At the end of July the Council of Ministers of EU approved new legislation which for almost three years of preparations became common as eIDAS. The regulation on electronic identification and trustworthy services for electronic transactions in the internal market and on the abolition of directive 1999/93/EC which is the whole official name of eIDAS was a few days ago published in the Official Reports and so we can have a look at which essential changes it brings and how it will affect the electronic services and the Internet in the Czech Republic.
Electronic signature and change of our law
The new regulation focuses immediately on several areas. The most extensive one is electronic signature. In its case eIDAS cancels the current directive 1999/93/EC on principles of the Community for Electronic Signatures. The area regulated by the directive which is transposed to the Czech legal order above all by means of Act No. 227/2000 Coll., on Electronic Signature, will thus be replaced by regulation which is (in contrast to the directive) directly implementable and the area regulated by the regulation should not therefore be regulated by the national legislation. This will mean that the Czech Republic will in two years at the latest (to the very 1st July 2016 when the regulation will become effective, respectively will become applicable) revoke or significantly revise our Act on Electronic Signature in such a way that it regulates only such matters which are left in the authority of member states (e.g. to set the rules of temporary suspension of qualified certificates for electronic signature).
New areas of regulation
Despite the fact that the harmonization of the Czech legislation and practice will require at the electronic signature a lot of laborious work, it is still an area which was already regulated here. The regulation, however, focuses also on new areas collectively called “services creating confidence“ which were up to now left in the authority of member states. Besides the already mentioned e-signatures, electronic marks or clock stamps, these services include also:
– services of electronic recommended delivery (e-Delivery) which will include our data boxes (respectively the information system of data boxes);
– services for the storing of electronic signatures, seals or certificates connected with these services;
– services for creating, attestation of conformity and validation of certificates for the authentication of internet pages, that is to say SSL certificates. I already wrote about the preparations of regulation on our blog in the past and therefore let us come at least in points to have a look at what the new regulation brought.
The regulation also attends to the area of electronic identification and authentication. Here it focuses, however, only on cross-border services at which it is based on the initiative of member states. These can, but need not, log in to the given systems.
The base of the international recognition of eID will certainly be comprised of vast pilot projects STORK 2.0 and e-SENS the realization of which includes also our association. Within the framework of the project STORK 2.0, the service myID was consequently recognized as (so far the only) authentication tool which can be used just for cross-border electronic services.
Regulation of SSL certificates
Despite the efforts of various organizations including e.g. RIPE NCC, it was finally not possible to remove the regulation of SSL certificates from the regulation – the Commission consequently in the end carried its point. The qualified certificates for the authentication of internet pages are described in article 45 (formerly 37) according to which the qualified certificates for authentication of internet pages must match the requirements defined in annex IV. Here in my opinion the regulation is based on the contemporary practice and it should not represent more significant changes for providers which is evidenced also by the provision according to which the Commission can by means of implementing acts determine the reference numbers of standards for qualified certificates for the authentication of internet pages. If the qualified certificate for the authentication of internet pages agrees with these standards, the conformity with the requirements set in annex IV is supposed. These implementing acts are accepted by review procedure according to article 48 paragraph 2.
Bigger impact than that of the text of the very article 45 can be that of the inclusion of providers of SSL certificates in the group of providers of services creating confidence which is regulated by the regulation in a similar way (although here will be also several changes thanks to the regulation), as do at present the Directive 1999/93/EC and our Act 227/2000 Coll., qualified certification authorities. In case of certificates issued by some of our authorities this should not be a problem, at foreign authorities such as e.g. GeoTrust, Symantech or Thawte their use, however, (above all for electronic services of public administration) is conditioned by the regulation by concluding relevant international contracts, see article 14, paragraph 1:
Services creating confidence provided by providers of services creating confidence domiciled in the third country are recognized as legally equal to qualified services creating confidence provided by qualified providers of services creating confidence domiciled in the Union if the services creating confidence coming from the third country are recognized on the basis of agreement concluded between the Union and the corresponding third country or international organization in accordance with article 218 of the Treaty of Functioning of EU.
Here the situation will certainly be still interesting because according to accessible information no international agreement including also “services creating confidence“ has not been concluded yet. So far furthest, but still only at the level of “dialogue“, could be the treaty with US. Here the areas regulated by eIDAS could be included in the upcoming commercial agreement between EU and US, the so-called TTIP (The Transatlantic Trade and Investment Partnership). This did not happen yet and it is therefore only a question of time whether eIDAS will not force some providers of electronic services (above all the public administration) to change the providers of their SSL certificates. That one of GeoTrust, that is to say, uses e.g. also the information system of data boxes.