The European directive on electronic signatures

2 years after the directive

Patrick Van Eecke
ICRI, University of Leuven Attorney, Landwell, Brussels

Refresh your memory

Refresh your memory

1. Before the directive
National initiatives: internal market obstacles

2. Directive 1999/93 on electronic signatures

Entry into Force: 19 January 2000. Implementation by Member States: 19 July 2001.

3. Main principles
Everybody is free to run a CSP (CA) Electronic signatures may not be denied legal effect Technology neutral legislation Rules not meant for closed user groups

What happened this year?

European level
EESSI standards Report on value of EESSI standards Commission decision on minimum criteria for SSCD (6-11-2000) No publication of reference numbers for SSCD & Trustworthy systems VAT directive referring to E-sign directive

What happened this year?

National level
Most countries implemented (exc.Finland, Neth.) Ordinances with details still in drafting phase

Accreditation and supervision procedures not activated yet (exc. Austria, Germany, France, Lux, Spain) QC CSPs ?
Public sector initiatives

Country overview

Three ways of implementation

1. Amend existing Electronic Signature legislation (Germany, Italy) 2. Draft new Electronic Signature legislation
1. Specific ES legislation (Belgium, Greece, etc.) 2. Incorporated in broader framework (Ireland, Luxembourg)

3. Adapt basic legislation (France)

Literal/non-literal transposition
Legal value articles / other articles
Copy of the directive (Austria) Free interpretation of the directive (UK)

Status of implementation

Country overview
Austria
Act 1999, amended 2000 Ordinance 2000 Ordinance on 3(4) bodies 2000 Literal transposition Annex 4 transposed No public sector rules QC CSPs

Belgium
Act 2000 + Act 2001 Draft ordinance 2002

Literal transposition No Annex 4 Specific public sector rules QC CSPs

Country overview
Denmark
Act 2000 Executive Order 2000 Literal transposition No Annex 4 No specific public sector rules QC CSPs?

Finland
Still draft bill (expected 12003) literal transposition No annex 4 No specific public sector rules QC CSPs

Country overview
France
Act 2000 Decree 2001 Decree 2002 (on accreditation and SSCD)

Germany
Act & Ordinance 2001 Acts on legal form
Civil (2001) Public (draft) Court proceedings

Literal transposition No annex 4 Specific public sector rules (e.g. taxes) QC CSPs

literal transposition Annex 4 transposed Specific public sector rules (e.g. invoice) Accredited QC CSPs

Country overview
Greece
Decree 2001 Regulation 2002

Ireland
Electronic Commerce Act 2000 Still need for implementing decrees (superv./accred.) No literal transposition No annex 4 Public sector rules? QC CSPs?

Literal transposition Annex 4 Public sector rules (Act

1998: only digital signatures for C2G and G2G)

QC CSPs?

Country overview
Italy
Testo Unico 2000 (digital signature) Decree nr.10 2002 (implementing directive 99/93) Regolamento (to be published) literal transposition Annex 4? (regolamento?) Public sector rules (digital signature, etc) QC CSPs (a lot)

Luxembourg
Law of 2000 on Ecommerce Law of 2000 on accreditation 3 Regulations of 2001

Literal transposition Annex 4 copied Public sector initiatives QC CSPs

Country Overview
The Netherlands
Electronic Signature draft bill (in Parliament) Literal transposition No annex 4 Public sector initiatives QC CSPs?

Portugal
Law 1999! No literal transposition Requirements for CSPs similar to directive Public sector initiatives? QC CSPs?

Country Overview
Spain
Law 14/99 of 1999 Orden of 2000 NEW DRAFT law No literal transposition (additional requirements!) Annex 4 Public initiatives (CERES) QC CSPs (Feste, Camerfirma,

Sweden
Act on Q. electronic signatures of 2001 Act on technical conformity assessment of 2001 literal transposition (less stringent) No annex 4 Public initiatives One QC CSP (PKI partner)

Country overview
United Kingdom
Electronic Communications Act (2000) E-sign regulations (2002) literal (discussion on 5.1 a) No annex 4 Public sector? QC CSPs?

Legal value of electronic signatures (article 5)

Legal value of ES
1. Contracts do not need a signature in order to be valid 2. If a signature is needed, an electronic (qualified) signature will do

3. Typical exceptions: transfer or land, wills, etc:

still need for handwritten signature 4. Super signatures (Italy) 5. Need to implement is questioned (e.g. UK) 6. Literal/non-literal transposition

Case law
First cases on electronic signatures
Italy (High Court - 2001) Germany (BVerfG - 2002) France (2001) Belgium (2002)

Interesting: no electronic signature necessary at all!

Supervision & Accreditation (article 3)

Supervision
More or less same procedures in the MS Notification
to telecom ministry (A, DK, D, GR, Sp, Sw) or economic affairs (B, Lux) or special technology/security division (Fr, It) or independent telecom authority (NL) Technical information (A, DK, GR) or basic information (B, FR) Spain: All CSPs need to register!

Annual report (DK, Gr)

Continuous control or after complaint (all) Sanction
Obligation to correct (all)
Fine (Fi, Sw) Withdrawal of right to issue QC (A, DK Court (B)

Supervision
More or less same procedures in the MS Notification
to telecom ministry (A, DK, D, GR, Sp, Sw) or economic affairs (B, Lux) or special technology/security division (Fr, It) or independent telecom authority (NL) Technical information (A, DK, GR) or basic information (B, FR) Spain: All CSPs need to register!

Annual report (DK, Gr)

Continuous control or after complaint (all) What about self-regulation schemes ??? Sanction
Obligation to correct (all) Fine (Fi, Sw) Withdrawal of right to issue QC (A, DK Court (B)

Voluntary Accreditation
Close to Supervision procedures Same body as Supervision (A, B, DK, D, Ir) No accreditation (Fin)

1. Drafting of accreditation body designation 2. Drafting of accreditation guidelines

Germany France (drafting phase) Belgium (drafting phase)

3. Appointing of accreditation bodies

Secure Signature Creation Device (SSCD)

Article 3.4 & Annex III

Secure SCD
Conformity with Annex III HOW?
Conformity test in one Member State enough for whole of Europe Comm.Decision on minimum criteria used in Austria, Greece, ...

or
Use the published EU criteria nothing published yet

Concerns

Concerns
Misuse of the directive
Example: E-invoicing directive See next slide

Directive technology neutral?

Obstacle for new technologies not making use of certificates, not making use of decentralised key storage directive not that technology neutral at all

Example of problematic use

The E-invoicing directive (december 2001)
E-invoicing is allowed under the condition that an Advanced Electronic Signature is used or EDI.
Problem: in some MS a handwritten signature is not required for a paper invoice

Reaction Commission: the requirement of the AES is not a legal requirement (alternative for h-wr sign.) but a technical requirement (i.e. enhancing the security of electronic invoice)
Member States are allowed to require a qualified electronic signature (See Germany)

Future
Review of the directive: 2 years after implementation, i.e. july 2003.

Prepare your comments!

Further reading
Report The implementation of the European directive on electronic signatures Status report: September 2002

Prepared by Landwell law firms and ICRI,

K.U.Leuven

Visit www.icri.be or www.landwell.be

Questions

If you would have further questions, please do not hesitate to contact:

Patrick Van Eecke ICRI- University of Leuven +32-16.32.54.69 patrick.vaneecke@law.kuleuven.ac.be

Patrick Van Eecke Landwell law firms +32-2.710.78.11 patrick.van.eecke@landwell.be