
Act Fixing Certain Rules Relating To The Legal Framework For Electronic Signatures And Certification Services

Original Language Title: Loi fixant certaines règles relatives au cadre juridique pour les signatures électroniques et les services de certification

belgiquelex.be - Carrefour Bank of Legislation

9 JULY 2001. - Act setting certain legal framework rules for electronic signatures and certification services



ALBERT II, King of the Belgians,
To all, present and to come, Greetings.
The Chambers adopted and We sanction the following:
CHAPTER I. - General provision
Article 1. This Act regulates a matter referred to in Article 78 of the Constitution.
CHAPTER II. - Definitions and scope of law
Section 1. - Definitions
Art. 2. This Act transposes the provisions of Directive 1999/93/EC of the European Parliament and the Council of 13 December 1999 on a community framework for electronic signatures.
For the purposes of this Act and its enforcement orders, the following means:
1° "electronic signature": data in electronic form attached or logically linked to other electronic data and used as an authentication method;
2° "Advanced electronic signature": electronic data, combined with or logically linked to other electronic data, used as a method of authentication and meeting the following requirements:
(a) be linked only to the signatory;
(b) permit identification of the signatory;
(c) be created by means that the signatory may keep under its exclusive control;
(d) be linked to the data to which it relates so that any subsequent changes to the data are detected;
3° "certificate": an electronic certificate that links data relating to signature verification to a natural or legal person and confirms the identity of that person;
4° "qualified certificate": a certificate that meets the requirements set out in Schedule I to this Act and is provided by a certification service provider meeting the requirements set out in Schedule II to this Act;
5° "certificate holder": a natural or legal person to which a certification service provider issued a certificate;
6° "signature creation data": unique data, such as private cryptographic codes or keys, which the signatory uses to create an advanced electronic signature;
7° "Secure signature creation device": a software or hardware device configured to implement the signature creation data that meets the requirements of Schedule III to this Act;
8° "signature verification data": data, such as public cryptographic codes or keys, which are used to verify an advanced electronic signature;
9° "signature verification device": a software or hardware device configured to implement the signature verification data;
10° "certification service provider": any natural or legal person who delivers and manages certificates or provides other services related to electronic signatures;
11° "electronic signature product": any hardware or software product, or specific element of this product, intended to be used by a certification service provider for the provision of electronic signature services or for the creation or verification of electronic signatures;
12° "Administration": the administration of the Ministry of Economic Affairs which is responsible for the tasks related to the accreditation and control of certification service providers that deliver qualified certificates and are established in Belgium;
13° "entity": a body that demonstrates its competence on the basis of a certificate issued by the Belgian accreditation system in accordance with the Act of 20 July 1990 concerning the accreditation of certification and control bodies, as well as test laboratories, or by an equivalent body established in the European Economic Area.
Section 2. - Scope of application
Art. 3. This Act sets out certain rules relating to the legal framework for electronic signatures and defines the legal regime applicable to transactions performed by certification service providers and the rules to be followed by certification service providers and certificate holders without prejudice to the legal provisions concerning the rules of representation of legal persons.
This Act also establishes a voluntary accreditation regime.
CHAPTER III. - General principles
Art. 4. § 1. In the absence of legal provisions to the contrary, no person may be obliged to file a legal act electronically.
§ 2. No certification service provider may be required to request prior authorization to carry out its activities.
However, certification service providers issuing qualified certificates established in Belgium must provide the following information to the Administration, either within the month following the publication of this Act or before the beginning of their activities:
- their name;
- the geographical address where they are established;
- the contact information to contact them promptly, including their e-mail address;
- where applicable, their professional title and their references and identification numbers (trade register, VAT);
- proof that insurance has been taken out to cover their obligations under Article 14.
The Administration shall issue a receipt to them within five business days of receipt of their communication.
§ 3. The King may, by order deliberated in the Council of Ministers, subject the use of electronic signatures in the public sector to additional requirements. These requirements must be objective, transparent, proportionate and non-discriminatory and apply only to the specific characteristics of the application concerned. These requirements cannot constitute an obstacle to cross-border services for citizens.
§ 4. Without prejudice to articles 1323 et seq. of the Civil Code, an advanced electronic signature made on the basis of a qualified certificate and created by means of a secure electronic signature creation device is treated as equivalent to a handwritten signature, whether it is made by a natural or legal person.
§ 5. An electronic signature cannot be deprived of its legal effectiveness and cannot be denied as evidence in court solely on the grounds that:
- the signature is in electronic form, or
- it is not based on a qualified certificate, or
- it is not based on a qualified certificate issued by an accredited certification service provider, or
- it is not created by a secure signature creation device.
Art. 5. § 1. Without prejudice to the Act of 8 December 1992 on the protection of privacy with respect to personal data processing, a certification service provider who delivers certificates to the public may collect personal data only directly from the person concerned or with the explicit consent of the person concerned and only to the extent necessary for the issuance and retention of the certificate. Data cannot be collected or processed for other purposes without the explicit consent of the person concerned.
§ 2. When the holder of the certificate uses a pseudonym and when the needs of the judicial investigation require it, the certification service provider who has issued the certificate is required to disclose any data relating to the identity of the holder in the circumstances and under the conditions provided for in sections 90ter to 90decies of the Code of Criminal Procedure.
CHAPTER IV. - Electronic signature products
Art. 6. Where an electronic signature product complies with standards whose reference numbers are published in the Official Journal of the European Communities in accordance with the procedure set out in Directive 99/93/EC of the Parliament and Council of 13 December 1999 on a Community Framework for Electronic Signatures, that product is presumed to be in compliance with the requirements set out in Schedule II (f) and Schedule III to this Act.
Art. 7. § 1. The requirements for secure electronic signature creation devices are included in Schedule III to this Act.
§ 2. The conformity of secure electronic signature creation devices with the requirements set out in Schedule III to this Act is certified by competent bodies designated by the Administration and whose list is communicated to the European Commission.
§ 3. The King shall determine the conditions that the bodies referred to in the preceding paragraph must meet.
§ 4. The conformity established by a body designated by another Member State of the European Economic Area is recognized in Belgium.
CHAPTER V. - Certification service providers delivering qualified certificates
Section 1. - Qualified certificates
Sub-section 1. - Missions
Art. 8. § 1. Prior to the issuance of a certificate, the certification service provider checks the complementarity of the signature creation data and the signature verification data.
§ 2. After verifying the applicant's identity and, where appropriate, the applicant's specific qualities, the certification service provider delivers one or more certificates to any person who requests them.
§ 3. With respect to legal persons, the certification service provider maintains a register containing the name and quality of the natural person who represents the legal person and who makes use of the signature related to the certificate, so that the identity of the natural person can be established at each use of that signature.
Art. 9. The certification service provider provides a copy of the certificate to the applicant.
Art. 10. The certification service provider maintains an electronic directory including the certificates it delivers and the time of their expiry.
Sub-section 2. - Requirements for qualified certificates
Art. 11. § 1. Qualified certificates must meet the requirements set out in Schedule I to this Act.
§ 2. Certification service providers who issue qualified certificates must meet the requirements set out in Schedule II to this Act.
Sub-section 3. - Revocation of qualified certificates
Art. 12. § 1. At the request of the certificate holder, previously identified, the certification service provider immediately revokes the certificate.
§ 2. The certification service provider also revokes a certificate when:
1° there are serious reasons to believe that the certificate has been issued on the basis of erroneous or falsified information, that the information contained in the certificate no longer corresponds to reality or that the confidentiality of the signature creation data has been violated;
2° the courts ordered the measures provided for in Article 20, § 4, b);
3° the certification service provider stops its activities without the resumption of these activities by another certification service provider guaranteeing an equivalent level of quality and safety;
4° the certification service provider is informed of the death of the natural person or the dissolution of the legal person who is the holder of the certificate.
The certification service provider shall inform the certificate holder, except in the event of death, of the revocation and shall give reasons for its decision. One month before a certificate expires, the certification service provider informs the certificate holder of this.
§ 3. The revocation of a certificate is final.
Art. 13. § 1. The certification service provider shall take the necessary steps to respond to a request for revocation at any time and without delay.
§ 2. Immediately after the revocation decision, the certification service provider shall record the revocation of the certificate in the electronic directory referred to in Article 10.
Revocation is enforceable against third parties from this registration.
Sub-section 4. - Responsibility of certification service providers delivering qualified certificates
Art. 14. § 1. A certification service provider who delivers to the public a certificate presented as qualified, or who guarantees such a certificate to the public, is liable for the harm caused to any body or natural or legal person who, acting as a prudent person, reasonably relies on that certificate in respect of:
(a) the accuracy of all information contained in the qualified certificate on the date it was issued and the presence in that certificate of all data prescribed for a qualified certificate;
(b) the assurance that, at the time of the issuance of the certificate, the signatory identified in the qualified certificate held the data relating to the creation of signature corresponding to the signature verification data provided or identified in the certificate;
(c) assurance that the signature creation and signature verification data may be used in a complementary manner in the event that the certification service provider generates these two types of data;
unless the certification service provider proves that he has not committed any negligence.
§ 2. A certification service provider who has issued to the public a certificate presented as qualified is liable for the harm caused to a body or natural or legal person reasonably relying on the certificate, for failing to register the revocation of the certificate, unless the certification service provider proves that it has not committed any negligence.
§ 3. A certification service provider may specify, in a qualified certificate, the limits set to its use, provided that these limits are discernible by third parties. The certification service provider must not be held responsible for the harm resulting from the use of a qualified certificate that exceeds the limits set to its use.
§ 4. A certification service provider may indicate, in a qualified certificate, the maximum value of transactions for which the certificate may be used, provided that this value is discernible by third parties. The certification service provider is not responsible for the damage resulting from the exceedance of this maximum value.
Sub-section 5. - Cessation of the activities of certification service providers delivering qualified certificates
Art. 15. § 1. The certification service provider that delivers qualified certificates shall notify the Administration within a reasonable time of its intention to terminate its activities as a qualified certification service provider and of any action that may lead to the termination of its activities. In this case, it must ensure that these certificates are taken over by another certification service provider that guarantees the same level of quality and safety or, failing that, revoke the certificates two months after advising the certificate holders. In this case, the certification service provider shall take the necessary steps to meet the requirements of Schedule II, i.
§ 2. The certification service provider who stops its activities for reasons beyond its control or in the event of bankruptcy immediately informs the Administration. It shall, where appropriate, revoke the certificates and take the necessary steps to meet the requirement in Schedule II, i.
Sub-section 6. - Certificates issued as qualified certificates by foreign certification service providers
Art. 16. § 1. A qualified certificate issued to the public by a certification service provider that is established in a Member State of the European Economic Area is equivalent to qualified certificates issued by a certification service provider established in Belgium.
§ 2. Certificates issued as qualified certificates to the public by a certification service provider established in a third country are recognized as legally equivalent to certificates issued by a certification service provider established in Belgium:
(a) if the certification service provider meets the requirements of its national regulations transposing Directive 99/93/EC of the Parliament and Council of 13 December 1999 on a community framework for electronic signatures and has been accredited as part of a voluntary accreditation regime established in a Member State of the European Economic Area;
or
(b) if a certification service provider established in the European Community, which meets the requirements of national regulations transposing Directive 99/93/EC of the Parliament and Council of 13 December 1999 on a community framework for electronic signatures, guarantees the certificate;
or
(c) if the certificate or certification service provider is recognized pursuant to a bilateral or multilateral agreement between the European Community and third countries or international organizations.
Section 2. - Accredited certification service providers
Art. 17. § 1. A certification service provider that meets the requirements of Schedule II, issuing qualified certificates that meet the requirements of Schedule I and using signature creation devices that meet the requirements of Schedule III, may apply for accreditation to the Administration.
The accreditation provided for in this Act is based on an assessment, by an entity referred to in section 2, 13°, of compliance with the requirements of Schedules I, II and III, and, where applicable, with respect to other services and products issued by certification service providers.
§ 2. The King specifies the conditions referred to in § 1 and determines:
1° the procedure for issuing, suspending and withdrawing accreditation;
2° the fees due to the "Accreditation Fund" for the issuance, management and monitoring of accreditation;
3° the time limits for reviewing the application;
4° the procedure for the control of accredited certification service providers.
§ 3. The choice of using an accredited certification service provider is free.
Art. 18. The Administration:
1° grants and withdraws accreditations. This mission is carried out by rules, services and persons distinct from those referred to in Article 20, § 2;
2° coordinates the consistent and transparent application of the principles and procedures for accreditation under this Act;
3° oversees the audit procedures of the entities referred to in section 2, 13° and the activities of these entities as part of the accreditation procedures;
4° communicates to the Commission and to the European Economic Area States:
(a) information on the voluntary accreditation regime established under this Act;
(b) the names and addresses of all certification service providers accredited in this framework;
5° executes all the notifications referred to in Article 11 of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a community framework for electronic signatures.
CHAPTER VI. - Certificate holders
Art. 19. § 1. At the time of the creation of the signature creation data, the certificate holder is solely responsible for the confidentiality of the signature data.
§ 2. In the event of doubt as to whether the confidentiality of the signature creation data has been maintained, or where the information contained in the certificate no longer corresponds to reality, the holder is required to have the certificate revoked.
§ 3. When a certificate has expired or has been revoked, the holder of the certificate may not, after the expiry of the certificate or after revocation, use the corresponding signature creation data to sign or have this data certified by another certification service provider.
CHAPTER VII. - Control and sanctions
Art. 20. § 1. The King determines, by order deliberated in the Council of Ministers, the rules relating to the control of certification service providers and the legal means of which the Administration may avail itself.
§ 2. The Administration is responsible for the control of certification service providers who issue qualified certificates to the public. Under certain conditions, established by the King, the Administration is empowered to request from certification service providers all the information necessary to verify their compliance with this Act.
§ 3. When the Administration finds that a certification service provider established in Belgium that delivers qualified certificates does not comply with the requirements of this Act, it gives the provider formal notice and sets a reasonable time limit within which the certification service provider must have taken the necessary measures to return to compliance with the law.
§ 4. If, after the expiry of this period, the necessary measures have not been taken, the Administration applies to the courts to:
(a) prohibit the certification service provider from continuing to issue qualified certificates and
(b) direct the certification service provider to immediately inform the holders of the qualified certificates issued by the certification service provider of their non-compliance with the requirements of this Act.
§ 5. If, after the above-mentioned period has passed, the certification service provider accredited under section 17 has not regularized its status, the Administration shall withdraw its accreditation of its own motion.
The certification service provider is required to mention in its electronic directory the withdrawal of the accreditation and to inform the certificate holders without delay.
Art. 21. § 1. Anyone who has usurped the status of accredited certification service provider shall be punished by imprisonment of eight days to three months and a fine of one thousand to ten thousand francs, or by one of these penalties only.
§ 2. When convicting for the offence referred to in paragraph 1, the competent court may order the insertion of the judgment, in whole or in extracts, in one or more newspapers, under the conditions it determines, at the expense of the convicted person.
We promulgate this Act, and order that it be sealed with the seal of the State and published in the Belgian Monitor.
Given in Brussels, 9 July 2001.
ALBERT
By the King:
Minister of Economy,
Ch. PICQUE
Minister of Justice,
Mr. VERWILGHEN
Minister of Telecommunications
and Public Participation,
R. DAEMS
Sealed with the seal of the State:
Minister of Justice,
Mr. VERWILGHEN
____
Notes
(1) Chamber of Representatives:
Regular session 1999-2000.
Parliamentary documents. - Bill No. 322/1.
Regular session 2000-2001.
Parliamentary documents. - Amendment No. 322/2 - Report No. 322/3 - Text adopted by the Commission on Economics, Scientific Policy, Education, National Scientific and Cultural Institutions, Middle Classes and Agriculture No. 322/4 - Text adopted in plenary meeting and transmitted to the Senate No. 322/5 - Draft amended by the Senate No. 322/6 - Report No. 322/7 - Text adopted in plenary meeting and submitted to the Senate No.
Annales de la Chambre des Représentants - Full Record : 15 February 2001. - Adoption: 14 June 2001.
Senate:
Regular session 2000-2001.
Documents of the Senate - Project transmitted by the House of Representatives No. 2-662/1 - Amendments Nos. 2-662/2 and 3 - Report No. 2-662/4 - Text amended by Committee No. 2-662/5 - Amendments No. 2-662/6 - Text adopted in plenary meeting and referred to the House of Representatives No. 2-662/7.
Annals of the Senate - May 17, 2001.
Formalities prescribed by Directive 98/34/EC
The formalities prescribed by Directive 98/34/EC of 22 June 1998 of the European Parliament and the Council, providing for an information procedure in the field of technical standards and regulations and rules relating to the services of the information society, were completed (notification 2000/0050/B).

ANNEX I
Requirements for qualified certificates
All qualified certificates must include:
(a) the indication that the certificate is issued as a qualified certificate;
(b) identification of the certification service provider and the country in which it is established;
(c) the name of the signatory or a pseudonym that is identified as such;
(d) the possibility of including, where appropriate, a specific quality of the signatory, depending on the use to which the certificate is intended;
(e) data relating to the signature verification that corresponds to data for signature creation under the control of the signatory;
(f) the indication of the beginning and end of the validity period of the certificate;
(g) the certificate identity code;
(h) the advanced electronic signature of the certification service provider that issues the certificate;
(i) limitations on the use of the certificate, if applicable and
(j) limits to the value of transactions for which the certificate may be used, if applicable.

ANNEX II
Requirements for certification service providers delivering qualified certificates
Certification service providers must:
(a) demonstrate that they are sufficiently reliable to provide certification services;
(b) ensure the operation of a fast and secure directory service and a secure and immediate revocation service;
(c) ensure that the date and time of issuance and revocation of a certificate can be accurately determined;
(d) verify, by appropriate means and in accordance with national law, the identity and, where appropriate, the specific qualities of the person to whom a qualified certificate is issued;
(e) employ staff with specific knowledge, experience and qualifications to provide services and, in particular, managerial skills, expertise in electronic signature technology and good practice of appropriate security procedures; they shall also apply administrative and management procedures and methods that are appropriate and conform to recognized standards;
(f) use reliable systems and products that are protected against modifications and that provide technical and cryptographic security for their functions;
(g) take measures against counterfeiting of certificates and, in cases where the certification service provider generates data related to the creation of signature, guarantee confidentiality during the process of generating such data;
(h) have sufficient financial resources to operate in accordance with the requirements of this Act, in particular to ensure liability for damages, for example by contracting appropriate insurance;
(i) record all relevant information relating to a qualified certificate for the useful period of 30 years, in particular in order to provide evidence of certification in court. Such recordings may be made by electronic means;
(j) not store or copy the data related to the creation of a signature of the person to which the certification service provider provided key management services;
(k) before establishing a contractual relationship with a person requesting a certificate in support of his or her electronic signature, inform the person through a durable means of communication of the specific terms and conditions for the use of the certificates, including the limits imposed on their use, the existence of a voluntary accreditation regime, and the complaint and dispute resolution procedures. This information, which can be transmitted electronically, must be made in writing and in a readily understandable language. Relevant elements of this information must also be made available, upon request, to third parties who rely on the certificate;
(l) use reliable systems to store certificates in a verifiable form so that:
(a) only authorized persons may introduce and modify data,
(b) information may be checked for its authenticity,
(c) certificates are available to the public for research only in cases where the certificate holder has given consent and
(d) any technical change that endangers these safety requirements is apparent to the operator.

ANNEX III
Requirements for secure electronic signature creation devices
1. Secure signature creation devices must at least ensure, through appropriate technical and procedural means, that:
(a) the data used for the creation of the signature can in practice occur only once and that their confidentiality is reasonably assured;
(b) there may be sufficient assurance that the data used to create the signature cannot be found by deduction and that the signature is protected from falsification by the technical means currently available;
(c) the data used to create the signature may be reliably protected by the legitimate signatory against their use by others.
2. Secure signature creation devices should not modify the data to be signed or prevent such data from being submitted to the signatory prior to the signature process.

ANNEX IV
Recommendations for Secure Signature Verification
During the signature verification process, it should be ensured with a sufficient margin of security that:
(a) the data used to verify the signature correspond to the data displayed to the verifier;
(b) the signature is verified in a secure manner and the result of that verification is correctly displayed;
(c) the verifier may determine, if necessary, the contents of the signed data;
(d) the authenticity and validity of the certificate required in verifying the signature are verified in a secure manner;
(e) the result of the verification and the identity of the signatory are correctly displayed;
(f) the use of a pseudonym is clearly indicated and
(g) any change affecting security may be detected.