The European Parliament adopted by 534 votes to 76, with 17 abstentions, a legislative resolution on electronic identification and trust services for electronic transactions in the internal market. Parliament adopted its position at first reading following the ordinary legislative procedure. The amendments adopted in plenary are the result of an agreement negotiated between the European Parliament and the Council. They amend the proposal as follows: Purpose: the Regulation seeks to enhance trust in electronic transactions in the internal market by providing a common foundation for secure electronic interaction between businesses, citizens and public authorities, thereby increasing the effectiveness of public and private online services, electronic business and electronic commerce in the Union. A “trust service” means an electronic service normally provided for remuneration which consists in: ·        the creation, verification, and validation of electronic signatures , electronic seals or electronic time stamps, electronic registered delivery services and certificates related to these services or ·        the creation, verification and validation of certificates for website authentication or ·        the preservation of electronic signatures, seals or certificates related to these services. Scope: this Regulation should apply to electronic identification schemes notified by Member States, and to trust service providers established in the Union. This Regulation does not apply to the provision of trust services used exclusively within closed systems resulting from national legislation or from agreements between a defined set of participants. This Regulation should be applied in full compliance with the principles relating to the protection of personal data provided for in Directive 95/46/EC. Mutual recognition: electronic identification systems notified according to the Regulation should specify the assurance levels“low”, “substantial” and/or “high” for electronic identification means issued. The obligation to recognise electronic identification means should only apply when the public sector body in question uses the assurance level “substantial” or “high in relation to accessing that service online. Notification of electronic identification systems: systems notified by the Member States should be accompanied by, among other things, the following information: (i) a description of the notified electronic identification scheme, including its assurance levels and the issuer(s) of electronic identification means under that scheme; (ii) the applicable supervisory regime and information on liability regime with respect to the party issuing the electronic identification means, and the party operating the authentication procedure; (iii) information on the entity or entities which manage the registration of the unique person identification data. Security breach: when either the electronic identification scheme notified or the authentication is breached or partly compromised in a manner that affects the reliability of the cross border authentication of that scheme, the notifying Member State should suspend or revoke without delay that cross border authentication or the compromised parts concerned and inform other Member States and the Commission. Liability: Parliament and the Council introduced a new provision whereby the notifying Member State, the party issuing the electronic identification means, as well as the party operating the authentication procedure, would be liable for damage caused intentionally or negligently to any natural or legal person for failing in a cross border transaction to comply with its obligations under the Regulation. The intention or negligence of a qualified trust service provider should be presumed unless he proves that the damage occurred without the intention or negligence on his part. Cooperation and interoperability: the national electronic identification schemes notified should be interoperable. The interoperability framework should aim to be technology neutral and should not discriminate between any specific national technical solutions for electronic identification within the Member State. Member States should cooperate as regards the interoperability of electronic identification systems and the security of electronic identification systems. Third country trust service providers: according to the amended text, trust services provided by trust service providers established in a third country should be recognised as legally equivalent to qualified trust services provided by qualified trust service providers established in the Union if the trust services originating from the third country are recognised under an agreement concluded between the Union and third countries or international organisations. Accessibility for persons with disabilities: where feasible, trust services provided and end-user products used in the provision of those services should be made accessible for persons with disabilities Supervisory body: Member States should designate a supervisory body or supervisory bodies to carry out the supervisory activities under this Regulation. Member States should be also able to decide, upon a mutual agreement with another Member State, to designate a supervisory body in the territory of that other Member State. Supervisory bodies should cooperate with data protection authorities, for example by informing them about the results of audits of qualified trust service providers, where personal data protection rules appear to have been breached. Supervision of qualified trust service providers: qualified trust service providers should be audited, at least every 24 months, at their own expense by a conformity assessment body. EU trust mark:  an EU trust mark should be created to identify the qualified trust services provided by qualified trust services providers. The use of an EU trust mark by qualified trust service providers should be voluntary and should not lead to any other requirement than those already provided for in this Regulation. By 1 July 2015, the Commission should, by means of implementing acts, lay down specification relating to the form and in particular the presentation, composition, size and design of the EU trust mark for qualified trust services.

The Committee on Industry, Research and Energy adopted the report by Marita ULVSKOG (S&D, SE) on the proposal for a regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market. The committee recommended that the position of the European Parliament adopted in first reading following the ordinary legislative procedure should amend the Commission proposal as follows: Scope: this Regulation should apply to notified electronic identification schemes mandated, recognised or issued by or on behalf of Member Sates, and to trust service providers established in the Union. It should also apply to both qualified and non-qualified trust service providers established in the Union. Electronic identification systems: Member States which notify an electronic identification scheme shall forward to the Commission the following information and without undue delay, any subsequent changes thereof: (i) a description of the notified electronic identification scheme and its security assurance level; (ii) information on which entity or entities manage the registration of the appropriate attributes identifiers; (iii) a description of how the requirements of the interoperability framework are met; (iv) a description of the authentication possibility and any technical requirements imposed on relying parties. Security breach: where there is a breach of security that would affect the reliability of that scheme for cross-border transactions, the notifying Member State shall without undue delay suspend or revoke the cross-border function of that electronic identification scheme or that authentication possibility or the compromised parts concerned and inform other Member States and the Commission thereof. Liability: the amended text introduced a new provision providing that the notifying Member State shall be liable for any damage caused to a natural or legal person which could reasonably be expected to arise under normal circumstances as a result of its failure to comply with this Regulation, unless it can show that it has acted with due diligence. Coordination and interoperability: Member States and the Commission shall in particular prioritize interoperability for e-services with the greatest cross border relevance. The provisions intended to guarantee technical interoperability have to be technologically neutral so as not to interfere with the options favoured by Member States when developing their national electronic identification and authentication schemes. Liability of qualified trust service providers: Members took the view that only qualified trust service providers should be subject to the liability scheme, as in Directive 1999/93/EC. Non-qualified service providers should be covered by the general scheme of civil and contractual liability defined in the national law of each Member State.</Amend> Qualified trust services providers from third countries: Members wished to refer to the provision of EU personal data protection law which specifies the adequacy of the level of protection afforded by a third country. Processing of personal data: processing of personal data might be necessary in case of a breach or in order to take appropriate counter measures and should be applied where this is absolutely necessary and be a "legitimate interest" under the Data Protection Directive and thus be lawful. Disabled persons: trust services provided and end user products used in the provision of those services shall be made accessible for persons with disabilities in accordance with Union law. Supervisory body: the designated supervisory body, its addresses and the names of responsible persons shall be communicated to the Commission. Supervisory bodies shall be given adequate resources necessary for the exercise of their tasks. Supervision of trust service providers: qualified trust service providers shall be audited annually by an independent body whose competence to carry out the audit has been demonstrated to confirm that they and the qualified trust services provided by them fulfil the requirements set out in this Regulation, and shall submit the resulting compliance audit report to the supervisory body. Such audit shall also be carried out following any significant technological or organizational changes. If, after three years, the annual audit reports raise no concerns, the audits shall be carried out every two years only. ‘EU’ qualified trustmark: Members introduced the possibility for qualified trust service providers to use an EU trustmark to present and advertise the qualified trust services which they offer that meet the requirements laid down in this Regulation. Parliament already called for the creation of a trustmark in its resolution of 11 December 2012 on completing the Digital Single Market. Electronic documents: Members stated that an electronic document shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic format. A document bearing a qualified electronic signature or a qualified electronic seal, shall have the equivalent legal effect of a paper document bearing a handwritten signature or a physical seal, where this exists under national law, provided the document does not contain any dynamic features capable of automatically changing the document. Implementing measures and delegated acts: the proposed Regulation empowers the Commission in many provisions to adopt delegated acts or implementing measures. Members have reservations to an approach that relies upon acts and measures so heavily. They proposed amendments that will restrict the proposed acts strictly to technical implementation of the legal act in question in a uniform manner.

The Council took note of progress made on a proposed Regulation intended to enhance trust in electronic transactions by setting up a legal framework for electronic identification and other electronic trust services in the internal market. Work on this technically complex draft legislation under the Irish Presidency focused primarily on electronic identification and, to a lesser extent, trust services. One key issue is that of assurance levels for electronic identification, which are required so that electronic means of identification issued in another Member State can be recognised. While a number of delegations favour the principle of matching levels as a basis for recognition, other delegations would prefer to have the required assurance levels set out in the Regulation. There is, however, broad support amongst delegations for a number of general principles regarding electronic identification: initial limitation on services provided by the public sector; ensuring interoperability between national identification infrastructures; technological neutrality; and the need for security breaches to be addressed. A considerable number of other issues will also require further discussion, including: liability with respect to electronic identification and trust services; treatment of trust service providers from third countries; supervision of trust service providers; the effect of certain provisions concerning electronic signatures and electronic seals on national and procedural law; the concept of "electronic document" and the appropriateness of covering electronic documents in this piece of legislation; clarification of definitions; the use of "delegated acts" empowering the Commission to adopt related legal acts on non-essential technical aspects of the Regulation; the deadline for the entry into force of the Regulation.

The Commission presented to ministers a new draft regulation to enable cross-border and secure electronic transactions in the EU, adopted on 4 June 2012. The draft regulation: lays down rules for electronic identification and electronic trust services for electronic transactions with a view to ensuring the proper functioning of the internal market; establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services and website authentication; contribute to building trust and confidence in the on-line market for goods and services and therefore to the completion of the internal market and growth.

PURPOSE: to enhance trust in electronic transactions in the internal market and ensure the mutual recognition of electronic identification, authentication, signatures and other trust services across borders. PROPOSED ACT: Regulation of the European Parliament and of the Council. BACKGROUND: building trust in the online environment is key to economic development. The existing EU legislation, namely Directive 1999/93/EC on a Community framework for electronic signatures, essentially covers electronic signatures only. There is no comprehensive EU cross-border and cross-sector framework for secure, trustworthy and easy-to-use electronic transactions that encompasses electronic identification, authentication and signatures. The Digital Agenda for Europe identifies existing barriers to Europe’s digital development and proposes legislation on e-signatures and the mutual recognition of eIdentification and authentication, establishing a clear legal framework so as to eliminate fragmentation and the lack of interoperability, enhance digital citizenship and prevent cybercrime. Legislation ensuring the mutual recognition of electronic identification and authentication across the EU is also a key action in the Single Market Act, as well as the Roadmap for Stability and Growth. The European Parliament stressed the importance of the security of electronic services, especially of electronic signatures, and of the need to create a public key infrastructure at pan-European level, and called on the Commission to set up a European validation authorities gateway to ensure the cross-border interoperability of electronic signatures and to increase the security of transactions carried out using the internet. The aim of this proposal is to enhance existing legislation and to expand it to cover the mutual recognition and acceptance at EU level of notified electronic identification schemes and other essential related electronic trust services. IMPACT ASSESSMENT: three sets of policy options were assessed, dealing respectively with (1) the scope of the new framework, (2) the legal instrument and (3) the level of supervision required. The preferred policy option proved to be enhancing legal certainty, boosting coordination of national supervision, ensuring mutual recognition and acceptance of electronic identification schemes and incorporating essential related trust services. The impact assessment concluded that doing this would lead to considerable improvements to legal certainty, security and trust in terms of cross-border electronic transactions, resulting in less fragmentation of the market. LEGAL BASIS: Article 114 of the Treaty on the Functioning of the European Union (TFEU). CONTENT: the proposed regulation seeks to enable secure and seamless electronic interactions between businesses, citizens and public authorities, thereby increasing the effectiveness of public and private online services, e-business and electronic commerce in the EU. The main points of the proposal are as follows: 1) Electronic identification: the proposal provides for the mutual recognition and acceptance of electronic identification means falling under a scheme, which will be notified, to the Commission on the conditions laid down in the Regulation. It does not oblige Member States to introduce or notify electronic identification schemes, but to recognise and accept notified electronic identifications for those online services where electronic identification is required to get access at national level. Electronic identification schemes shall be eligible for notification if all five of the following conditions are met: ·        the electronic identification means are issued by, on behalf of or under the responsibility of the notifying Member State; ·        the electronic identification means can be used to access at least public services requiring electronic identification in the notifying Member State; ·        Member States must ensure an unambiguous link between the electronic identification data and the person concerned; ·        the notifying Member State ensures the availability of an authentication possibility online, at any time and free of charge. No specific technical requirements, such as hardware or software can be imposed on the parties relying on such authentication; ·        Member States must accept liability for the unambiguity of the link (i.e. that the identification data attributed to the person are not linked to any other person) and the authentication possibility (i.e. the possibility to check the validity of the electronic identification data). The proposal also aims to ensure the technical interoperability of the notified identification schemes through a coordination approach, including delegated acts. 2) Trust services: the proposal sets out the principles relating to the liability of both non-qualified and qualified trust service providers. It builds on Directive 1999/93/EC and extends entitlement to compensation of damage caused by any negligent trust service provider for failure to comply with security good practices which result in a security breach which has a significant impact on the service. It also describes the mechanism for the recognition and acceptance of qualified trust services provided by a provider established in a third country. 3) Supervision: the proposal (i) requires Member States to establish supervisory bodies, clarifying and enlarging the remit of the latter with regard to both trust service providers and qualified trust service providers; (ii) introduces an explicit mechanism of mutual assistance between supervisory bodies in Member States to facilitate the cross-border supervision of trust service providers; (iii) introduces an obligation for both qualified and non-qualified trust service providers to implement appropriate technical and organisational measures for the security of their activities ; (iv) sets out the conditions for the supervision of qualified trust service providers and qualified trust services provided by them ; (v) provides for the establishment of trusted lists containing information on qualified trust service providers who are subject to supervision and to the qualified services they offer. 4) Electronic signature: the proposal enshrines the rules related to the legal effect of natural persons’ electronic signatures, introducing an explicit obligation to give to qualified electronic signatures the same legal effect as handwritten signatures. Furthermore, Member States must ensure the cross-border acceptance of qualified electronic signatures, in the context of the provision of public services. The proposal also sets out: the requirements for qualified signature certificates and the requirements for qualified electronic signature creation devices; the conditions for qualified validation services, and the condition for the long-term preservation of qualified electronic signatures. 5) Electronic seals: the provisions concern the legal effect of electronic seals of legal persons. A specific legal presumption is bestowed on a qualified electronic seal which guarantees the origin and integrity of electronic documents to which it is linked. 6) Electronic time stamp: a specific legal presumption is bestowed on qualified electronic time stamps with regard to the certainty of the time.  7) Electronic documents: there is a specific legal presumption of the authenticity and integrity of any electronic document signed with a qualified electronic signature or bearing a qualified electronic seal. With regard to the acceptance of electronic documents, when an original document or a certified copy is required for the provision of a public service, at the least electronic documents issued by the persons who are competent to issue the relevant documents and that are considered to be originals or certified copies in accordance with national law of the Member State of origin, shall be accepted in other Member States without additional requirements. 8) Website authentication: the proposal ensures that the authenticity of a website with respect to the owner of the site will be guaranteed. BUDGETARY IMPLICATION: EUR 9 408 million for the period 2014-2020 (human resources). The specific budgetary implications of the proposal relate to the tasks allocated to the European Commission. The proposal has no implications on operational expenditure. DELEGATED ACTS: the proposal contains provisions empowering the Commission to adopt delegated acts in accordance with Article 290 of the Treaty on the Functioning of the EU.