Advanced Search

Law No. 455 Of 18 July 2001 On Electronic Signature

Original Language Title:  LEGE nr. 455 din 18 iulie 2001 privind semnătura electronică

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now for only USD$40 per month.
LEGE no. 455 455 of 18 July 2001 (* republished *) on electronic signature *)
ISSUER PARLIAMENT
Published in OFFICIAL MONITOR no. 316 316 of 30 April 2014



---------- Note * *) Republicated pursuant to art. 248 248 of Law no. 187/2012 for the implementation of Law no. 286/2009 on Criminal Code , published in the Official Gazette of Romania, Part I, no. 757 of 12 November 2012, corrected in the Official Gazette of Romania, Part I, no. 117 117 of 1 March 2013, as amended, giving the texts a new numbering. Law no. 455/2001 was published in the Official Gazette of Romania, Part I, no. 429 429 of 31 July 2001. + Chapter I General provisions + Section 1 General principles + Article 1 This law establishes the legal regime of the electronic signature and the documents in electronic form, as well as the conditions of the provision of electronic signatures certification services. + Article 2 This law is supplemented by the legal provisions on the conclusion, validity and effects of legal acts. + Article 3 No provision of this law can be interpreted in the sense of limiting the autonomy of the will and the contractual freedom of the parties. + Section 2 Definitions + Article 4 Within the meaning of this law: 1. data in electronic form are representations of information in a conventional form suitable for the creation, processing, sending, receiving or storing it by electronic means; 2. inscribed in electronic form represents a collection of data in electronic form between which there are logical and functional relationships and which render letters, figures or any other characters with intelligible meaning, intended to be read through a computer programme or other similar procedure; 3. electronic signature means data in electronic form, which are attached or logically associated with other data in electronic form and which serve as a method of identification; 4. the extended electronic signature represents that electronic signature that cumulatively meets the following conditions: a) is uniquely linked to the signatory; b) ensure identification of the signatory c) is created by means controlled exclusively by the signatory; d) is related to the data in electronic form, to which it is reported in such a way that any subsequent modification thereof is identifiable; 5. the signatory shall represent a person holding an electronic signature creation device and acting either on his own behalf or as a representative of a third party; 6. electronic signature creation data is any data in electronic form of a uniqueness, such as codes or private cryptographic keys, which are used by the signatory for the creation of an electronic signature; 7. Electronic signature creation device represents configured software and/or hardware, used to implement electronic signature creation data; 8. secure electronic signature creation device represents that electronic signature creation device that cumulatively meets the following conditions: a) the signature creation data, used for its generation, can occur only once and their confidentiality can be ensured; b) the signature creation data, used for its generation, cannot be deducted; c) the signature is protected against falsification by means of technical means available at the time of its d) the signature creation data can be effectively protected by the signatory against their use by unauthorized persons; e) not to modify the data in electronic form, which must be signed, nor to prevent them from being presented to the signatory before the completion of the signing process; 9. electronic signature verification data is data in electronic form, such as public cryptographic codes or keys, which are used for the purpose of checking an electronic signature; 10. electronic signature verification device represents configured software and/or hardware, used to implement electronic signature verification data; 11. certificate represents a collection of data in electronic form certifying the link between the electronic signature verification data and a person, confirming the identity of that person; 12. qualified certificate is a certificate that satisfies the conditions laid down in art. 18 and which is issued by a certification service provider that satisfies the conditions laid down in art. 20 20; 13. certification service provider represents any person, Romanian or foreign, issuing certificates or providing other services related to electronic signature; 14. qualified certification service provider is that certification service provider issuing qualified certificates; 15. electronic signature associated product is software or hardware, intended to be used by a certification service provider for the provision of electronic signature-related services or intended to be used for the creation of, or electronic signature check. + Chapter II Legal regime of documents in electronic form + Article 5 The electronic form, which was incorporated, attached or logically associated with an extended electronic signature, based on a qualified certificate unatspendered or unevoked at the time and generated with the help of a secure device creation of the electronic signature, is assimilated, in terms of its conditions and effects, with the inscription under private signature. + Article 6 The inscription in electronic form, which has been incorporated, attached or logically associated with an electronic signature, recognized by the one to whom it opposes, has the same effect as the authentic act between those who subscribed it and between those who represent them. rights. + Article 7 In cases where, according to the law, the written form is required as a condition of proof or validity of a legal act, an inscribed in electronic form meets this requirement if it has been incorporated, attached or logically associated with a signature. Extended electronics, based on a qualified certificate and generated by means of a secure signature creation device. + Article 8 (1) If one of the parties does not recognize the registration or signature, the court will always order that the verification be done through specialized technical expertise. (2) For this purpose, the expert or specialist is obliged to request qualified certificates, as well as any other necessary documents, according to the law, to identify the author of the document, the signatory or the certificate holder. + Article 9 (1) The party invoking before the court an extended electronic signature must prove that it meets the conditions laid down in art. 4 4 section 4. (2) The extended electronic signature, based on a qualified certificate issued by an accredited certification service provider, is presumed to meet the conditions laid down in art. 4 4 section 4. + Article 10 (. The party invoking before the court a qualified certificate must prove that the certification service provider which issued that certificate meets the conditions laid down in art. 20. (2) The accredited certification service provider is presumed to meet the conditions laid down in art. 20. + Article 11 (1) The party that invokes before the court a secure signature creation mechanism must prove that it meets the conditions laid down in art. 4 4 section 8. (2) The secure signature generation device, approved for the purpose of this law, is presumed to meet the conditions provided in art. 4 4 section 8. + Chapter III Provision of certification services + Section 1 Common provisions + Article 12 (1) The provision of certification services is not subject to any prior authorization and is carried out in accordance with the principles of free and fair competition, in compliance with the normative acts in force. ((2) The provision of certification services by suppliers established in the Member States of the European Union shall be made under the conditions laid down in the European Agreement establishing an association between Romania, of the one part, the European Communities and the Member States of them, on the other hand. + Article 13 (1) 30 days before the commencement of activities related to the certification of electronic signatures persons intending to provide certification services are required to notify the regulatory and supervisory authority specialized in domain as to the start date of these activities. (2) With the notification provided in par. (1), certification service providers are required to communicate to the regulatory and supervisory authority specialized in the field all information relating to the security and certification procedures used, as well as any other information required by the relevant regulatory and supervisory authority. (3) Certification service providers are required to communicate to the regulatory and supervisory authority specialized in the field, at least 10 days in advance, any intention to modify the security and certification procedures, with specifying the date and time at which the amendment takes effect, as well as the obligation to confirm within 24 hours the modification made. (4) In cases of urgency, where the security of certification services is affected, suppliers may make changes to security and certification procedures, and will communicate, within 24 hours, to the regulatory authority and specialized supervision in the field of changes made and justification of the decision taken (5) Certification service providers are obliged to observe, during the course of their activity, the declared security and certification procedures, according to par. ((2), (3) and (4). + Article 14 (1) The certification service provider shall provide access to all information necessary for the correct and safe use of its services. That information will be provided prior to the birth of any contractual relationship with the person applying for a certificate or, as the case may be, at the request of a third party that avails itself of such (2) The information provided in par. (1) will be formulated in writing, in an accessible language, and will be transmitted by electronic means, in conditions that allow their storage and reproduction. (3) The information provided in par. ((1) shall refer at least to: a) the procedure to be followed for the purpose of electronic signature creation and verification b) the tariffs charged; c) the detailed rules and conditions for the use of certificates, including the limits imposed on their use, provided that such limits may be known to third parties; d) the obligations that incumba, according to this law, to the holder of the certificate and the certification service provider; e) the existence of an accreditation, if applicable; f) the contractual conditions for issuing the certificate, including any limitations of the liability of the certification service provider; g) the means of dispute resolution; h) any other information established by the regulatory and supervisory authority specialized in the field. (4) The certification service provider shall submit to the applicant a copy of the certificate. (5) From the moment of acceptance of the certificate by the applicant, the certification service provider will register the certificate in the register provided for in art. 17. + Article 15 (1) Individuals who perform, according to the law, in their own name, certification services, as well as the employee personnel of the certification service provider, natural or legal person, are obliged to keep the information secret entrusted in their professional activity, with the exception of those in respect of which the holder of the certificate accepts to be published or communicated to third parties. (2) The obligation provided in par. ((1) incumba and personnel of the regulatory and supervisory authority specialized in the field, as well as persons empowered by it. (3) Violation of the obligation provided in par. (1) and (2) constitute a criminal offence and shall be punished with imprisonment from 3 months to 2 years or a fine. + Article 16 (1) The regulatory and supervisory authority specialized in the field and certification service providers have the obligation to comply with the legal provisions regarding the processing of personal data. (2) Certification service providers may not collect personal data except from the person applying for a certificate or, with the express consent of it, from third parties. The collection shall be made only to the extent that such information is necessary for the purposes of issuing and preserving the certificate. The data may be collected and used for other purposes only with the express consent of the person requesting the certificate. (. Where a pseudonym is used, the true identity of the holder may not be disclosed by the certification service provider except with the consent of the holder or at the request of a competent public authority. + Article 17 (1) Certification service providers are required to create and maintain an electronic register of certificates issued. (. The electronic register of certificates issued shall make mention of: a) the exact date and time on which the certificate was issued; b) the exact date and time at which the certificate expires; c) where applicable, the exact date and time on which the certificate was suspended or revoked, including the cases leading to suspension or revocation. (3) The electronic register of certificates issued must be permanently available for consultation, including online. + Section 2 Provision of qualified certification services + Article 18 (. The qualified certificate shall contain the following particulars: a) indication that the certificate has been issued as a qualified certificate; b) the identification data of the certification service provider, as well as its citizenship, in the case of individuals, respectively its nationality, in the case of legal entities; c) the name of the signatory or his pseudonym, identified as such, and other specific attributes of the signatory, if relevant, depending on the purpose for which the qualified certificate is issued; d) the personal identification code of the signatory; e) the signature verification data, which correspond to the signature creation data under the exclusive control of the signatory; f) indication of the beginning and end of the period of validity of the qualified certificate; g) the identification code of the qualified certificate; h) extended electronic signature of the certification service provider issuing the qualified certificate; i) where applicable, the limits of the use of the qualified certificate or the value limits of the operations for which it may be used j) any other information established by the regulatory and supervisory authority specialized in the field. (. Each signatory shall be assigned by the certification service provider a personal code to ensure the unique identification of the signatory. (3) The generation of the personal identification code and the identification code of the qualified certificate will be made on the basis of the regulations established by the regulatory and supervisory authority specialized in the field. (4) At the request of the holder the certification service provider will be able to register in the qualified certificate and other information than those mentioned in par. (1), provided that they are not contrary to the law, to good morals or public order, and only after a prior verification of the accuracy of this information. (5) The qualified certificate will expressly indicate that a pseudonym is used, when the holder is identified by a pseudonym. + Article 19 (1) When issuing qualified certificates, certification service providers are required to verify the identity of applicants exclusively on the basis of identity documents. (2) On the issue of each qualified certificate the suppliers have the obligation to issue two copies of it, on paper, of which one copy is made available to the holder, and the other is kept by the suppliers for a period of 10 years. + Article 20 In order to issue qualified certificates, certification service providers shall meet the following conditions: a) have adequate financial, technical and human resources and resources to guarantee the security, reliability and continuity of the certification services offered; b) ensure the rapid and safe operation of the registration of the information provided in art. 17, in particular the rapid and secure operation of a service of suspension and revocation of qualified certificates; c) ensure the possibility to determine precisely the exact date and time of the issuance, suspension or revocation of a qualified certificate; d) verify, with appropriate means and in accordance with the legal provisions, the identity and, where appropriate, the specific attributes of the person to whom the qualified certificate is issued; e) to use personnel with specialized knowledge, experience and qualification, necessary for the provision of the respective services, and, in particular, competence in the field of management, specialized knowledge in the field of signature technology electronic and sufficient practice in relation to the appropriate security procedures; also to apply appropriate administrative and management procedures and meet the recognised standards; f) to use products associated with the electronic signature, with a high degree of reliability, which are protected against the changes and which ensure the technical and cryptographic security of the electronic signature certification activities; g) to adopt measures against the falsification of certificates and to guarantee confidentiality during the process of generating signature creation data, where certification service providers generate such data; h) keep all information on a qualified certificate for a minimum period of 10 years from the date of termination of the validity of the certificate, in particular in order to be able to provide proof of certification in the framework of an eventual dispute; i) not to store, not to reproduce and not to disclose to third parties the signature creation data, unless the signatory so requests; j) to use reliable systems for the storage of qualified certificates, so that: only authorized persons can enter and modify the information from the certificates; the accuracy of the information can be verified; the certificates may be consulted by third parties only if the agreement of their holder exists; any technical amendment, which could jeopardise these security conditions, may be identified by authorised persons; k) any other conditions established by the regulatory and supervisory authority specialized in the field. + Article 21 Qualified certification service providers are required to use only secure electronic signature creation devices. + Article 22 (1) The provider of qualified certification services must have financial resources to cover the damage that they could cause on the occasion of the activities related to the certification of electronic signatures. ((2) The insurance is achieved either by underwriting an insurance policy at an insurance company, or by means of a letter of guarantee from a specialist financial institution, or by another way established by decision of the regulatory and supervisory authority specialized in the field. (3) The insured amount and the amount covered by the guarantee letter are established by the regulatory and supervisory authority specialized in the field. + Section 3 Suspension and termination of certificates + Article 23 ((1) Any certification service provider has the obligation to suspend the certificate within 24 hours from the moment it became aware or had to and could become aware of the occurrence of any of the following cases: a) at the request of the signatory, after a prior verification of its identity; b) if a court order orders the suspension; c) where the information contained in the certificate no longer corresponds to the reality, unless the certificate is revoked; d) in any other situations that constitute cases of suspension of certificates issued, according to the security and certification procedures declared by the supplier on the basis of art. 13. ((2) Any certification service provider has the obligation to revoke the certificate within 24 hours from the moment it became aware or had to and could become aware of the occurrence of any of the following cases: a) at the request of the signatory, after a prior verification of its identity; b) to the death or the prohibition of the signatory; c) where a final judgment orders the revocation; d) if it is unquestionably proven that the certificate has been issued on the basis of erroneous or false information; e) where the essential information contained in the certificate no longer corresponds to the reality; f) when the confidentiality of the signature creation data has been violated; g) where the certificate has been used fraudulently; h) in any other situations that constitute cases of revocation of certificates issued, according to the security and certification procedures declared by the supplier on the basis of art. 13. (3) The certification service provider shall inform the holder of the suspension or revocation of the certificate, together with the reasons behind its decision. (4) The certification service provider will register the mention of suspension or revocation of the certificate in the electronic register of certificates issued provided for in art. 17, within 24 hours from the moment he became aware or had to and could become aware of the adoption of that decision. (5) The suspension or revocation will become opposable to third parties from the date of its registration in the electronic register of certificates. + Article 24 (1) If the certification service provider intends to cease activities related to the certification of electronic signatures or find out that it will be unable to continue these activities, he will inform, at least 30 days. before the termination, the regulatory and supervisory authority specialized in the field of its intention, namely the existence and nature of the circumstance justifying the impossibility of continuing the activities. (2) The certification service provider has the obligation that, if it is unable to continue the activities related to the certification of electronic signatures and could not provide for this situation at least 30 days before the cessation of activities occurred, to inform the specialised regulatory and supervisory authority, within 24 hours of the time when he became aware or had to and could become aware of the impossibility continuing activities. The information must refer to the existence and nature of the circumstance justifying the impossibility of continuing the activities. (3) The certification service provider may transfer, in whole or in part, its activities to another certification service provider. The transfer will operate under the following conditions a) the certification service provider shall notify each non-expired certificate holder, at least 30 days in advance, of its intention to transfer the activities related to the certification of electronic signatures to another supplier of certification services; b) the certification service provider shall mention the identity of the certification service provider to whom it intends to transfer its activities; c) the certification service provider will make known to each certificate holder the possibility to refuse this transfer, as well as the term and conditions under which the refusal can be exercised; in the absence of an express acceptance of the holder, in the deadline specified by the certification service provider, the certificate will be revoked by the latter. (4) The certification service provider, located in one of the cases referred to in par. ((1) and (2), the activities of which are not taken over by another certification service provider, will revoke the certificates within 30 days from the date of notification to the certificate holders and take the necessary measures to ensure conservation its archives, as well as for ensuring the processing of personal data, under the law. (5) There are considered cases of impossibility to continue the activities related to the certification of electronic signatures, within the meaning of this article, dissolution or liquidation, voluntary or judicial, bankruptcy, as well as any other cause of cessation of activity, except for the application of the sanctions provided for in 33 33 para. ((2) and (3). + Chapter IV Monitoring and control + Section 1 Regulatory and supervisory authority + Article 25 The responsibility of applying the provisions of this law and its related regulations lies with the regulatory and supervisory authority specialized in the field *). + Article 26 (1) Within no more than 18 months from the date of publication of the law in the Official Gazette of Romania, Part I, the specialized public authority shall be established, with powers of regulation and supervision in the field, within the meaning of this law. ((2) Until the establishment of the authority referred to in paragraph (1) its attributions, for the purposes of this law, shall be assigned to the Ministry for Information Society ---------- Note *) Currently, the Ministry for Information Society exercises the powers of the regulatory and supervisory authority in the field of electronic signature, provided by Law no. 455/2001 on electronic signature, according to art. 4 4 section 57 of Government Decision no. 548/2013 on the organization and functioning of the Ministry for Information Society, published in the Official Gazette of Romania, Part I, no. 492 of 5 August 2013, as amended. + Article 27 The Ministry for Information Society may delegate, in whole or in part, its supervisory tasks, for the purposes of this law, to another public authority in coordination. + Article 28 (1) On the date of entry into force of this Law, the Register of Certification Service Providers, hereinafter referred to as the Registry, which is constituted and updated by the regulatory and supervisory authority specialized in Domain. From the date of establishment of the specialized public authority provided in art. 26 The register will be taken up and updated by this authority. (. The Register shall be the official record a) of the certification service providers that are based in Romania; b) of certification service providers with headquarters or domicile in another state, whose qualified certificates are recognized according to art. 40. (3) The Register is intended to ensure, by making the records provided by this law, the storage of identification data and information related to the activity of certification service providers, as well as informing the public with Data and information stored. (4) The content and structure of the Register shall be established, by regulations, by the regulatory and supervisory authority specialized in the field. + Article 29 (1) Registration in the Register provided for in art. 28 28 of the identification data and of the necessary information on the activity of the certification service providers referred to in art. 28 28 para. (2) shall be carried out on the basis of individual application, which must be introduced to the regulatory and supervisory authority specialized in the field, at the latest at the start date of the supplier (2) The mandatory content of the application provided in par. (1) and the necessary documentation shall be established by regulations by the regulatory and supervisory authority specialized in the field. + Article 30 (1) The register shall be public and shall be updated permanently (2) The conditions of the young Register, the effective access to the information it contains, the information that may be provided to the applicants and the way of updating it shall be established by the technical and methodological norms issued by the regulation and specialized supervision in the field. + Section 2 Supervision of the activity of certification service providers + Article 31 (1) The regulatory and supervisory authority specialized in the field will be able, ex officio or at the request of any interested person, to verify or order the verification of compliance of the activities of a certification service provider with the provisions of this law or with regulations issued by the regulatory and supervisory authority specialized in the field. (2) The control powers of the regulatory and supervisory authority specialized in the field, according to par. ((1), shall be exercised by the specific staff empowered to do so. (3) In order to exercise control, the control personnel shall be authorized: a) to have free, permanent access to any place where the equipment necessary for the provision of certification services is located, under the law; b) to request any document or information necessary to carry out the control; c) verify the implementation of any security or certification procedures used by the certification service provider; d) to seal any equipment necessary for the provision of certification services or to retain any document related to this activity, for a period not exceeding 15 days, if this measure is required; e) take any other such measures, within the limits of the law. (. The control personnel shall be obliged to: a) do not disclose the data of which he was aware of the exercise of his/her duties; b) maintain the confidentiality of the sources of information in relation to the complaints or complaints received. + Article 32 (1) Certification service providers shall be required to facilitate the exercise of their powers of control by the staff empowered to do so. (2) In case of non-fulfilment of the obligation provided in (1), apart from the application of the sanction provided in art. 44 lit. c), the regulatory and supervisory authority specialized in the field will be able to suspend the activity of the supplier until the date on which it cooperates with the control personnel. + Article 33 (1) If the control is found to comply with the provisions of the present law and regulations issued by the specialized regulatory and supervisory authority in the field, it will require the certification service provider to comply, within the deadline it will set, the legal provisions. In this case, the specialized regulator and supervision authority may order the suspension of the supplier's activity. (2) Failure to meet within the established deadline of the compliance obligation provided in par. (1) is a reason for the regulatory and supervisory authority specialized in the field to order the termination of the activity of the certification service provider and its deletion from the Registry. (3) If a serious violation of the legal provisions is found, the specialized regulatory and supervisory authority in the field may order directly and immediately the cessation of the activity of the certification service provider and the deregistration its from the Registry. + Article 34 (1) If it has an end to the activity of a certification service provider, the specialized regulatory and supervisory authority in the field will ensure either the revocation of certificates of the certification service provider and the signatories, either taking up the activity or at least of the electronic register of certificates issued and of the service of their revocation by another certification service provider, with its consent. ((2) The signatories will be informed immediately by the regulatory and supervisory authority specialized in the field about the cessation of the supplier's activity, as well as about the revocation of certificates or their takeover by another supplier. (3) If the activity of the certification service provider is not taken over by another supplier, the certification service provider shall be obliged to ensure the revocation of all certificates issued by him. The regulatory and supervisory authority specialized in the field will revoke the certificates, at the supplier's expense, if it does not fulfill its obligation. (4) The specialized regulatory and supervisory authority in the field will take over and maintain the archives and the electronic register of certificates issued by the certification service provider whose activity has not been taken over by another supplier. + Article 35 (1) Radiation of certification service providers in the Registry shall be carried out on the basis of communication made by the provider to the specialized regulatory and supervisory authority in the field at least 30 days before the date of termination of the activity His. ((2) Radiation may also be carried out ex officio by the regulatory and supervisory authority specialized in the field, if it finds on any other way that the supplier has ceased its activity. + Section 3 Voluntary accreditation + Article 36 (1) In order to ensure an enhanced degree of security of operations and to properly protect the rights and legitimate interests of certification service recipients, certification service providers wishing to carry out the activity as accredited suppliers may request obtaining an accreditation from the relevant regulatory and supervisory authority in the field. ((. The conditions and procedure for granting, suspending and withdrawing the accreditation decision, the content of that decision, its duration of validity and the effects of the suspension and withdrawal of the decision shall be determined by the regulatory authority and specialized supervision in the field, through regulations, in compliance with the principles of objectivity, transparency, proportionality and non-discriminatory treatment. + Article 37 (1) The providers of certification services accredited under the present law have the right to use a distinctive mention to refer to this quality in all the activities they carry out, related to the certification of signatures. (2) The providers of certification services accredited under the present law are obliged to request a mention in this regard in the Register. + Section 4 Approval + Article 38 (1) The conformity of secure devices for the creation of electronic signature with the provisions of this law shall be verified by the approval agents, legal persons governed by public law or private law, agreed by the regulatory authority and specialized supervision in the field, under the conditions established by regulations issued by it. (. The certificate of approval of the electronic signature-creation device shall be issued following the completion of the verification procedure. The certificate may be withdrawn if the approval agency finds that the secure electronic signature creation device no longer meets one of the conditions laid down in this Law. (3) The conditions and procedure for the approval of the approval agencies shall be established by regulations by the regulatory and supervisory authority specialized in the field. (4) The decision of approval shall be issued by the regulatory and supervisory authority specialized in the field. + Article 39 (1) The regulatory and supervisory authority specialized in the field shall ensure compliance, by the approval agencies, with the provisions of this law, of the regulations issued, as well as of the provisions contained in the decision of approval. (2) The provisions of art. 31 31-32 shall apply accordingly to the control exercised by the regulatory and supervisory authority specialised in the field on the activity of the approval agencies. + Chapter V Recognition of certificates issued by foreign certification service providers + Article 40 The qualified certificate issued by a certification service provider domiciled or established in another State shall be recognised as equivalent in terms of legal effects with the qualified certificate issued by a supplier of certification services with domicile or with headquarters in Romania, if: a) the provider of certification services with domicile or headquarters in another state has been accredited under the accreditation regime, under the conditions provided by this law; b) an accredited certification service provider, domiciled or established in Romania, guarantees the certificate; c) the certificate or certification service provider that issued it is recognized by the application of a bilateral or multilateral agreement between Romania and other states or international organizations, on the basis of reciprocity. + Chapter VI Liability of certification service providers + Article 41 The certification service provider, issuing certificates presented as qualified or guaranteeing such certificates, shall be liable for the damage to any person who bases his/her conduct on the legal effects of the those certificates: a) in respect of the accuracy, at the time of issue of the certificate, of all the information it contains; b) with regard to the assurance that, at the time of issue of the certificate, the signatory identified in the latter held the signature generation data corresponding to the signature verification data referred to in that certificate; c) with regard to ensuring that the signature generation data correspond to the signature verification data, where the certification service provider generates both; d) regarding the suspension or revocation of the certificate, in the cases and in compliance with the conditions provided in art. 24 24 para. ((1) and (2); e) in respect of fulfilling all the obligations provided in art. 13 13-17 and in art. 19-22 19-22, except where the certification service provider proves that, although it did due diligence, it could not prevent the injury from occurring. + Article 42 (. The certification service provider may indicate in a qualified certificate the restrictions of its use and limits of the value of the operations for which it may be used, provided that such restrictions are restricted. can be known to third parties. (2) The certification service provider shall not be liable for damages resulting from the use of a qualified certificate in violation of the restrictions provided therein. + Chapter VII Obligations of certificate holders + Article 43 Holders of certificates shall, without delay, require the revocation of certificates if: a) have lost the electronic signature creation data; b) have reason to believe that the electronic signature creation data has come to the attention of an unauthorized third party; c) the essential information contained in the certificate no longer corresponds to reality + Chapter VIII Contraventions and penalties + Article 44 It constitutes a contravention, if, according to the law, it does not constitute a crime, and is sanctioned with a fine of 500 lei to 10,000 lei the act of the certification service provider that: a) omits to carry out the notification provided in art. 13 13 para. ((1); b) omits to inform the regulatory and supervisory authority specialized in the field on the security and certification procedures used, under the conditions and in compliance with the deadlines provided in art. 13 13; c) it does not fulfill its obligation to facilitate the exercise of control powers by the staff of the specialized regulatory and supervisory authority in the field, namely empowered in this regard; d) carry out the transfer of activities related to the certification of electronic signatures with non-compliance 24 24 para. ((3). + Article 45 It constitutes contravention, if, according to the law, it does not constitute a crime, and is sanctioned with a fine of 1,000 lei to 25,000 lei the act of the certification service provider that: a) does not provide the persons referred to in 14 14 para. (1), under the conditions provided in art. 14 14 para. ((1) and (2), the mandatory information provided in art. 14 14 para. ((3) or do not provide all such information or provide inaccurate information; b) violates the obligations regarding the processing of personal data provided in art. 16 16; c) omits to make the mandatory records, according to the law, in the electronic register of certificates issued, provided in art. 17, or carry out them with non-compliance with the deadline provided 14 14 para. ((5), art. 23 23 para. ((1) or (2) or record inaccurate claims; d) issue certificates presented to the holders as qualified, which do not contain all the mandatory mentions provided in art. 18 18; e) issue qualified certificates containing inaccurate information, information that is contrary to the law, good morals or public order, or information whose accuracy has not been verified under the conditions provided in art. 18 18 para. ((4); f) issue qualified certificates without checking the identity of the applicant, under the conditions provided in art. 19 19; g) omits to take measures such as to ensure confidentiality during the process of generating signature creation data, where the certification service provider generates such data; h) does not keep all information on a qualified certificate for a minimum period of 5 years from the date of termination of the validity of the certificate; i) store, reproduce or disclose to third parties the electronic signature creation data, unless the signatory so requests, if the supplier issues qualified certificates; j) store qualified certificates in a form that does not comply with the conditions provided in art. 20 lit. j); k) use electronic signature creation devices, which do not meet the conditions provided in art. 4 4 section 8, where the certification service provider issues qualified certificates; l) if it intends to cease the activities related to the certification of electronic signatures or in any of the situations provided in art. 24 24 para. (5), when he finds out that he will be unable to continue these activities, he does not inform at least 30 days before the termination of the activities the regulatory and supervisory authority specialized in the field about his intention, namely about the existence and nature of the circumstance justifying the impossibility of continuing activities m) in any of the situations referred to in art. 24 24 para. (5), when in the impossibility of continuing the activities related to the certification of electronic signatures and could not provide for this situation at least 30 days before the cessation of activities occurred, did not inform the authority of specialized regulation and supervision in the field within the period provided in art. 24 24 para. ((2) the existence and nature of the circumstance justifying the impossibility of continuing the activities; n) being in one of the cases provided in art. 24 24 para. ((1) and (2), omits to take the necessary measures to ensure the preservation of its archives or to ensure the processing of personal data under the law; o) do not suspend or revoke the issued certificates, in cases where the suspension or revocation is mandatory, or revoke them with non-compliance with the legal term; p) continue to carry out activities related to the certification of electronic signatures in case the regulatory and supervisory authority specialized in the field ordered the suspension or termination of the activity of the service provider certification; q) issue certificates or carry out other activities related to the certification of electronic signatures, using without having the right to the quality of accredited certification service provider, by presenting a distinctive mention to be reference to this quality or any other means; r) omits to request, within the period provided for in art. 29 29 para. ((1), the registration in the Register of data and information referred to in art. 29. + Article 46 The violation by the approval agency of the obligation to facilitate the exercise of control powers by the personnel of the specialized regulatory and supervisory authority, namely empowered to do so, constitutes contravention and is sanctioned with a fine of 1,500 lei to 25,000 lei. + Article 47 The finding of contraventions and the application of the sanctions provided for in this chapter are the competence of the personnel with control powers within the regulatory authority and specialized supervision in the field. + Article 48 The contraventions provided for in this chapter are applicable to the Law no. 32/1968 * *) on the establishment and sanctioning of contraventions. ---------- Note * *) Law no. 32/1968 on the establishment and sanctioning of contraventions, published in the Official Bulletin, Part I, no. 148 of 14 November 1968, as amended and supplemented, was repealed by Government Ordinance no. 2/2001 on the legal regime of contraventions, published in the Official Gazette of Romania, Part I, no. 410 of 25 July 2001 and corrected by the Official Gazette of Romania, Part I, no. 584 of 18 September 2001, approved with amendments and additions by Law no. 180/2002 , published in the Official Gazette of Romania, Part I, no. 268 of 22 April 2002, with subsequent amendments and completions. + Chapter IX Final provisions + Article 49 ((. The level of charges levied by the approval agencies for the provision of services for the approval of secure electronic signature creation devices, as well as for accessory services shall be freely established, in compliance with provisions Competition law no. 21/1996 , republished. ((2) The agencies mentioned in par. (1) may charge tariffs with different levels for different geographical areas or for services rendered as a matter of urgency, for online registrations, according to their own commercial strategies, in compliance with legal provisions. (3) The approval agencies and their power of attorney shall be prohibited from publication of comparative tables on the level of tariffs and the adoption of any measures aimed at limiting the advertisement for the level of tariffs collected by other agencies for services rendered. + Article 50 (. Approval agencies shall be subject to the provisions of Competition law no. 21/1996 , republished, with regard to the setting of charges levied on services rendered, as well as on acts or acts which have or may have the effect of restricting competition in the market in those services. (. Approval agencies shall also be subject to the provisions of this Regulation. Law no. 11/1991 on combating unfair competition, with subsequent amendments and completions. + Article 51 The amount of fines provided for by this law will be updated by Government decision, depending on the evolution of the inflation index. + Article 52 Within 3 months from the date of publication of the present law in the Official Gazette of Romania, Part I, the regulatory and supervisory authority specialized in the field will develop technical and methodological norms * *) for its application. ---------- Note ** **) See Government Decision no. 1.259/2001 on the approval of technical and methodological rules for the application Law no. 455/2001 on electronic signature, published in the Official Gazette of Romania, Part I, no. 847 of 28 December 2001, as amended. + Article 53 This law will enter into force on the date of its publication in the Official Gazette of Romania, Part I, and shall be implemented 3 months after the date of entry into force. ------