for notification pursuant to Article 7 if all the following conditions are met:
Amendment 156
Proposal for a regulation
Article 6 – paragraph 1 – point a
(a) the electronic authentication or identification means are issued by, on behalf of or under the responsibility of the notifying Member State;
Amendment 160
Proposal for a regulation
Article 6 – paragraph 1 – point b
(b) the electronic authentication or identification means can be used to access at least public services requiring electronic identification in the notifying Member State;
Amendment 163
Proposal for a regulation
Article 6 – paragraph 1 – point c
(c) the notifying Member State ensures that [deleted: the person identification data are attributed unambiguously to] there is a mechanism to establish that authenticating data unambiguously verify the desired credentials of the natural or legal person referred to in Article 3 point 1;
Amendment 166
Proposal for a regulation
Article 6 – paragraph 1 – point d
(d) the notifying Member State ensures the availability of an authentication possibility online, at any time and free of charge [deleted: so that any]. The notifying Member State ensures the availability of end-to-end authentication services online, available on the basis of open standards for the use of relying [deleted: party can] parties to validate the person authentication or identification data received in electronic form. Member States shall [deleted: not impose any specific technical requirements on relying parties established outside of their territory intending to carry out such authentication. When either the notified identification scheme or authentication possibility is breached or partly compromised,] make efforts to allow for unlinkable electronic authentication. For this Member States must either provide for an authentication possibility online or otherwise provide all necessary specifications and reference implementations for relying parties to verify an electronic authentication or an electronic identification with proportionate effort. If a Member State becomes aware that a notified identification scheme or authentication possibility is breached or partly compromised, then regardless of whether that scheme or possibility is operated under its own responsibility or that of another Member State, it shall [deleted: suspend or revoke without delay] immediately notify the Commission and all other Member States of the security failure pursuant to Article 7. Member States shall suspend or revoke reliance on the notified identification scheme or authentication possibility or the compromised parts concerned [deleted: and inform the other Member States and the Commission pursuant to]; other affected parties shall be notified in accordance with the obligations laid out in Article [deleted: 7;] 15(2).
Amendment 170
Proposal for a regulation
Article 6 – paragraph 1 – point d a (new)
(da) validation services must provide at the discretion of the holder a signed or sealed proof of attributes selected by the holder. In case of an anonymous authentication the provided proof must not be linkable to the holder or to any other proof or personal attributes provided. In cases of context specific electronic authentication linkability is permissible only within the specific context;
Amendment 173
Proposal for a regulation
Article 6 – paragraph 1 – point e – point i
(i) [deleted: the unambiguous attribution of the person identification data referred to in point (c)] that the data provided for the electronic authentication means unambiguously verify the attributes of a single natural or legal person, and
Amendment 176
Proposal for a regulation
Article 7 – paragraph 1 – introductory part
1. Member States which notify an electronic authentication or identification scheme shall forward to the Commission the following information and without undue delay, any subsequent changes thereof:
Amendment 179
Proposal for a regulation
Article 7 – paragraph 1 – point a
(a) a description of the notified electronic authentication or identification scheme;
Amendment 180
Proposal for a regulation
Article 7 – paragraph 1 – point b
(b) the authorities responsible for the notified electronic authentication or identification scheme;
Amendment 183
Proposal for a regulation
Article 7 – paragraph 1 – point c
(c) information on by whom the registration of the [deleted: unambiguous person identifiers] appropriate attributes is managed;
Amendment 188
Proposal for a regulation
Article 7 – paragraph 1 – point e
(e) arrangements for suspension or revocation of either the notified [deleted: identification] authentication scheme or authentication possibility or the compromised parts concerned.
Amendment 189
Proposal for a regulation
Article 7 – paragraph 1 – point e a (new)
Amendment 198
Proposal for a regulation
Article 8 – paragraph 1
1. Member States shall cooperate in order to ensure the interoperability of electronic identification means falling under a notified scheme and to enhance their security. Interoperability standards shall be public together with the cryptographic algorithms, protocols and key management standards. All audit reports shall be published together with all breach notifications following the responsible disclosure period set out in Article 15(2).
Amendment 201
Proposal for a regulation
Article 8 – paragraph 2
2. The Commission shall, by means of implementing acts, establish the necessary modalities to facilitate the cooperation between the Member States and the publication and peer-review mechanisms referred to in paragraph 1 with a view to fostering a high level of trust and security appropriate to the degree of risk. Those implementing acts shall concern, in particular, the exchange of information, experiences and good practice on electronic identification schemes, the [deleted: peer review] independent, third-party auditing of notified electronic identification schemes and the examination of relevant developments arising in the electronic identification sector by the competent authorities of the Member States. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).
Or. en (See also Article 7(1)(f)(new))
Amendment 202 #
Proposal for a regulation
Article 8 – paragraph 3
Article 8 – paragraph 3
Amendment 206 #
Proposal for a regulation
Article 9 – paragraph 1
Article 9 – paragraph 1
1. A trust service provider shall be liable for any direct damage caused to any natural or legal person due to failure to comply with the obligations laid down in Article 15(1), unless the trust service provider can prove that he has not acted negligently.or where it by operational or technical failure issues a certificate or other authentication credential incorrectly, whether by issuing a certificate or credential to the wrong person or by issuing a certificate or credential with incorrect attributes
Amendment 209 #
Proposal for a regulation
Article 9 – paragraph 2
Article 9 – paragraph 2
Amendment 220 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
1. Trust services and qualified certificates provided by qualified trust service providers established in a third country shall be accepted as qualified trust services and qualified certificates provided by a qualified trust service providers established in the territory of the Union if the qualified trust services or qualified certificates originating from the third country are recognised under an agreement between the Union and third countries or international organisations in accordance with Article 218 TFEU.
Amendment 222 #
Proposal for a regulation
Article 10 – paragraph 2
Article 10 – paragraph 2
2. With reference to paragraph 1, such agreements shall ensure that the requirements applicable to qualified trust services and qualified certificates provided by qualified trust service providers established in the territory of the Union are met by the trust service providers in the third countries or international organisations, especially with regard to the protection of personal data, security and supervision, including the requirement for openness set out in Article 8 and the liability requirement set out in Article 9.
Amendment 224 #
Proposal for a regulation
Article 11
Article 11
Amendment 228 #
Proposal for a regulation
Article 12 – title
Article 12 – title
Accessibility for persons with special needs
Amendment 229 #
Proposal for a regulation
Article 12
Article 12
Trust services provided and end user products used in the provision of those services shall be made accessible for persons with special needs whenever possible.
Amendment 242 #
Proposal for a regulation
Article 13 – paragraph 2 – point b
Article 13 – paragraph 2 – point b
(b) undertaking supervision of qualified trust service providers established in the territory of the designating Member State and of the qualified trust services they provide in order to ensure that they and the qualified trust services provided by them meet the applicable requirements laid down in this Regulation;
Amendment 244 #
Proposal for a regulation
Article 13 – paragraph 2 – point c
Article 13 – paragraph 2 – point c
Amendment 248 #
Proposal for a regulation
Article 13 – paragraph 3 – introductory part
Article 13 – paragraph 3 – introductory part
3. Each supervisory body shall publish a yearly report on the last calendar year's supervisory activities to the Commission and Member States by the end of the first quarter of the following year. It shall include at least:
Amendment 251 #
Proposal for a regulation
Article 13 – paragraph 3 – point b
Article 13 – paragraph 3 – point b
(b) all breach notifications received from trust service providers in accordance with Article 15(2);
Amendment 257 #
Proposal for a regulation
Article 13 – paragraph 4
Article 13 – paragraph 4
4. Member States shall publish the names and the addresses of their respective designated supervisory bodies.
Amendment 265 #
Proposal for a regulation
Article 14 – paragraph 2 – point a
Article 14 – paragraph 2 – point a
(a) It is not in possession of the required expertise to deal with the request; or
Amendment 274 #
Proposal for a regulation
Article 15 – paragraph 1 – subparagraph 1
Article 15 – paragraph 1 – subparagraph 1
Trust service providers who are established in the territory of the Union shall take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide. Having regard to state of the art, these measures shall ensure that the level of security is appropriate to the degree of risk. Measures shall be taken to prevent and minimise the impact of security incidents and to inform stakeholders, including both signatories and relying parties, of all security breaches that might affect them. Trust service providers must also take, at their own costs, appropriate and immediate measures to remedy any new, unforeseen security risks and restore the normal security level of the service.
Amendment 280 #
Proposal for a regulation
Article 15 – paragraph 1 – subparagraph 2
Article 15 – paragraph 1 – subparagraph 2
Without prejudice to Article 16(1), any trust service provider shall publish the report of a security audit carried out by an independent body whose competence to carry out the audit has been demonstrated to confirm that appropriate security measures have been taken. Or. en (See also amendment to article 15(1), subparagraph 1.)
Amendment 282 #
Proposal for a regulation
Article 15 – paragraph 2 – subparagraph 1
Article 15 – paragraph 2 – subparagraph 1
In case of a breach of the security of the network, the provider of a trust service must inform both signatories and relying parties and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved. Trust service providers shall, without undue delay and where feasible not later than 24 hours after having become aware of it, notify, the competent supervisory body, the competent national body for information security and other relevant third parties such as, where personal data is involved in the incident, the data protection authorities of any breach of security or loss of integrity that has an impact on the trust service provided and on the personal data maintained therein. They shall notify not just security breaches in their own systems but any security breaches they observe in the systems of other trust service providers.
Amendment 288 #
Proposal for a regulation
Article 15 – paragraph 2 – subparagraph 3
Article 15 – paragraph 2 – subparagraph 3
The supervisory body concerned shall also inform the public or require the trust service provider to do so, where it determines that disclosure of the breach is in the public interest. Publication shall normally be as soon as reasonably practical; however the trust service provider may request a delay so that vulnerabilities can be fixed. If the supervisory body grants this, it may be for no longer than 45 days and the trust service provider must agree to indemnify all relying parties, wherever in the world they are located, against losses directly arising from the delay in notification.
Amendment 295 #
Proposal for a regulation
Article 15 – paragraph 4
Article 15 – paragraph 4
4. In order to implement paragraphs 1 and 2, the competent supervisory body shall have the power to issue binding instructions to trust service providers. All such instructions must be published.
Amendment 297 #
Proposal for a regulation
Article 15 – paragraph 4 a (new)
Article 15 – paragraph 4 a (new)
4a. If the provisions laid down in this article are not sufficiently implementable in a particular technological context, the Commission or any other stakeholder may request a clarification through the mechanism for adoption of technological requirements laid out in Chapter IIIa.
Amendment 298 #
Proposal for a regulation
Article 15 – paragraph 5
Article 15 – paragraph 5
Amendment 301 #
Proposal for a regulation
Article 15 – paragraph 6
Article 15 – paragraph 6
Amendment 304 #
Proposal for a regulation
Article 16 – paragraph 1
Article 16 – paragraph 1
1. Trust service providers shall be audited once a year by an independent body whose competence to carry out the audit has been demonstrated to confirm that they and the qualified trust services provided by them fulfil the requirements set out in this Regulation, and shall make the resulting security audit report public and transmit it to the supervisory body. In the event that the audit may contain confidential business information, the publication of sensitive sections may be delayed by the supervisory body, but for no more than one year.
Amendment 311 #
Proposal for a regulation
Article 16 – paragraph 2
Article 16 – paragraph 2
2. Without prejudice to paragraph 1, the supervisory body may at any time audit the qualified trust service providers to confirm that they and the qualified trust services provided by them still meet the conditions set out in this Regulation, either on its own initiative or in response to a request from the Commission. The trust service provider shall inform the data protection authorities of the results of its audits, in case personal data protection rules appear to have been breached.
Amendment 314 #
Proposal for a regulation
Article 16 – paragraph 3
Article 16 – paragraph 3
3. The supervisory body shall have the power to issue binding instructions to qualified trust service providers to remedy any failure to fulfil the requirements indicated in the security audit report. Such instructions shall be published.
Amendment 315 #
Proposal for a regulation
Article 16 – paragraph 4
Article 16 – paragraph 4
Amendment 317 #
Proposal for a regulation
Article 16 – paragraph 5
Article 16 – paragraph 5
Amendment 318 #
Proposal for a regulation
Article 16 – paragraph 6
Article 16 – paragraph 6
Amendment 320 #
Proposal for a regulation
Article 17
Article 17
Amendment 337 #
Proposal for a regulation
Article 18
Article 18
Amendment 341 #
Proposal for a regulation
Article 19
Article 19
Amendment 356 #
Proposal for a regulation
Article 20 – paragraph 2
Article 20 – paragraph 2
2. An electronic signature shall have the equivalent legal effect of a handwritten signature. In particular, a forged signature shall be null and void. The risk of determining whether a signature is forged shall fall on the relying party.
Amendment 361 #
Proposal for a regulation
Article 20 – paragraph 3
Article 20 – paragraph 3
Amendment 362 #
Proposal for a regulation
Article 20 – paragraph 4
Article 20 – paragraph 4
Amendment 364 #
Proposal for a regulation
Article 20 – paragraph 5
Article 20 – paragraph 5
Amendment 366 #
Proposal for a regulation
Article 20 – paragraph 6
Article 20 – paragraph 6
Amendment 367 #
Proposal for a regulation
Article 20 – paragraph 7
Article 20 – paragraph 7
Amendment 370 #
Proposal for a regulation
Article 21
Article 21
Amendment 375 #
Proposal for a regulation
Article 22
Article 22
Amendment 378 #
Proposal for a regulation
Article 23 – paragraph 1
Article 23 – paragraph 1
1. Electronic signature creation devices may be certified by appropriate public or private bodies designated by Member States provided that they have been submitted to a security evaluation process carried out in accordance with one of the standards for the security assessment of information technology products included in a list that shall be established by the Commission by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.
Amendment 379 #
Proposal for a regulation
Article 24 – title
Article 24 – title
Publication of a list of certified qualified electronic signature creation devices
Amendment 380 #
Proposal for a regulation
Article 24 – paragraph 1
Article 24 – paragraph 1
1. Member States shall notify to the Commission without undue delay, information on qualified electronic signature creation devices which have been certified by the bodies referred to in Article 23. They shall also notify to the Commission, without undue delay, information on electronic signature creation devices that would no longer be certified.
Amendment 382 #
Proposal for a regulation
Article 24 – paragraph 2
Article 24 – paragraph 2
2. On the basis of the information received, the Commission shall establish, publish and maintain a list of certified qualified electronic signature creation devices.
Amendment 383 #
Proposal for a regulation
Article 24 – paragraph 3
Article 24 – paragraph 3
Amendment 384 #
Proposal for a regulation
Article 25
Article 25
Amendment 386 #
Proposal for a regulation
Article 26
Article 26
Amendment 389 #
Proposal for a regulation
Article 27
Article 27
Amendment 391 #
Proposal for a regulation
Article 28
Article 28
Amendment 400 #
Proposal for a regulation
Article 29
Article 29
Amendment 407 #
Proposal for a regulation
Article 30
Article 30
Amendment 411 #
Proposal for a regulation
Article 31
Article 31
Amendment 413 #
Proposal for a regulation
Article 32
Article 32
Amendment 414 #
Proposal for a regulation
Article 33
Article 33
Amendment 417 #
Proposal for a regulation
Article 34
Article 34
Amendment 423 #
Proposal for a regulation
Article 35
Article 35
Amendment 424 #
Proposal for a regulation
Article 36
Article 36
Amendment 426 #
Proposal for a regulation
Article 37
Article 37
Amendment 429 #
Proposal for a regulation
Chapter III a (new)
Chapter III a (new)
Chapter IIIa
Standardisation
Article 37a
Mechanism for adoption of technological requirements
(1) Where provisions of this Regulation can be implemented only by requiring specific technical features in electronic authentication or identification schemes, Member States shall inform the Commission in accordance with the procedure provided for by Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on information society services.
(2) The elaboration of technical requirements, specifications and standards shall further be subjected to the review mechanisms incorporated in Directive 1999/5/EC and Council Decision 87/95/EEC of 22 December 1986 on standardisation in the field of information technology and communications.
Amendment 431 #
Proposal for a regulation
Article 38 – paragraph 2
Article 38 – paragraph 2
2. The power to adopt delegated acts referred to in Articles 13(5) and 15(5) shall be conferred on the Commission for an indeterminate period of time from the entry into force of this Regulation.
Amendment 432 #
Proposal for a regulation
Article 38 – paragraph 3
Article 38 – paragraph 3
3. The delegation of power referred to in Articles 13(5) and 15(5) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
Amendment 438 #
Proposal for a regulation
Article 41 – paragraph 4
Article 41 – paragraph 4
4. Certificates issued under Directive 1999/93/EC shall be considered as qualified certificates for electronic signatures under this Regulation until they expire, but for no more than five years from the entry into force of this Regulation.
Amendment 439 #
Proposal for a regulation
Annex I
Annex I
Annex deleted
Amendment 442 #
Proposal for a regulation
Annex II
Annex II
Annex deleted
Amendment 443 #
Proposal for a regulation
Annex III
Annex III
Annex deleted
Amendment 445 #
Proposal for a regulation
Annex IV
Annex IV
Annex deleted