Electronic signature decision

Original Language Title: Besluit elektronische handtekeningen

Decision of 8 May 2003 laying down requirements for the provision of electronic signature services (Electronic signatures Decision)

We Beatrix, by the grace of God, Queen of the Netherlands, Princess of Orange-Nassau, etc. etc. etc.

On the recommendation of the State Secretary for Economic Affairs of 13 November 2002, No DGTP/02/03931, Directorate-General for Legislation and Legal Affairs;

Having regard to Directive No 1999/93/EC of the European Parliament and the Council of the European Union of 13 December 1999 on a common framework for electronic signatures (PbEG 2000, L 13), as well as to Articles 16.1, 18.15, first and second paragraphs, and 18.17, first and fifth paragraphs, of the Telecommunications Act;

Having heard the Council of State (opinion of 12 December 2002, No W 10.02.0509/II);

Having regard to the further report of the State Secretary for Economic Affairs of 7 May 2003, No WJZ/03/00755;

Have approved and decreed:


Article 1

For the purposes of this Decision and the provisions based thereon, the following definitions shall apply:

a. Act:

Telecommunications Act;

b. Certification services:

the issue, management and revocation of qualified certificates by certification service providers, as well as other services related to the use of electronic signatures;

c. Key Management Services:

the generation, storage, supply or destruction of cryptographic key material used for the creation or verification of electronic signatures.


Article 2

  • 1 A certification service provider as referred to in Article 18.15, first paragraph, of the Act meets the following requirements:

    • a. He has reliable means and has reliable procedures for the provision of certification services to the public;

    • b. He applies procedures and processes in the field of administration and management in accordance with a described quality system that is consistent with the latest developments in quality systems;

    • c. He exclusively uses reliable systems and products that are either procedural or secure in accordance with the state of the art and which guarantee the technical and cryptographic security of the processes they support;

    • d. he shall take adequate measures against the falsification of qualified certificates issued by him and the issuing of illegal qualified certificates and, if he generates the data for the creation of signatures, ensures the confidentiality of the process by which this is done;

    • e. he shall make available sufficient financial resources to comply with the requirements of the Law to be able to function;

    • f. he employs staff who are competent in the field of the services offered, in particular in the field of management, of the technology for electronic signatures, and of the security procedures applied;

    • g. before issuing a qualified certificate, he verifies the identity and any specific attributes of the person who is identified as a signatory in that certificate, by checking the validity of the documents presented and by checking the correspondence between the documents and the characteristics of the person by means of visual inspection and, if necessary, by other means suitable for this purpose;

    • h. he shall determine the date and time of issue and the revocation of a qualified certificate, with an accuracy of one minute or less;

    • i. he shall, during the period of validity of the qualified certificate and for a period of at least seven years from the date of expiry of the qualified certificate, store all relevant information in respect of that qualified certificate, in particular the information necessary for the certification to be provided in court proceedings, including at least:

      • 1 °. the qualified certificate;

      • 2 °. all the particulars to prove the identity and attributes of the applicant; and

      • 3 °. all historical data on the issue and revocation of the qualified certificate;

    • j. he shall store certificates for the purposes of their own use and management in a verifiable form and using reliable systems, that:

      • 1 °. only competent persons may enter and amend data;

      • 2 °. the authenticity of the information may be verified;

      • 3 °. the certificates shall only be publicly available in the cases for which the signatory has given its consent; and

      • 4 °. any technical change that may endanger the security regulations mentioned shall be clear to the user;

    • k. he shall, taking into account the length of time he has disclosed between the request for revocation and publication of such revocation, ensure the safe and prompt withdrawal of the qualified certificates he has managed upon receipt of a request to do so by the signatory or a person or body designated by it, which request meets the procedure for the revocation of a qualified certificate, as published by the certification service provider;

    • l. he shall publish, during the period of validity of the qualified certificate issued, and for a period of at least six months after the date of expiry of the qualified certificate or, if that time is earlier, after the time at which its validity ends through revocation, by electronic means and in such a way that the publication may be consulted by all users of the relevant certification service as well as by all parties that rely on the issued qualified certificates:

      • 1 °. current and reliable information on the status of the issued qualified certificates; and

      • 2 °. issued qualified certificates provided that the signatory has authorized it;

    • m. he shall not store the data for the creation of electronic signatures of the persons to whom he has granted key management services; nor shall he copy any such information;

    • n. He has described complaint handling and dispute settlement procedures, and applies them;

    • o. he shall take measures to destroy, upon termination of service, the data for the creation of the electronic signature by which the relevant certification service provider signs the issued qualified certificates, at the earliest possible moment when the publication obligation, referred to in paragraph 1, makes this possible;

    • p. he shall make such provision for termination of service that:

      • 1 °. the qualified certificates issued by him shall be taken over by another registered certification service provider and shall be complied with in respect of this Article, unless this is not reasonably possible, and the Notification of the Signatories to the Agreement;

      • 2 °. where overtaking as referred to in part 1 is not reasonably possible, the qualified certificates shall be notified no later than the time at which the service is terminated, the signatories shall be notified thereof. the parts i, j and q are met for the remainder of the qualified certificates issued by a registered certification service provider;

    • q. he makes, regardless of the reason and circumstances of termination of service, and to the extent that the qualified certificates are not taken over by another certification service provider, provisions for the continuation of the service of publication pursuant to subparagraph 1, in the usual manner and up to a minimum of six months after the date of termination of the service;

    • r. he shall inform, in writing, by a durable means of communication and on his own initiative, the person who wishes to have a qualified certificate in support of his electronic signature and with whom he wishes to enter into an agreement, and, on request, the third parties who rely on the qualified certificate, of at least:

      • 1 °. the exact conditions for the use of the qualified certificate including any restrictions on this use, as well as any changes to the terms and conditions;

      • 2 °. the existence of a voluntary accreditation;

      • 3 °. the procedure for the revocation of the qualified certificate, both at the request of the user and by the user himself, and

      • 4 °. Complaints handling and dispute settlement procedures;

    • s. he shows by a statement of a competent authority that he, each of the directors of the company, and the employees within his undertaking who are tasked with processing confidential or sensitive data in the framework of the provision of certification services, have not within the last four years been irrevocably sentenced for a crime to an unconditional custodial sentence of more than six months by a judge in the Netherlands, the Netherlands Antilles or Aruba, and

    • t. he shall, without delay after every breach of security or loss of integrity that has, or may have, significant consequences for the reliability of qualified certificates issued or issued by him, notify that infringement or that loss to the Consumer and Market Authority, referred to in Article 2, first paragraph, of the Establishment Act of the Consumer and Market Authority, and to Our Minister of Security and Justice, stating in the notification to both of them:

      • 1 °. the nature and extent of the infringement or loss;

      • 2 °. the estimated time of the commencement of the infringement or loss;

      • 3 °. the possible consequences of the infringement or loss;

      • 4 °. a forecast of the time necessary to investigate the infringement;

      • 5 °. if possible, measures taken or to be taken by the certification service provider in order to mitigate or prevent a recurrence of the consequences of the infringement or loss;

      • 6 °. contact details of the staff member established in the Netherlands who is responsible for doing the notification.

  • 2 The sentence referred to in paragraph 1 shall be treated in the same way as an irrevocable sentence to an unconditional custodial sentence of more than six months by another Judge on the grounds of a crime for which he is subject to the law of the Court of First Law of a provisional detention order following Article 67, first paragraph, of the Code of Criminal Procedure has been authorised;

  • 3 The sentence of an unconditional custodial sentence referred to in paragraph 2 shall be treated in the same way as an order for the enforcement of a custodial sentence of such an unconditional order.


Article 3

Certificates as referred to in Article 18.15, second paragraph, of the Act contain at least:

  • a. the indication that the certificate is issued as a qualified certificate;

  • b. the identification and the country of establishment of the issuing certification service provider;

  • c. the name of the signer or a pseudonym identified as such;

  • d. space for a specific attribute of the signatory, which, if necessary, depends on the purpose of the qualified certificate;

  • e. data for verifying the signature corresponding to the data for the creation of the signature which is under the control of the signatory;

  • f. indication of the times of the beginning and the end of the period of validity of the qualified certificate;

  • g. the identity code of the qualified certificate;

  • h. the electronic signature of the issuing certification service provider that complies with the criteria of Article 15a, second paragraph, parts a to d, of Book 3 of the Civil Code;

  • i. any restrictions on the use of the qualified certificate; and

  • j. any limits with respect to the value of the transactions for which the qualified certificate can be used.


Article 3a

  • 1 An organisation which wishes to be eligible for a designation as referred to in Article 18.16 of the Act shall submit an application for that purpose and meet the following requirements:

    • a. The organisation employs suitably qualified personnel that can be used as an auditor to carry out a conformity assessment of a certification service provider;

    • b. The organisation's regulations provide sufficient guarantees that a certification service provider evaluated by the designated organisation in accordance with these Regulations complies with Article 18.15, first paragraph, of the Act and that the qualified certificates issued or issued by a certification service provider to the public comply with Article 18.15, second paragraph, of the Act ;

    • c. the organisation shall apply conditions which are objective, transparent, proportionate and non-discriminatory;

    • d. the organisation is accredited on the basis of the standard EN 45011:1998, EN-ISO/IEC 17065:2012 or ISO 17021:2011 or an equivalent standard, which accreditation shall include the subject area "Qualified certificates", by the Council for Accreditation or any other accreditation body within the meaning of Article 4 of Regulation (EC) No 765/2008.

  • 2 By ministerial arrangement rules are laid down regarding the manner in which and to whom an application for designation as an organization as referred to in Article 18.16 of the Act shall be submitted, together with the information submitted, and the cooperation of any application submitted.

  • 3 A designation may be subject to rules that may relate to the duration of designation, the quality of the organisation and the provision of information.

  • 4 By ministerial arrangement rules may be laid down concerning the provision of information related to evidence of review issued by a designated organisation as referred to in Article 18.16, first paragraph, of the Act, as well as the cooperation provided by a designated organisation with a view to meeting the requirements of that organisation.


Article 3b

  • 1 The personnel employed by the organisation as an auditor to carry out a conformity assessment of a certification service provider:

    • a. has training at a minimum of HBO or an equivalent significant experience and additional vocational training and training;

    • b. has an equivalent of at least four years of full-time practical experience in information technology, at least two years of which is in a function in relation to Public Key Infrastructure and information security;

    • c. has sufficient understanding of the technical specification ETSI TS 319 411-2, or any equivalent technical specification;

    • d. has sufficient understanding of the concepts of management systems in general;

    • e. has sufficient understanding of subjects related to Public Key Infrastructure, management of information security and organisational reliability;

    • f. has adequate knowledge of the principles and processes related to risk assessment and risk management;

    • g. has completed a training of at least 5 days on the evaluation of management systems and management of assessment processes;

    • h. has the following personal characteristics: having integrity, unbiased, mature attitude, discernment, analytical, tenacious, and realistic;

    • i. can place complex operations in a broad perspective and understand the role of individual units in large organizations;

    • j. has knowledge and properties to manage assessment processes;

    • k. ensures that the proprietary knowledge and skills in the field of Public Key Infrastructure, management of information security and management systems assessment are continuously maintained;

    • l. has, prior to acting independently as an auditor, gained experience in the whole process of assessment of certification service providers, obtained by participating under the supervision of an experienced auditor in at least four assessments consisting of a total of at least 20 days, including documentation review, implementation review and assessment report.

  • 2 In addition to the requirements mentioned in the first paragraph, an auditor who acts as the leader of an audit team shall meet the following requirements:

    • a. he has acted as a qualified auditor in at least three complete assessments of certification service providers;

    • b. He possesses adequate knowledge and properties to manage the assessment process;

    • c. He can communicate effectively, both orally and in writing.

  • 3 An assessment team as a whole shall meet the following requirements:

    • a. In each of the following knowledge areas, at least one auditor shall be qualified within the assessment team to assume responsibility for:

      • 1 °. the necessary knowledge of the regulations which must be met in the field of certification services and information security;

      • 2 °. the necessary knowledge of the latest state of the art concerning Public Key Infrastructure;

      • 3 °. The necessary knowledge to implement an information security related risk assessment to discontinue vulnerabilities in the certification service provider, understanding their significance for service delivery and reducing and substandard risk. control of these vulnerabilities and

      • 4 °. the necessary knowledge of organisational reliability issues;

    • b. the assessment team is competent to trace indications of vulnerabilities in certification services back to the relevant elements of the certification service provider's management system in order to be able to improve them.

  • 4 In order to ensure that the assessment team has all the necessary expertise at its disposal, technical experts with specific knowledge on the subjects mentioned in paragraph 3 (a), 1 ° to 4 °, may be engaged to assist the assessment team, even if they do not meet all criteria for an individual auditor.

  • 5 The technical experts referred to in paragraph 4 shall be accountable to the leader of the audit team at all times and do not function independently of the auditors in the team who are qualified as auditor.


Article 4

  • 1 An institution which wishes to be eligible for a designation as referred to in Article 18.17a, first paragraph, of the Act shall submit an application for that purpose and meet the following requirements:

    • a. It applies a review framework to ensure that the rated safe means of making electronic signatures comply with the legal requirements;

    • b. it is accredited on the basis of the standard NEN-EN 45011:1998 or the ISO/IEC 17065:2012 standard, which accreditation includes the subject area safe means of creating electronic signatures, by the Council for Accreditation or another accreditation body within the meaning of Article 4 of Regulation (EC) No 765/2008;

    • c. It uses test laboratories that meet standard EN-EN-ISO 17025 for testing of safe means for the creation of electronic signatures according to ISO/IEC 15408:2005.

  • 2 The institution which wishes to be eligible for a designation as referred to in Article 18.17a, first paragraph, of the Act comply, without prejudice to paragraph 1, with the following requirements:

    • a. It does not engage in activities that may threaten the independence of its judgment and the integrity in the exercise of its task;

    • b.

      • 1 °. it is independent of organisations involved in the design, manufacture, sale and supply, installation, maintenance or management of safe means, as well as of certification service providers and users, in so far as the use of safe means of electronic signature creation is concerned;

      • 2 °. it is financially independent of the parties concerned;

      • 3 °. the Director and the personnel responsible for the assessment of conformity shall not be a designer, manufacturer, supplier or installer of secure means, certification service provider, or agents of any of those parties;

      • 4 °. it is not directly involved in the design, manufacture, sale or maintenance of safe means, nor acts as the agent of the parties involved.

    • c. employs staff that:

      • 1 °. possess sufficient competence to establish, with a high degree of occupational integrity, the conformity of safe means for the creation of electronic signatures with the requirements for these safe means referred to in Article 5 of this Decision; and

      • 2 °. reliable procedures shall be used;

    • d. it assesses the conformity in a transparent manner, sets out all relevant information in writing, ensures that all interested parties can make use of its services and applies its procedures without any discrimination;

    • e. it has sufficient staff and facilities to ensure that the technical and administrative work which results from its tasks can be carried out properly and rapidly;

    • f. the personnel responsible for assessing the conformity of the safe means with the requirements,

      • 1 °. has received appropriate training, in particular in the field of technologies for electronic signatures and the related aspects of the safety of the use of computers;

      • 2 °. possess a proper knowledge of requirements on conformity assessment to be carried out and has sufficient experience of such assessments;

    • g. it shall ensure the impartiality of staff, inter alia, by not making their pay dependent on the number of conformity assessments carried out or of the results of those assessments;

    • h. It shall keep sufficient financial resources to comply with the requirements of the Law to be able to function;

    • i. it shall treat the information notified to it as confidential; and

    • j. it represents the agreed activities of the institutions by which it is undertaking a part of the conformity assessment and can demonstrate that this institution is capable of providing the service concerned.

  • 3 The institution which is part of an organisation engaged in activities other than the assessment of the conformity of safe means for the creation of electronic signatures with the requirements referred to in Article 5 shall be identifiable within that organisation as a designated institution as referred to in Article 18.17a, first paragraph, of the Act, and shall separate its activities from the other activities, thereby ensuring the correct assessment of the conformity of secure means.

  • 4 By ministerial arrangement rules are laid down regarding the manner in which and to whom an application for designation as an institution as referred to in Article 18.17a, first paragraph, of the Act the information submitted and the cooperation of an application submitted.

  • 5 A designation may be subject to rules relating to the duration of designation, the quality of the organisation, and the provision of information.

  • 6 By ministerial arrangement rules may be laid down concerning the provision of information relating to certificates issued by a designated institution as referred to in Article 18.17a, first paragraph, of the Act, as well as the cooperation provided by a designated institution for the purpose of meeting the requirements of that institution.


Article 5

A safe means for the creation of electronic signatures shall meet the following requirements:

  • a. ensure that the data for the creation of electronic signatures can be used in practice only once and the confidentiality of the data is reasonably guaranteed;

  • b. ensuring, with reasonable assurance, that the data for the creation of electronic signatures cannot be derived and that the electronic signature is protected against falsification by the date of issuance of the signature; statement of available techniques;

  • c. to ensure that the data for the creation of electronic signatures by the legitimate signatory can be reliably protected against use by others;

  • d. it does not change the data to be signed and does not prevent that data from being submitted to the Signatory prior to signature.


Article 6

Detailed rules may be laid down by ministerial arrangement in relation to the requirements of this Decision.


Article 7

[Ed.: Amends the Telecommunications Act Fees Decision.]

Article 8

This Decision shall enter into force on the date on which the Electronic signature law enters into force.


Article 9

This decision is referred to as: Electronic signatures decision.

Order and direct that this Decision, together with the explanatory note accompanying it, shall be placed in the Official Journal.

's-Gravenhage, 8 May 2003

Beatrix

The State Secretary for Economic Affairs,

J. G. Wijn

Published on the 20th of May 2003

The Minister of Justice,

J. P. H. Donner