The Law On Electronic Signature (Esignaturloven)

Original Language Title: Lov om elektronisk signatur (esignaturloven)


Read the untranslated law here: https://lovdata.no/dokument/NL/lov/2001-06-15-81

The law on electronic signature (esignaturloven).

Date: LAW-2001-06-15-81
Ministry: Ministry of Industry and Fisheries
Recently changed: LAW-2015-06-19-65 from 01.10.2015
Published: in 2001, booklet 7
Entry into force: 01.07.2001
Change:
Announced:
Short title: Esignaturloven - esignl.

Chapter overview:
Chapter I. General rules (§§ 1-7)
Chapter II. Secure signature creation systems (§§ 8-9)
Chapter III. Requirements for issuers of qualified certificates (§§ 10-16)
Chapter IIIa. Voluntary certification schemes, approval schemes or self-declaration schemes (§ 16 a)
Chapter IV. Supervision and sanctions (§§ 17-24)
Chapter V. International relations (§ 25)
Chapter VI. Entry into force and transitional rules (§§ 26-27)

Chapter I. General rules

§ 1. Purpose
The purpose of this Act is to facilitate the safe and effective use of electronic signatures by setting requirements for qualified certificates, for the issuers of these certificates and for secure signature creation systems.

§ 2. Scope
The Act applies to certificate issuers that are established in Norway. The Act regulates the framework conditions for the use of qualified electronic signatures, with the exception of § 6, second sentence, § 7 and § 16 a, which apply to all electronic signatures.
The King may by regulation determine that the Act shall apply to Svalbard and Jan Mayen.

§ 3. Definitions
In this Act, the following terms mean:
1. electronic signature: data in electronic form which is associated with other electronic data and which is used as an authentication method,
2. advanced electronic signature: an electronic signature that
a) is uniquely linked to the signatory,
b) can identify the signatory,
c) is created using means that only the signatory has control over, and
d) is associated with other electronic data in such a way that it can be detected if these have been changed after signing,
3. qualified electronic signature: an advanced electronic signature that is based on a qualified certificate and created by an approved secure signature creation system,
4. signatory: the person who holds a signature creation system and acts on their own behalf or on behalf of another natural or legal person,
5. signature creation data: unique data, such as codes or private keys, which the signatory uses to create an electronic signature,
6. signature creation system: software or hardware that is used to create an electronic signature using the signature creation data,
7. signature verification data: unique data, such as codes or public keys, which are used to verify an electronic signature,
8. signature verification system: software or hardware that is used to verify an electronic signature using the signature verification data,
9. certificate: a link between signature verification data and a signatory that confirms the signatory's identity and is signed by the certificate issuer,
10. certificate issuer: a natural or legal person who issues certificates or provides other services related to electronic signatures,
11. certification scheme: any scheme in which a third party confirms in writing that a certificate issuer's products, processes or services meet specified requirements, and where the certificate issuer is not entitled to exercise the rights conferred by the certification before having received the third party's confirmation,
12. approval scheme: any scheme in which a third party gives permission for a certificate issuer's products, processes or services to be marketed or used for specified purposes or under specified conditions,
13. self-declaration scheme: any scheme in which certificate issuers submit a self-declaration to a third party stating that specified requirements have been met.

§ 4. The term qualified certificate
The term qualified certificate shall only be used for certificates that meet the requirements in this paragraph and are issued for a limited period by a certificate issuer that meets the requirements in §§ 10-15.
A qualified certificate shall contain the following information:
a) a statement that the certificate is issued as a qualified certificate,
b) the certificate issuer's identity and the State in which it is established,
c) the signatory's name, or a pseudonym with an indication that it is a pseudonym,
d) if applicable, further information about the signatory where it is relevant for the use of the certificate,
e) the signature verification data corresponding to the signature creation data under the signatory's control,
f) the certificate's effective date and expiration date,
g) the certificate's identification code,
h) the certificate issuer's advanced electronic signature,
i) any limitations on the certificate's scope, and
j) any monetary limits in the certificate on the transactions for which the certificate can be used.

The King may by regulation lay down further rules on what a qualified certificate shall contain.

§ 5. Requirements for qualified electronic signatures used in communication with and within the public sector
The King may lay down further rules on the requirements to be set for qualified electronic signatures that are used in communication with and within the public sector.

§ 6. Legal effects of electronic signatures
If a law, regulation or other rule requires a signature in order to obtain a specific legal effect, and the disposition can be carried out electronically, a qualified electronic signature always meets such a requirement. An electronic signature that is not qualified can meet such a requirement.

§ 7. The collection and use of personal information
A certificate issuer may only collect personal information directly from the person the information concerns, or with that person's explicit consent, and only to the extent necessary for issuing or maintaining a certificate. The information must not be collected or processed for any other purpose, unless the person the information concerns has given explicit consent. The Data Inspectorate shall supervise that this provision is met. To the extent permitted by this Act, the Personal Data Act §§ 42-47 with regulations apply to the Authority's control under the first sentence.

Chapter II. Secure signature creation systems

§ 8. Requirements for secure signature creation systems
A secure signature creation system shall ensure that the signature is adequately protected against forgery. Furthermore, a secure signature creation system shall ensure that the signature creation data:
a) in practice can occur only once and with a reasonable level of security remain secret,
b) to a reasonable extent cannot be derived, and
c) can be reliably protected by the rightful signatory against use by others.

A secure signature creation system must not alter the data in electronic form that are to be signed, or prevent the data from being displayed to the signatory before signing.

§ 9. Approval of secure signature creation systems
Approval as a secure signature creation system, cf. § 8, is granted by the body that the King appoints. The King may by regulation lay down further provisions on the body and on the requirements for secure signature creation systems.
Approval by a similar body in another State that is party to the EEA Agreement is equivalent to approval under the first paragraph.
The requirements in § 8 shall be deemed fulfilled when the hardware or software used is in accordance with the standards for electronic signature products that the European Commission sets out and publishes in the Official Journal of the European Communities.

Chapter III. Requirements for issuers of qualified certificates

§ 10. Requirements for the business
Issuers of qualified certificates shall conduct and manage their business in a proper way so that they can offer secure, reliable and well-functioning certificate services.
The certificate issuer shall at all times have sufficient financial resources to run the business according to the requirements set in or pursuant to this Act.

§ 11. Requirements for products and systems
Issuers of qualified certificates shall use reliable products and systems that are protected against alteration and that provide technical and cryptographic security for the processes they support.
The requirements of the first paragraph shall be deemed fulfilled if the certificate issuer uses products and systems that are approved by a body according to § 9 subsections, or that are in accordance with the standards set by the European Commission under § 9, third paragraph.
The certificate issuer shall take measures against forgery of certificates. If the certificate issuer generates the signature creation data, the issuer shall guarantee the confidentiality of these data during the generation process.

§ 12. Requirements for directory and revocation service
Issuers of qualified certificates shall ensure a quick and secure directory and revocation service and ensure that it is possible to determine the date and time of the entry into force or the revocation of a certificate.

§ 13. Requirements for verification of the signatory's identity
Issuers of qualified certificates are responsible for ensuring that the identity of the signatory and other relevant information about the person are verified through secure routines.
Information about the routines mentioned in the first paragraph shall be available to the public.

§ 14. Requirements for the storage of information
Issuers of qualified certificates shall store all relevant information about qualified certificates for a reasonable period of time, but at least 10 years after the certificate is registered in the revocation list.
The certificate issuer shall use reliable systems for storing certificates in verifiable form, so that
a) the authenticity of the information can be checked,
b) the certificates are only available to the public in cases where the holder has given consent, and
c) any technical changes that endanger these security requirements are visible to the operator.

Issuers of qualified certificates must not store or copy the signatory's signature creation data.

§ 15. Requirements for information about conditions, limitations and the like
Before a certificate issuer enters into an agreement to issue a qualified certificate, the issuer shall inform the other party in writing about
a) conditions and limitations for the use of the certificate,
b) any non-governmental certification, approval or self-declaration schemes, and
c) procedures for complaints and dispute resolution.

Information in accordance with the first paragraph may be sent electronically, if this is done in a form that is immediately readable by the other party. It shall also be possible for the signature recipient to check this information.

§ 16. Supplementary requirements
The King may by regulation lay down further rules on the requirements that can be set for issuers of qualified certificates in order to meet the provisions of §§ 10-15.

Chapter IIIa. Voluntary certification schemes, approval schemes or self-declaration schemes

§ 16 a. Establishment of voluntary certification schemes, approval schemes or self-declaration schemes
The Ministry may by regulation establish voluntary certification, approval or self-declaration schemes with the aim of raising the level of certificate services in order to increase confidence in and use of such services.
The Ministry may in the regulations determine the requirements to be set for such schemes, designate the responsible body and decide that fees shall be paid to the body. The fees shall not exceed the cost of the body's activities.
To bring unlawful activity to an end, or to ensure that orders or conditions given in regulations issued under this section are complied with, the body designated under the second paragraph may impose a recurring coercive fine under the rules in § 20.

Chapter IV. Supervision and sanctions

§ 17. Supervision of issuers of qualified certificates
The King may appoint a body to supervise compliance with this Act and its regulations.
The authority may require the information and documents that are needed to perform its duties, and set a deadline for submitting them.
The authority may order that a situation that is inconsistent with the provisions given in or pursuant to this Act shall cease, and set conditions that must be met for the business to be in accordance with the law.
The authority may require that an IT audit be carried out at issuers of qualified certificates and appoint an auditor to carry out the IT audit. The certificate issuer may be ordered to pay for the audit.
The authority may deprive a certificate issuer of the right to use the term qualified certificate if the certificate issuer grossly or repeatedly fails to comply with the rules.
The King may issue further regulations on the authority's activities.

§ 18. Registration of issuers of qualified certificates
A certificate issuer may not issue qualified certificates before a registration notice has been sent to the authority. Changes to information already registered, and new information that is to be registered, shall be reported to the authority without undue delay.

§ 19. Access to premises, etc.
As part of its control, the authority may require access to the places where the business under supervision is operated.
The authority may carry out the checks it deems necessary, and require assistance from the staff at the site to the extent needed to carry out the control.
Section 15 of the Act of 10 February 1967 on administrative matters, concerning the procedure for inspections, applies.

§ 20. Coercive fine
To ensure that the provisions given in or pursuant to this Act are observed, the authority may decide that the certificate issuer shall pay a daily recurring fine to the State until the unlawful activity has ceased or the orders and conditions given under the legal authority of this Act have been carried out.
The coercive fine does not begin to run before the appeal deadline has expired. If the decision on the coercive fine is appealed, no coercive fine runs before the appeal is settled, unless the appeal body decides otherwise.
The authority may waive an accrued coercive fine.

§ 21. Punishment
A fine shall be imposed on anyone who intentionally or through gross negligence
a) fails to register or send notice under § 18,
b) fails to provide information under § 17,
c) processes personal information in violation of §§ 7 and 14, or
d) gives incorrect or misleading information to the authority.

§ 22. Compensation
A certificate issuer who issues certificates that are presented as qualified, or who guarantees for such certificates issued by another, is liable for the loss suffered by a natural or legal person as a result of that person having had reasonable grounds to be confident that:
a) the information specified in the certificate was correct at the time of issue,
b) the certificate contains all the information required pursuant to § 4,
c) the signature creation data and the signature verification data belong together in a unique way, if the certificate issuer generates both,
d) the signatory held the correct signature creation data at the time when the certificate was issued, or
e) the certificate is registered in the revocation list, cf. § 12.

The certificate issuer is liable under subsection unless he proves that he, or the one he guarantees for, has not acted negligently.
The certificate issuer is not liable for damage caused by the certificate having been used contrary to the apparent limitations in the scope of the certificate or beyond its monetary limits.

§ 23. Right of appeal
The authority's decisions under the provisions given in or pursuant to this Act may be appealed to the body the King appoints.

§ 24. Fee
The King may by regulation decide that certificate issuers that are obliged to register under § 18 shall pay a fee. The fees shall not exceed the cost of the authority's activities.

Chapter V. International relations

§ 25. Legal recognition of qualified certificates from issuers established outside Norway
Certificates from certificate issuers that are established within the EEA are considered qualified certificates in accordance with this Act if they meet the requirements for a qualified certificate in the country where the issuer is established.
Qualified certificates from certificate issuers that are established in countries outside the European Economic Area shall be given legal recognition on a par with qualified certificates from certificate issuers within the EEA if:
a) the issuer meets the requirements of an EEA State and has been approved according to a voluntary certification or approval scheme in that State,
b) a certificate issuer that is established within the EEA, and that meets the requirements of the State of establishment, guarantees for the issuer, or
c) the certificate or the issuer is recognized according to multilateral or bilateral agreements between the EU and Norway or third countries or international organisations.

Chapter VI. Entry into force and transitional rules

§ 26. Entry into force
The Act takes effect from the time that the King decides.

§ 27. Transitional rules
Issuers of qualified certificates shall, within 6 months after the Act has come into force, register according to § 18 or within the same time limit stop calling the certificates qualified or using a designation that gives the impression that they are qualified.