Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures
This Directive establishes the legal framework at European level for electronic signatures and certification services. The aim is to make electronic signatures easier to use and help them become legally recognized within the Member States.
SUMMARY
This Directive lays down the criteria that form the basis for legal recognition of electronic signatures by focusing on certification services. These comprise the following:
- common obligations for certification service providers in order to secure transborder recognition of signatures and certificates throughout the European Community;
- common rules on liability to help build confidence among users, who rely on the certificates, and among service providers;
- cooperative mechanisms to facilitate transborder recognition of signatures and certificates with third countries.
The Directive defines new ideas:
- the electronic signature, data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication.
- the advanced electronic signature, which meets the following requirements:
  - it is uniquely linked to the signatory;
  - it is capable of identifying the signatory;
  - it is created using means that the signatory can maintain under their sole control;
  - it is linked to the data to which it relates in such a manner that any subsequent change in the data is detectable.
- the qualified certificate, which must in particular include:
  - an indication that it is issued as a qualified certificate;
  - the identification of the certification service provider;
  - the name of the signatory;
  - provision for a specific attribute of the signatory to be included if relevant, depending on the purpose for which the certificate is intended;
  - signature-verification data corresponding to signature-creation data under the control of the signatory;
  - an indication of the beginning and end of the period of validity of the certificate;
  - the identity code of the certificate;
  - the advanced electronic signature of the issuing certification service provider.
The certificate must also be issued by a certification service provider which meets specific requirements laid down in the Directive.
Market access
Member States must not make the provision of certification services subject to prior authorization of any kind.
They may introduce or maintain voluntary accreditation schemes aimed at enhancing levels of certification-service provision.
Member States may not limit the number of accredited certification service providers for reasons which fall within the scope of the Directive.
Member States may make the use of electronic signatures in the public sector subject to possible additional requirements.
Member States may not restrict the provision of certification services originating in another Member State in the areas covered by the Directive.
Legal effects of electronic signatures
The main provision of the Directive states that an advanced electronic signature based on a qualified certificate and created by a secure-signature-creation device satisfies the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data (for convenience, this type of signature is usually called a “qualified signature”; although the Directive describes it as such, it does not give a definition for it). It is also admissible as evidence in legal proceedings.
In addition, an electronic signature may not legally be refused simply because:
- it is in electronic form;
- it is not based on a qualified certificate;
- it is not based upon a qualified certificate issued by an accredited certification service provider;
- it is not created by a secure signature-creation device.
Liability
Member States must ensure that a certification service provider which issues a qualified certificate is liable vis-à-vis any person who reasonably relies on the certificate for:
- the accuracy of all information in the qualified certificate;
- compliance with all requirements of the Directive in issuing the qualified certificate;
- assurance that the holder identified in the qualified certificate held, at the time of the issuance of the certificate, the signature-creation device corresponding to the signature verification device given or identified in the certificate;
- in cases where the certification service provider generates the signature-creation device and the signature-verification device, assurance that the two devices function together in a complementary manner.
The certification service provider must not be liable for damage arising from use of a qualified certificate that exceeds the limitations placed on it.
International aspects
Member States must ensure that mutual legal recognition of qualified certificates and electronic signatures from third countries is applied if certain reliability conditions are met. The Commission may make proposals to ensure that international standards and agreements are fully implemented.
Data protection
Member States must ensure that certification service providers and national bodies responsible for accreditation or supervision comply with Directive 95/46/EC on the protection of personal data.
RELATED ACTS
Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions “Action Plan on e-signatures and e-identification to facilitate the provision of cross-border public services in the Single Market” [COM(2008) 798 final – Not published in the Official Journal].
In this communication, the Commission proposes an Action Plan aimed at assisting Member States in implementing mutually recognized and interoperable electronic signatures and e-identification solutions, in order to facilitate the provision of cross-border public services in an electronic environment. This is essential to avoid fragmentation of the single market.
Electronic signatures and e-identification are essential elements in enabling businesses and citizens to access public services. In particular, cross-border access to these services requires interoperable electronic signatures and e-identification solutions at European level. However, different legal, technical and organizational issues hinder the interoperability of identification systems. Similarly, although electronic signatures enjoy legal recognition in Europe as a result of the Directive detailed above, different technical and organizational issues also hinder their interoperability.
The Action Plan is structured in three parts:
- actions targeted at improving the interoperability of qualified electronic signatures and advanced electronic signatures based on qualified certificates, which will clarify the regulatory framework and increase confidence in Certification Service Providers established in another country.
- actions in the medium term to encourage the interoperability of advanced electronic signatures, which, in particular, would enable the validity of a signature received from another country to be easily verified.
- actions in the medium term aimed at making e-identification interoperable.
Commission report of 15 March 2006 on the operation of Directive 1999/93/EC on a Community framework for electronic signatures [COM(2006) 120 final – not published in the Official Journal].
The report indicates that EU Member States have implemented the general principles of the Directive.
The Commission notes that transposition of the Directive into the legislation of the Member States has met the need for the legal recognition of electronic signatures. It therefore considers that the Directive's objectives have been fulfilled and that no need for its revision has emerged at this stage. The Commission nonetheless plans to consult the Member States and relevant stakeholders to address a number of issues, particularly on interoperability problems, technical aspects and standardization.
The Commission notes that, in the event, there has been far less use of qualified electronic signatures than expected. The main reason for this is economic, in that service providers have little incentive to develop a multi-application electronic signature and prefer to offer solutions for their own services. A number of applications in the future might nonetheless trigger market growth, particularly in relation to eGovernment services.
Commission Decision 2003/511/EC of 14 July 2003 on the publication of reference numbers of generally recognized standards for electronic signature products in accordance with Directive 1999/93/EC of the European Parliament and of the Council [Official Journal L 175, 15.7.2003].
This Decision gives the references of three generally recognized standards for electronic signature products which presume compliance with the qualified electronic signature.
Commission Decision 2000/709/EC of 6 November 2000 on the minimum criteria to be taken into account by Member States when designating bodies in accordance with Article 3(4) of Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures [Official Journal L 289 of 16.11.2000].
This Decision sets out the criteria that Member States must take into account when designating national bodies to evaluate the conformity of secure signature-creation devices.
Last updated: 17.12.2008