Activities of Sajjad KARIM related to 2012/0146(COD)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market
Amendments (131)
Amendment 57
Proposal for a regulation
Article 2 – paragraph 2
Amendment 70
Proposal for a regulation
Article 5
When an electronic identification using an electronic identification means and authentication is required under national legislation or administrative practice to access a public service online, any in one Member State, the electronic identification means issued in another Member State falling under a scheme, which is included in the list published by the Commission pursuant to the procedure referred to in Article 7 shall be recognised and accepted for the purposes ofArticle 7, shall be recognised in the first Member State for the purposes of accessing that service online, provided that those electronic identification means correspond to an identity assurance level equal to or higher than the identity assurance level required for accessing to thisat service online in the first Member State.
Amendment 71
Proposal for a regulation
Article 6 – paragraph 1 – introductory wording
1. EAn electronic identification schemes shall be eligible for notification pursuant to Article 7 if all the following conditions are met:
Amendment 72
Proposal for a regulation
Article 6 – paragraph 1 – point a
(a) the electronic identification means are issued by, on behalf of or under the responsibility of the notifyingunder that scheme are issued: (i) by the notifying Member State, (ii) under a mandate from the notifying Member State, or (iii) independently of the notifying Member State and are recognised by that Member State;
Amendment 73
Proposal for a regulation
Article 6 – paragraph 1 – point b
(b) the electronic identification means under that scheme can be used to access at least public servicesone service provided by a public sector body requiring electronic identification in the notifying Member State;
Amendment 75
Proposal for a regulation
Article 6 – paragraph 1 – point b a (new)
(ba) the electronic identification scheme meets the requirements of the interoperability model under Article 8;
Amendment 78
Proposal for a regulation
Article 6 – paragraph 1 – point c
(c) the notifying Member State ensures that the person identification data are attributed unambiguously to the natural or legal person referred to in Article 3 point1to a sufficiently high level for the identity assurance level in question to the natural or legal person referred to in point 1 of Article 3 at the time of issuance of the electronic identification means under that scheme;
Amendment 80
Proposal for a regulation
Article 6 – paragraph 1 – point c a (new)
(ca) the party issuing the electronic identification means under that scheme ensures that the person identification data referred to in point (c) are attributed to a sufficiently high level for the identity assurance level in question to the electronic identification means at the time of the issuance of the electronic identification means;
Amendment 82
Proposal for a regulation
Article 6 – paragraph 1 – point d
(d) the notifying Member State ensures the availability of an authentication possibility online, so that any time and free of charge so that any relying partyrelying party established outside of the territory of that Member State can validate the person identification data received in electronic form. Member States shall not impose any specific technical requirements on relying parties established outside of their territory intending to carry out such authentication. When either the notified identification scheme or authentication possibility is breached or partly compromised, Member States shall suspend or revoke without delay the notified identification scheme or authentication possibility or the compromised parts concerned and inform the other Member States and the Commission pursuant to Article 7Such authentication shall be provided free of charge when accessing a service online provided by a public sector body. Member States shall not unduly impose any specific technical requirements on relying parties intending to carry out such authentication;
Amendment 83
Proposal for a regulation
Article 6 – paragraph 1 – point d a (new)
(da) at least six months prior to notification pursuant to Article 7(1), the notifying Member State provides to other Member States a description of the electronic identification scheme.
Amendment 84
Proposal for a regulation
Article 6 – paragraph 1 – point e
Amendment 86
Proposal for a regulation
Article 6 – paragraph 2
Amendment 90
Proposal for a regulation
Article 7 – paragraph 1
1. Member States which notify an electronic identification schemThe notifying Member State shall forward to the Commission the following information and without undue delay, any subsequent changes thereof: (a) a description of the notified electronic identification scheme; (b) the, including its identity assurance levels; (b) the authority or authorities responsible for the notified electronic identification scheme; (c) information on by whom the registrthe entity or entities which manages the verification of the unambiguous person identifiers is managedcation data; (ca) a description of how the requirements of the interoperability framework referred to in Article 8 are met; (d) a description of the authentication possibilityreferred to in point (d) of Article 6; (e) arrangements for suspension or revocation of either the notified identification scheme or authentication possibility or the compromised parts concerned.
Amendment 94
Proposal for a regulation
Article 7 – paragraph 3
3. If the Commission receives a notification after the period referred to in paragraph 2 has expired, it shall amend the list within three monthspublish in the Official Journal of the European Union the amendments to the list referred to in paragraph 2 within one month from the date of receipt of that notification.
Amendment 95
Proposal for a regulation
Article 7 a (new)
Article 7a 1. When either the electronic identification scheme notified pursuant to Article 7(1) or the authentication referred to in point (d) of Article 6 is breached or partly compromised in a way that would affect the reliability of that scheme for cross border transactions, the notifying Member State shall without delay suspend or revoke the cross border part of that electronic identification scheme or that authentication or the compromised parts concerned and inform other Member States and the Commission. 2. When the breach or compromise referred to in paragraph 1 has been remedied, the notifying Member State shall reestablish the authentication and shall inform other Member States and the Commission without undue delay. 3. If the breach or compromise referred to in paragraph 1 is not remedied within 3 months of the suspension or revocation, the notifying Member State shall notify the withdrawal of the electronic identification scheme to other Member States and to the Commission. The Commission shall publish without undue delay in the Official Journal of the European Union the corresponding amendments to the list referred to in Article 7(2).
Amendment 96
Proposal for a regulation
Article 7 b (new)
Article 7b 1. The notifying Member State shall be liable for any direct damage caused to any natural or non-natural person due to a failure to comply with its obligations under points (c) and (d) of Article 6, unless it can show that it has not acted negligently. 2. The party issuing the electronic identification means shall be liable for any direct damage caused to any natural or non-natural person for failing to ensure, consistent with the application of the identity assurance levels within national schemes: (i) the attribution of the person identification data referred to in point (ca) of Article 6, and (ii) the correct operation of the authentication referred to in point (d) of Article 6, unless it can show that it has not acted negligently. 3. Paragraphs 1 and 2 are without prejudice to the liability under national legislation of parties to a transaction in which electronic identification means falling under the notified scheme are used
Amendment 98
Proposal for a regulation
Article 8 – title and paragraph 1
Amendment 100
Proposal for a regulation
Article 8 – paragraph 1 a (new)
1a. The interoperability model shall include the necessary minimum technical requirements, the common operational security standards and the levels of identity assurance and standards against which Member States will map their national scheme, certification and governance.
Amendment 102
Proposal for a regulation
Article 8 – paragraph 1 b (new)
1b. The interoperability model shall: i) ensure technology neutrality, ii) facilitate the principle of privacy by design, iii) ensure personal data is processed in accordance with Directive 95/46/EC.
Amendment 103
Proposal for a regulation
Article 8 – paragraph 1 c (new)
1c. By [insert the date], in order to establish uniform conditions for implementing paragraphs 1, 1a and 1b, the Commission shall adopt implementing acts on standards, protocols for the interoperability model and identity assurance levels.
Amendment 104
Proposal for a regulation
Article 8 – paragraph 1 d (new)
1d. Member States shall cooperate in order to ensure the interoperability of electronic identification means falling under a notified electronic identification scheme and to enhance their security.
Amendment 105
Proposal for a regulation
Article 8 – paragraph 1 e (new)
1e. The cooperation between Member States shall consist of: i) exchange of information, experience and good practice on eID schemes, ii) peer review of eID schemes; iii) examination of relevant developments in the eID sector.
Amendment 106
Proposal for a regulation
Article 2 – paragraph 2
Amendment 106
Proposal for a regulation
Article 8 – paragraph 2 and 2 a (new)
2. The Commission shall, by means of implementing acts, establish the necessary modalities to facilitate the cooperation between the Member States referred to in paragraphs 1d and 1e with a view to fostering a high level of trust and security appropriate to the degree of risk. 2a. Those implementing acts shall concern, in particular, the exchange of information, experiences and good practice on electronic identification schemes, the peer review of notified electronic identification schemes and the examination of relevant developments arising in the electronic identification sector by the competent authorities of the Member States. Those implementing actsreferred to in paragraphs 1c and 2 of this Article shall be adopted in accordance with the examination procedure referred to in Article 39(2).
Amendment 107
Proposal for a regulation
Article 8 – paragraph 3
Amendment 115
Proposal for a regulation
Article 10 – paragraph 1
1. Qualified tTrust services and qualified certificates provided by qualified trust service providers established in a third country shall be accepted asrecognised as legally equivalent to qualified trust services and qualified certificates provided by a qualified trust service providers established in the territory of the Union if the qualified trust services or qualified certificates originating from the third country are recognised under an agreement between the Union and third countries or international organisations in accordance with Article 218 TFUEcomply with the relevant requirements of this Regulation as determined by a supervisory body established in a Member State.
Amendment 116
Proposal for a regulation
Article 10 – paragraph 2
Amendment 122
Proposal for a regulation
Article 13 – paragraph 1
1. Member States shall designate an appropriate supervisory body established in their territory or, upon mutual agreement, in another Member State under the responsibility of the designating Member State. Supervisory bodies shall be given all supervisory and investigatory powers that are necessary for the exercise of their tasks.
Amendment 124
Proposal for a regulation
Article 13 – paragraph 1 a (new)
1a. Member States shall notify to the Commission the names and the addresses of their respective designated supervisory bodies.
Amendment 126
Proposal for a regulation
Article 13 – paragraph 2 – introductory wording
2. The supervisory body shall be res, insofar as is ponssible for the performance of the following tasks, ensure that:
Amendment 127
Proposal for a regulation
Article 13 – paragraph 2 – point a
(a) monitoring trust service providers established in the territory of the designating Member State to ensure that they fulfil the requirements laid down in Article 15this Regulation;
Amendment 128
Proposal for a regulation
Article 13 – paragraph 2 – point b
(b) undertaking supervision of qualified trust services providers established in the territory of the designating Member State and of thed by qualified trust services they provide in order to ensure that they and the qualified trust services provided by them meet the applicablrs meet the requirements laid down in this Regulation; and
Amendment 129
Proposal for a regulation
Article 13 – paragraph 2 – point b a (new)
(ba) if relevant pursuant to Article 10, that the trust service providers established in third countries and the trust services they provide fulfil the applicable requirements laid down in this Regulation.
Amendment 130
Proposal for a regulation
Article 13 – paragraph 2 – point c
Amendment 131
Proposal for a regulation
Article 13 – paragraph 2 a (new)
2a. For the purposes of ensuring continuity of the service, the supervisory body may adopt provisions on termination plans in cases where the qualified trust service providers cease their activities.
Amendment 132
Proposal for a regulation
Article 13 – paragraph 3
3. Each supervisory body shall submit a yearly report onAnnually, by the la31st calendar year’s supervisory activities to the Commission and Member States by the end of the first quarter of the following year. It shall include at least: (a) information on its supervisory activities; (b) a summary of breach notifications received from trust service providers in accordance with Article 15(2); (c) statistics on the market and usage of qualified trust services, including information on qualified trust service providers themselves, the qualified trust services they provide, the products they use and the general description of their customersMarch, each supervisory body shall submit to the Commission a report on its previous calendar year's activities together with a summary of breach notifications received from trust service providers in accordance with Article 15(2).
Amendment 133
Proposal for a regulation
Article 13 – paragraph 3 a (new)
3a. The Commission shall make the annual report referred to in paragraph 3 available to Member States.
Amendment 134
Proposal for a regulation
Article 13 – paragraph 4
Amendment 135
Proposal for a regulation
Article 13 – paragraph 5
Amendment 136
Proposal for a regulation
Article 13 – paragraph 6
6. The Commission may, by means of implementing acts, define the circumstances, formats and procedures for the report referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).
Amendment 137
Proposal for a regulation
Article 14 – paragraph 1
1. Supervisory bodies shall cooperate with a view to exchangeing good practice and provide each other, within the shortest possible time, with relevant information and mutual. A supervisory body shall, upon a receiving a request from another supervisory body, provide that body with assistance so that their activities can be carried out in a consistent manner. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out inspections related to the security audits as referred to in Articles 15, 16 and 17Supervisory bodies shall also cooperate where a request is made under the Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products1. In addition, mutual assistance may also cover information requests and supervisory measures related to the conformity assessment reports as referred to in Articles 15, 16 and 17. _____________ 1 OJ L 218, 13.8.2008, p. 30.
Amendment 138
Proposal for a regulation
Article 14 – paragraph 2
2. A supervisory body to which a request for assistance is addressed may not refuse to comply with it unless: (a) it is not competent to deal with the request; or (b) compliance with the requesthat request under any of the following conditions: (a) the supervisory body is not competent to provide the requested assistance; (aa) the requested assistance is not proportionate to standard supervisory activities of the supervisory body; (b) if the requested assistance would be incompatible with this Regulation.
Amendment 139
Proposal for a regulation
Article 14 – paragraph 3
Amendment 140
Proposal for a regulation
Article 14 – paragraph 4
Amendment 141
Proposal for a regulation
Article 15 – paragraph 1
1. Trust service providers who are established in the territory of the Union shall take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide. Having regard to state of the art, theseshall manage the risks posed to the security of the trust services they provide in accordance with existing industry best practice and industry standards. Having regard to the latest technological developments, any such measures shall ensure that the level of security is appropricommensurate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of the adverse effects of any incidents. Without prejudice to Article 16(1), any trust service provider mays shall submit the report of a security audit carried out by a recognised independent body to the supervisoryo the supervisory body a conformity assessment report provided by a conformity assessment body to confirm that appropriate security measures have been taken.
Amendment 142
Proposal for a regulation
Article 15 – paragraph 2
2. Trust service providers shall, without undue delay and where feasible not later than 24 hours after having become aware of it, notify the competent supervisory body, and, where appropriate, other relevant bodies, such as the competent national body for information security and other relevant third parties such asor the data protection authoritiesy, of any breach of security or loss of integrity that has a significant impact on the trust service provided and on the personal data maintained therein. Where appropriate, in particular if a breach of security or loss of integrity concerns two or more Member States, the notified supervisory body concerned shall inform the supervisory bodies in the other Member States and the European Network and Information Security Agency (ENISA). The notified supervisory body concerned may alsoshall inform the public or require the trust service provider to do so, where it determines that disclosure of the breach is in the public interest.
Amendment 144
Proposal for a regulation
Article 5
When an electronic identification using an electronic identification means and authentication is required under national legislation or administrative practice to access a public service online, any in one Member State, the electronic identification means issued in another Member State falling under a scheme, which is included in the list published by the Commission pursuant to the procedure referred to in Article 7 shall be recognised and acceptedin the first Member States for the purposes of accessing this servicat service online, provided that those electronic identification means correspond to an identity assurance level equal to or higher than the identity assurance level required for access to that service online in the first Member State.
Amendment 145
Proposal for a regulation
Article 15 – paragraph 3
Amendment 146
Proposal for a regulation
Article 15 – paragraph 4
4. In order to implement paragraphs 1 and 2, the competent supervisory body shall have the power to issue binding instructions to trust service providerrequire trust service providers to take the necessary action in order to be able to fulfil these requirements.
Amendment 147
Proposal for a regulation
Article 15 – paragraph 5
Amendment 148
Proposal for a regulation
Article 15 – paragraph 6
6. The Commission may, by means of implementing acts, define the circumstances,further specification of the measures referred to in paragraph 1 and the formats and procedures, including deadlines, applicable for the purpose of paragraphs 1 to 3 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).
Amendment 149
Proposal for a regulation
Article 16 – paragraph 1
1. Qualified trust service providers shall be audited by a recognised independent body once a yea, annually, at their own expense by a conformity assessment body in order to confirm that they and the qualified trust services provided by them fulfil the requirements set out in this Regulation, and they shall submit the resulting security audiconformity assessment report to the supervisory body.
Amendment 150
Proposal for a regulation
Article 16 – paragraph 2
2. Without prejudice to paragraph 1, the supervisory body may at any time audit the qualified trust service providers to confirm that they and the qualified trust services provided by them still meet the conditions set out in this Regulation, either on its own initiative or in response to a request from the Commission. T. Where personal data protection rules as set out in Directive 95/46/EC appear to have been breached, the supervisory body shall inform the data protection authorities of the results of its audits, in case personal data protection rules appear to have been breached.
Amendment 151
Proposal for a regulation
Article 16 – paragraph 3
3. The supervisory body shall have the power to issue binding instructions torequire qualified trust service providers to remedy any failure to fulfil the requirements indicated in the security audiconformity assessment report.
Amendment 152
Proposal for a regulation
Article 16 – paragraph 4
4. With reference to paragraph 3, if the qualified trust service provider does not remedy any such failure within a time limit set by the supervisory body, it shall lose its qualified status and be informed by tthe supervisory body shall withdraw its qualified status and amend the trusted lists referred to in Article 18 accordingly. The supervisory body tshat its status will be changed accordingly in the trusted lists referred to in Article 18ll inform the trust service provider of the withdrawal of its qualified status.
Amendment 153
Proposal for a regulation
Article 6 – paragraph 1 – introductory part
1. EAn electronic identification schemes shall be eligible for notification pursuant to Article 7 if all the following conditions are met:
Amendment 153
Proposal for a regulation
Article 16 – paragraph 5
Amendment 154
Proposal for a regulation
Article 16 – paragraph 6
Amendment 155
Proposal for a regulation
Article 6 – paragraph 1 – point a
(a) the electronic identification means are issued by, on behalf of or under the responsibility of the notifying Member State;:
Amendment 155
Proposal for a regulation
Article 17 – paragraph 1
1. QualifiedWhere trust service providers shall notify the supervisory body of their intentiond to start providing a qualified trust service ands, they shall submit to the supervisory body a security audit report carried out by a recognised independent body, as provided for in Article 16(1). Qualified trust service providers may start to provide the qualified trust service after they have submitted the notification and security audit report to the supervisory bodynotification of their intention together with a conformity assessment report provided by a conformity assessment body, as provided for in Article 16(1).
Amendment 156
Proposal for a regulation
Article 17 – paragraph 2
Amendment 157
Proposal for a regulation
Article 6 – paragraph 1 – point a
(a) the electronic identification means are issued by, on behalf of or under the responsibility of the notifying Member : (i) by the notifying Member State, (ii) under a mandate from the notifying Member State, or (iii) independently of the notifying Member State and are recognised by that Member State;
Amendment 157
Proposal for a regulation
Article 17 – paragraph 3 – subparagraphs 1 and 2
3. The supervisory body shall verify the compliance of the qualified trust service provider and of the qualified trust services provided by it with the requirements of theis Regulation. The supervisory body shall indicate, in particular with the requirements provided for qualified trust services providers. If the supervisory body concludes that the trust service provider and the trust services provided by it comply with those requirements, the supervisory body shall grant the qualified status tof the qualifiedtrust service providers and the qualified trust services ithey provide in the trusted lists after the positive conclusion of the verifications and indicate such status in the trusted lists referred to in Article 18, not later than one month after the notification has been done in accordance with paragraph 1.
Amendment 158
Proposal for a regulation
Article 17 – paragraph 4
4. A qQualified trust service which has been subject to the notification referred to in paragraph 1 cannot be refused for the fulfilment of an administrative procedure or formality by the concerned public sector body for not being included in the lists referred to in paragraph 3providers may start to provide the qualified trust service after the status referred to in paragraph 3 has been indicated in the trusted lists.
Amendment 159
Proposal for a regulation
Article 6 – paragraph 1 – point b
(b) the electronic identification means under that scheme can be used to access at least public servicesone service provided by a public sector body requiring electronic identification in the notifying Member State;
Amendment 159
Proposal for a regulation
Article 17 – paragraph 5
5. The Commission may, by means of implementing acts, define the circumstances, formats and procedures for the purpose of paragraphs 1, 2 and 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).
Amendment 160
Proposal for a regulation
Article 18 – paragraph 1
1. Each Member State shall establish, maintain and publish trusted lists with information related to the qualified trust service providers for which it is competentresponsible together with information related to the qualified trust services provided by them.
Amendment 161
Proposal for a regulation
Article 6 – paragraph 1 – point b a (new)
(ba) the electronic identification scheme meets the requirements of the interoperability model under Article 8,
Amendment 161
Proposal for a regulation
Article 18 – paragraph 5
Amendment 162
Proposal for a regulation
Article 6 – paragraph 1 – point c
(c) the notifying Member State ensures that the person identification data are attributed unambiguously to the natural or legal person referred to in Article 3 point1to a sufficiently high level for the identity assurance level in question to the natural or legal person referred to in point1 of Article 3 at the time of issuance of the electronic identification means under that scheme;
Amendment 162
Proposal for a regulation
Article 18 – paragraph 6
6. The Commission may, by means of implementing acts, specify the information referred to in paragraph 1 and define the technical specifications and formats for trusted lists applicable for the purposes of paragraphs 1 to 4. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).
Amendment 163
Proposal for a regulation
Article 19 – paragraph 1
1. When issuing a qualified certificate, a qualified trust service provider shall verify, by appropriate means and in accordance with national law, the identity and, if applicable, any specific attributes of the natural or legal person to whom a qualified certificate is issued. SuchThe information referred to in the previous subparagraph shall be verified by the qualified service provider or by an authorised third party acting under the responsibility of the qualified service provider: (a) by a physical appearance of the natural person or of an authorised representative of the legnon-natural person, or (b) remotely, using electronic identification means under a notified scheme issued in compliance with point (a).
Amendment 164
Proposal for a regulation
Article 19 – paragraph 2 – point a
(a) employ staff who possess the necessary expertise, experience, and qualifications and who have received appropriate training regarding security and personal data protection rules and shall apply administrative and management procedures which correspond to European or international standards and have received appropriate training regarding security and personal data protection rules;
Amendment 165
Proposal for a regulation
Article 6 – paragraph 1 – point c a (new)
(ca) the party issuing the electronic identification means under that scheme ensures that the person identification data referred to in point (c) are attributed to a sufficiently high level for the identity assurance level in question to the electronic identification means at the time of the issuance of the electronic identification means;
Amendment 165 #
Proposal for a regulation
Article 19 – paragraph 2 – point b
Article 19 – paragraph 2 – point b
(b) with regard to the risk of liability for damages, maintain sufficient financial resources or obtain appropriate liability insurance;
Amendment 166 #
Proposal for a regulation
Article 19 – paragraph 2 – point c
Article 19 – paragraph 2 – point c
(c) before entering into a contractual relationship, inform any person seeking to use a qualified trust service of the precise terms and conditions regarding the use of that service, including any limitation on its use;
Amendment 167 #
Proposal for a regulation
Article 6 – paragraph 1 – point d
Article 6 – paragraph 1 – point d
(d) the notifying Member State ensures the availability of an authentication possibility online, at any time and free of charge so that any relying party established outside of the territory of that Member State can validate the person identification data received in electronic form. Such authentication shall be provided free of charge when accessing a service online provided by a public sector body. Member States shall not unduly impose any specific technical requirements on relying parties established outside of their territory intending to carry out such authentication. When either the notified identification scheme or authentication possibility is breached or partly compromised, Member States shall suspend or revoke without delay the notified identification scheme or authentication possibility or the compromised parts concerned and inform the other Member States and the Commission pursuant to Article 7;
Amendment 167 #
Proposal for a regulation
Article 19 – paragraph 2 – point e
Article 19 – paragraph 2 – point e
(e) use trustworthy systems to store data provided to them, in a verifiable form so that: - they are publicly available for retrieval only where the consent of the person to whom the data relates has been obtained, - only authorised persons can make entries and changes to the stored data, - the data can be checked for authenticity;
Amendment 168 #
Proposal for a regulation
Article 19 – paragraph 2 – point f
Article 19 – paragraph 2 – point f
(f) take appropriate measures against forgery and theft of data;
Amendment 169 #
Proposal for a regulation
Article 6 – paragraph 1 – point d a (new)
Article 6 – paragraph 1 – point d a (new)
(da) the notifying Member State ensures the availability of authentication online, so that any relying party established outside of the territory of that Member State can validate the person identification data received in electronic form. Such authentication shall be provided free of charge when accessing a service online provided by a public sector body. Member States shall not unduly impose any specific technical requirements on relying parties intending to carry out such authentication;
Amendment 169 #
Proposal for a regulation
Article 19 – paragraph 2 – point g
Article 19 – paragraph 2 – point g
(g) record and keep accessible for an appropriate period of time, including after the activities of the qualified trust service provider have ceased, all relevant information concerning data issued and received by the qualified trust service provider, in particular for the purpose of providing evidence in legal proceedings and for the purpose of ensuring continuity of the service in accordance with the termination plans referred to in Article 13(2)(a). Such recording may be done electronically;
Amendment 170 #
Proposal for a regulation
Article 19 – paragraph 2 – point h
Article 19 – paragraph 2 – point h
(h) have an up-to-date termination plan to ensure continuity of service, where applicable, in accordance with provisions adopted by the supervisory body under point (c) of Article 13(2a);
Amendment 171 #
Proposal for a regulation
Article 19 – paragraph 2 – point i a (new)
Article 19 – paragraph 2 – point i a (new)
(ia) when the qualified trust service includes the issuing of qualified certificates, establish and keep updated a certificate database.
Amendment 172 #
Proposal for a regulation
Article 19 – paragraph 3
Article 19 – paragraph 3
3. When qualified trust service providers issuing qualified certificates decide to revoke a certificate, they shall register such revocation in their certificate database and publish the revocation status of the certificate in a timely manner (but in any case, within 24 hours) of the decision to revoke being taken. Such revocation shall become effective immediately upon its registration in the certificate database.
Amendment 173 #
Proposal for a regulation
Article 19 – paragraph 5
Article 19 – paragraph 5
5. The Commission may, by means of implementing acts, establish reference numbers of standards for trustworthy systems and products which comply with the requirements under paragraph 2, points (d) and (e), of this Article. Compliance with the requirements laid down in Article 19 shall be presumed where trustworthy systems and products meet those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). The Commission shall publish those acts in the Official Journal of the European Union.
Amendment 177 #
Proposal for a regulation
Article 7 – paragraph 1 – point a
Article 7 – paragraph 1 – point a
(a) a description of the notified electronic identification scheme, including its identity assurance levels;
Amendment 181 #
Proposal for a regulation
Article 7 – paragraph 1 – point b
Article 7 – paragraph 1 – point b
(b) the authority or authorities responsible for the notified electronic identification scheme;
Amendment 182 #
Proposal for a regulation
Article 7 – paragraph 1 – point c
Article 7 – paragraph 1 – point c
(c) information on the entity or entities which manages the verification of the person identification data;
Amendment 185 #
Proposal for a regulation
Article 7 – paragraph 1 – point c a (new)
Article 7 – paragraph 1 – point c a (new)
(ca) a description of how the requirements of the interoperability framework referred to in Article 8 are met;
Amendment 187 #
Proposal for a regulation
Article 7 – paragraph 1 – point d
Article 7 – paragraph 1 – point d
(d) a description of the authentication possibility referred to in point (d) of Article 6(1);
Amendment 191 #
Proposal for a regulation
Article 7 – paragraph 3
Article 7 – paragraph 3
3. If the Commission receives a notification after the period referred to in paragraph 2 has expired, it shall publish in the Official Journal of the European Union the amendments to the list referred to in paragraph 2 within one month from the date of receipt of that notification.
Amendment 192 #
Proposal for a regulation
Article 7 a (new)
Article 7 a (new)
Article 7a 1. When either the electronic identification scheme notified pursuant to Article 7(1) or the authentication referred to in point (d) of Article 6(1) is breached or partly compromised in a way that would affect the reliability of that scheme for cross border transactions, the notifying Member State shall without delay suspend or revoke the cross border part of that electronic identification scheme or that authentication or the compromised parts concerned and inform other Member States and the Commission. 2. When the breach or compromise referred to in paragraph 1 has been remedied, the notifying Member State shall reestablish the authentication and shall inform other Member States and the Commission without undue delay. 3. If the breach or compromise referred to in paragraph 1 is not remedied within 3 months of the suspension or revocation, the notifying Member State shall notify the withdrawal of the electronic identification scheme to other Member States and to the Commission. The Commission shall publish without undue delay in the Official Journal of the European Union the corresponding amendments to the list referred to in Article 7(2).
Amendment 194 #
Proposal for a regulation
Article 7 b (new)
Article 7 b (new)
Article 7b 1. The notifying Member State shall be liable for any direct damage caused to any natural or non-natural person due to a failure to comply with its obligations under points (c) and (d) of Article 6(1), unless it can show that it has not acted negligently. 2. The party issuing the electronic identification means shall be liable for any direct damage caused to any natural or non-natural person for failing to ensure, consistent with the application of the identity assurance levels within national schemes: (i) the attribution of the person identification data referred to in point (ca) of Article 6(1), and (ii) the correct operation of the authentication referred to in point (d) of Article 6(1), unless it can show that it has not acted negligently. 3. Paragraphs 1 and 2 are without prejudice to the liability under national legislation of parties to a transaction in which electronic identification means falling under the notified scheme are used.
Amendment 196 #
Proposal for a regulation
Article 8 – title
Article 8 – title
Coordination and interoperability
Amendment 197 #
Proposal for a regulation
Article 8 – paragraphs 1, 1 a (new), 1 b (new), 1 c (new), 1 d (new) and 1 e (new)
Article 8 – paragraphs 1, 1 a (new), 1 b (new), 1 c (new), 1 d (new) and 1 e (new)
1. The national electronic identification infrastructures need to provide for interoperability with the electronic identification infrastructures of other Member States. The interoperability between the national electronic identification infrastructures shall be ensured through an interoperability model. 1a. The interoperability model shall include the necessary minimum technical requirements, the common operational security standards and the levels of identity assurance and standards against which Member States will map their national scheme, certification and governance. 1b. The interoperability model shall: i) ensure technology neutrality; ii) facilitate the principle of privacy by design; iii) ensure personal data is processed in accordance with Directive 95/46/EC. 1c. By [insert the date], in order to establish uniform conditions for implementing paragraphs 1, 1a and 1b, the Commission shall adopt implementing acts on standards, protocols for the interoperability model and identity assurance levels. 1d. Member States shall cooperate in order to ensure the interoperability of electronic identification means falling under a notified electronic identification scheme and to enhance their security. 1e. The cooperation between Member States shall consist of: i) exchange of information, experience and good practice on eID schemes; ii) peer review of eID schemes; iii) examination of relevant developments in the eID sector.
Amendment 200 #
Proposal for a regulation
Article 8 – paragraph 2
Article 8 – paragraph 2
2. The Commission shall, by means of implementing acts, establish the necessary modalities to facilitate the cooperation between the Member States referred to in paragraphs 1d and 1e with a view to fostering a high level of trust and security appropriate to the degree of risk. Those implementing acts shall concern, in particular, the exchange of information, experiences and good practice on electronic identification schemes, the peer review of notified electronic identification schemes and the examination of relevant developments arising in the electronic identification sector by the competent authorities of the Member States. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).
Amendment 203 #
Proposal for a regulation
Article 8 – paragraph 3
Article 8 – paragraph 3
3. Implementing acts referred to in paragraphs 1b and 2 of this Article shall be adopted in accordance with the examination procedure referred to in Article 39(2).
Amendment 219 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
1. Qualified tTrust services and qualified certificates provided by qualified trust service providers established in a third country shall be accepted as qualified trust services and qualified certificatrecognised as legally equivalent to qualified trust services provided by a qualified trust service providers established in the territory of the Union if the qualified trust services or qualified certificates originating from the third country are recognised under an agreement between the Union and third countries or international organisations in accordance with Article 218 TFUEcomply with the relevant requirements of this Regulation as determined by a supervisory body established in a Member State.
Amendment 221 #
Proposal for a regulation
Article 10 – paragraph 2
Article 10 – paragraph 2
Amendment 231 #
Proposal for a regulation
Article 13 – paragraphs 1 and 1 a (new)
Article 13 – paragraphs 1 and 1 a (new)
1. Member States shall designate an appropriate supervisory body established in their territory or, upon mutual agreement, in another Member State under the responsibility of the designating Member State. 1a. Member States shall notify to the Commission the names and the addresses of their respective designated supervisory bodies.
Amendment 234 #
Proposal for a regulation
Article 13 – paragraph 2 – introductory part
Article 13 – paragraph 2 – introductory part
2. The supervisory body shall, insofar as is possible, ensure that:
Amendment 238 #
Proposal for a regulation
Article 13 – paragraph 2 – point a
Article 13 – paragraph 2 – point a
(a) monitoring trust service providers established in the territory of the designating Member State to ensure that they fulfil the requirements laid down in this Regulation;
Amendment 240 #
Proposal for a regulation
Article 13 – paragraph 2 – point b
Article 13 – paragraph 2 – point b
(b) undertaking supervision of qualified trust services providers established in the territory of the designating Member State and of thed by qualified trust services they provide in order to ensure that they and the qualified trust services provided by them meet the applicablrs meet the requirements laid down in this Regulation; and
Amendment 243 #
Proposal for a regulation
Article 13 – paragraph 2 – point b a (new)
Article 13 – paragraph 2 – point b a (new)
(ba) if relevant pursuant to Article 10, that the trust service providers established in third countries and the trust services they provide fulfil the applicable requirements laid down in this Regulation;
Amendment 246 #
Proposal for a regulation
Article 13 – paragraph 2 a (new)
Article 13 – paragraph 2 a (new)
2a. For the purposes of ensuring continuity of the service, the supervisory body may adopt provisions on termination plans in cases where the qualified trust service providers cease their activities.
Amendment 247 #
Proposal for a regulation
Article 13 – paragraph 3 – introductory part
Article 13 – paragraph 3 – introductory part
3. Annually, by the 31st March, each supervisory body shall submit to the Commission a report on its previous calendar year's supervisory activities together with a summary of breach notifications received from trust service providers in accordance with Article 15(2).
Amendment 249 #
Proposal for a regulation
Article 13 – paragraph 3 – point a
Article 13 – paragraph 3 – point a
Amendment 250 #
Proposal for a regulation
Article 13 – paragraph 3 – point b
Article 13 – paragraph 3 – point b
Amendment 252 #
Proposal for a regulation
Article 13 – paragraph 3 – point c
Article 13 – paragraph 3 – point c
Amendment 254 #
Proposal for a regulation
Article 13 – paragraph 3 a (new)
Article 13 – paragraph 3 a (new)
3a. The Commission shall make the annual report referred to in paragraph 3 available to Member States.
Amendment 256 #
Proposal for a regulation
Article 13 – paragraph 4
Article 13 – paragraph 4
Amendment 258 #
Proposal for a regulation
Article 13 – paragraph 5
Article 13 – paragraph 5
Amendment 260 #
Proposal for a regulation
Article 14 – paragraph 1
Article 14 – paragraph 1
1. Supervisory bodies shall cooperate with a view to exchanging good practice. A supervisory body shall, upon receiving a request from another supervisory body, provide that body with assistance so that their activities can be carried out in a consistent manner. Supervisory bodies shall also cooperate where a request is made under the Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products¹. In addition, mutual assistance may also cover information requests and supervisory measures related to the conformity assessment reports as referred to in Articles 15, 16 and 17 of this Regulation. ______________ ¹ OJ L 218, 13.8.2008, p. 30.
Amendment 262 #
Proposal for a regulation
Article 14 – paragraph 2 – introductory part
Article 14 – paragraph 2 – introductory part
2. A supervisory body to which a request for assistance is addressed may refuse that request under any of the following conditions:
Amendment 264 #
Proposal for a regulation
Article 14 – paragraph 2 – point a
Article 14 – paragraph 2 – point a
(a) the supervisory body is not competent to provide the requested assistance;
Amendment 266 #
Proposal for a regulation
Article 14 – paragraph 2 – point a a (new)
Article 14 – paragraph 2 – point a a (new)
(aa) the requested assistance is not proportionate to standard supervisory activities of the supervisory body;
Amendment 268 #
Proposal for a regulation
Article 14 – paragraph 2 – point b
Article 14 – paragraph 2 – point b
(b) if the requested assistance would be incompatible with this Regulation.
Amendment 269 #
Proposal for a regulation
Article 14 – paragraph 3
Article 14 – paragraph 3
Amendment 273 #
Proposal for a regulation
Article 14 – paragraph 4
Article 14 – paragraph 4
Amendment 275 #
Proposal for a regulation
Article 15 – paragraph 1 – subparagraph 1
Article 15 – paragraph 1 – subparagraph 1
Trust service providers who are established in the territory of the Union shall manage the risks posed to the security of the trust services they provide in accordance with existing industry best practice and industry standards. Having regard to the latest technological developments, any such measures shall ensure that the level of security is commensurate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of the adverse effects of any incidents.
Amendment 278 #
Proposal for a regulation
Article 15 – paragraph 1 – subparagraph 2
Article 15 – paragraph 1 – subparagraph 2
Without prejudice to Article 16(1), trust service providers shall submit to the supervisory body a conformity assessment report provided by a conformity assessment body to confirm that appropriate security measures have been taken.
Amendment 283 #
Proposal for a regulation
Article 15 – paragraph 2 – subparagraph 1
Article 15 – paragraph 2 – subparagraph 1
Trust service providers shall, without undue delay and where feasible not later than 24 hours after having become aware of it, notify the competent supervisory body, and, where appropriate, other relevant bodies, such as the competent national body for information security or the data protection authority, of any breach of security or loss of integrity that has a significant impact on the trust service provided and on the personal data maintained therein.
Amendment 286 #
Proposal for a regulation
Article 15 – paragraph 2 – subparagraph 2
Article 15 – paragraph 2 – subparagraph 2
Where appropriate, in particular if a breach of security or loss of integrity concerns two or more Member States, the notified supervisory body concerned shall inform the supervisory bodies in the other Member States and the European Network and Information Security Agency (ENISA).
Amendment 290 #
Proposal for a regulation
Article 15 – paragraph 2 – subparagraph 3
Article 15 – paragraph 2 – subparagraph 3
The notified supervisory body concerned shall inform the public or require the trust service provider to do so, where it determines that disclosure of the breach is in the public interest.
Amendment 291 #
Proposal for a regulation
Article 15 – paragraph 3
Article 15 – paragraph 3
Amendment 294 #
Proposal for a regulation
Article 15 – paragraph 4
Article 15 – paragraph 4
4. In order to implement paragraphs 1 and 2, the competent supervisory body shall have the power to require trust service providers to take the necessary action in order to be able to fulfil these requirements.
Amendment 300 #
Proposal for a regulation
Article 15 – paragraph 5
Article 15 – paragraph 5
5. The Commission may, by means of implementing acts, define further specification of the measures referred to in paragraph 1 and the formats and procedures, including deadlines, applicable for the purpose of paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedures referred to in Article 39(2).
Amendment 302 #
Proposal for a regulation
Article 15 – paragraph 6
Article 15 – paragraph 6
Amendment 307 #
Proposal for a regulation
Article 16 – paragraph 1
Article 16 – paragraph 1
1. Qualified trust service providers shall be audited, annually, at their own expense by a conformity assessment body in order to confirm that they and the qualified trust services provided by them fulfil the requirements set out in this Regulation, and they shall submit the resulting conformity assessment report to the supervisory body.
Amendment 309 #
Proposal for a regulation
Article 16 – paragraph 2
Article 16 – paragraph 2
2. Without prejudice to paragraph 1, the supervisory body may at any time audit the qualified trust service providers to confirm that they and the qualified trust services provided by them still meet the conditions set out in this Regulation, either on its own initiative or in response to a request from the Commission. Where personal data protection rules as set out in Directive 95/46/EC appear to have been breached, the supervisory body shall inform the data protection authorities of the results of its audits.
Amendment 312 #
Proposal for a regulation
Article 16 – paragraph 3
Article 16 – paragraph 3
3. The supervisory body shall have the power to require qualified trust service providers to remedy any failure to fulfil the requirements indicated in the conformity assessment report.