[cooperation-wg] Agenda item on electronic identification and trust services

The European Commission has made a proposal for a Regulation "on electronic identification and trust services for electronic transactions in the internal market" - COM(2012) 238 final. I am very pleased that the co-chairs have put this draft regulation on the agenda and that indeed Andrea Servida, who is responsible in DG Connect for the  Task Force “Legislation Team (eIDAS)”, will make a presentation.

While I most certainly do not wish to prejudge what Andrea will say I think a bit of "marketing" might be useful - to explain a bit more why I personally think this regulation is of importance to the RIPE community now. 

So let me start with a bit of "EU 101".

At its simplest the Commission proposes legislation, after obviously having consulted and reflected and so on, and it is then for the Council (the member states directly) and the Parliament to possibly modify and then adopt the legislation.

There are then three basic instruments open to the Commission. There is the Directive which once agreed at the EU level, is normally transposed into national law. That means further discussion at the national level. There is the Regulation which become EU legislation on adoption. There is the Decision which is directed towards a specific member state or entity.

This proposed Regulation is to an extent a follow-on and replacement for a previous Directive - 1999/93/EC on a "Community framework for electronic signatures". It seems agreed that the signatures Directive did not fully deliver. This Regulation will replace that  "e-signature Directive" from 1999 - and nullify the previously transposed legislation? 

In the press release for this proposal European Commission Vice President Neelie Kroes said "People and businesses should be able to transact within a borderless Digital Single Market, that is the value of Internet. Legal certainty and trust is also essential, so a more comprehensive eSignatures and eIdentification Regulation is needed. ... This proposal will mean you can make the most of your e-ID, if you have one. With mutual recognition of national e-IDs and common standards for trust services and eSignatures, we can prevent a national carve-up of the Internet and online public services and make life easier for millions of businesses and even more citizens. "

So the proposal has been made by the Commission and it is currently being discussed in Council and in Parliament.

I have had though a variety of conversations recently about the proposal and they have thrown up a number of concerns.

The proposal seems complex and different people seem to take quite different things away from it.

This is perhaps linked to questions about the scope of the regulation. There are perhaps two main dimensions to regarding the scope. 

First there are the actors and users. Is it only about the public sector? Is it about the public sector and a particular bit of the private sector or any bit of the private sector, in the EU or elsewhere, that might find it useful? Or will the private sector be specifically precluded from using some of the services?

Secondly the range of services. The regulation includes a number of definitions:

electronic identification;
electronic identification means;
electronic identification scheme;
signatory;
electronic signature;
advanced electronic signature;
qualified electronic signature;
electronic signature creation data;
certificate;
qualified certificate for electronic signature;
trust service;
qualified trust service;
trust service provider;
qualified trust service provider;
product;
electronic signature creation device;
qualified electronic signature creation device;
creator of a seal;
electronic seal;
advanced electronic seal;
qualified electronic seal;
electronic seal creation data;
qualified certificate for electronic seal;
electronic time stamp;
qualified electronic time stamp;
electronic document;
electronic delivery service (including proof of sending or receiving the data);
qualified electronic deliver service;
qualified certificate for website authentication;
validation data.

There are then articles on notification, coordination and liability, and on supervision, mutual assistance and security requirements, and so on. And all this has to be read keeping in mind that legislators like to have "technology neutral" text and not to refer to specific standards for example.

There two other things I would draw to your attention though. 

One is fairly explicit in the proposal and that is that the regulation when adopted will confer on the Commission the power to adopt delegated acts. This kind of thing is not that unusual. But some see this, in this instance, as adding an additional degree of uncertainty, leaving some things unclear.

The other is the issue of "agreed text". Any legislation in the coming years - and that can be 10-15 years or more in this case - and anywhere in the EU will be effectively constrained by these definitions for things like electronic signature and electronic seal and so on. Again this is quite normal. But you need to be aware of it.

I hope all that means that many of you will be there for a productive WG session in Dublin with good questions for Andrea after his presentation. I look forward to seeing you there.

In the meantime, thanks again to the co-chairs and to Andrea for agreeing to speak.

Fáilte go Baile Átha Cliath,

Gordon