Royal Decree-Law 14/1999 of 17 September on electronic signatures, which was drawn up taking into account the common position of the Council of Ministers of Telecommunications of the European Union on the Directive establishes a Community framework for electronic signatures, which was finally adopted on 13 December 1999, provides for the establishment of voluntary systems for the accreditation of certification service providers and for the assessment of the conformity of the electronic signature products with the requirements it requires.

In this regard, Article 6 of Royal Decree-Law 14/1999 of 17 September states that the rules governing accreditation and certification systems shall be objective, reasonable and non-discriminatory. Likewise, it notes that the certification functions referred to by the Royal Decree-Law will be exercised by the bodies, in each case competent, referred to in Law 11/1998, of 24 April, General of Telecommunications; in Law 21/1992, of 16 In July, Industry and the other legislation in force on the subject. For its part, Article 22 of Royal Decree-Law 14/1999 of 17 September provides that the Royal Decree referred to in Article 6 of that Decree shall determine the terms on which the conformity of the devices of the verification of an advanced electronic signature with the requirements set out in that Article 22.

Royal Decree-Law 16/1999 of 15 October, adopting measures to combat inflation and facilitating a higher degree of competition in telecommunications, enables the Minister of Public Works to develop, by means of Order, Articles 6 and 22 of Royal Decree-Law 14/1999 of 17 September. This Regulation is hereby approved in the light of the above.

Through this standard, the Ministry of Public Works complies with the legal mandate contained in article 68.1.a) of Law 11/1998, of April 24, General of Telecommunications, of bringing to the citizen " the new services of the society of the information ", giving these an additional element of security in the electronic signature.

With the establishment of these systems, it is intended to encourage the adoption of practices that ensure that services and products related to electronic signatures are offered to the public under satisfactory conditions of quality and technical safety. Accreditation and certification will function as a "quality seal" of service providers and electronic signature products that obtain them, allowing to increase user confidence in the use of this new technology. security for communications and electronic commerce.

This Regulation regulates the operation of the accreditation and certification systems, which, as they have been designed by Royal Decree-Law 14/1999 of 17 September, revolve around three classes of bodies, entities or bodies, namely: the bodies responsible for the accreditation of providers and the issuing of certificates of conformity for electronic signature products, the entities responsible for assessing and issuing a report or certificate and the body which is independent of the accreditation of those assessment entities, the designation of which is carried out in this Regulation. The legal status of accreditations and certificates of conformity, the requirements for obtaining them and the conditions for the recognition of those issued in other States are determined.

In the preparation of this standard, the existing certification models for the conformity assessment of related products and the schemes that are being developed at European level have been taken into account assessment of the security of information and communications technologies.

This provision has been submitted to the procedure for information in the field of technical standards and regulations and regulations concerning the services of the information society provided for in Directive 98 /34/EC of the European Parliament and of the Council. The European Parliament and the Council of 22 June, as amended by Directive 98 /48/EC of 20 July, and Royal Decree 1337/1999 of 31 July, which incorporates these Directives into Spanish law.

On the other hand, some amendments to the Order of 14 October 1999, which regulate the quality conditions in the provision of telecommunications services, are introduced in the single additional provision. First of all, the content of Article 2 is more consistent, preventing the application of the Order from the operators affected by the processing of their securities to take place at a later date than the one for which they have acceded. directly, from 1 December 1998, to the individual licence. In addition, a new provision is added to the Quality Order, which empowers the Secretary-General of Communications to amend Annex I to that Order. In order to allow for the rapid adoption of the definitions and methods of measure approved by the European Telecommunications Standards Institute (ETSI) to replace those currently in force. Finally, two amendments to Article 9 are included to adapt the Order's body to the ETSI standard on definitions and methods of measurement and two errors are corrected in Annex II.

In its virtue, according to the State Council, I have:

Single item. Approval of the Regulation on the accreditation of certification and certification service providers for certain electronic signature products.

Under the development of Articles 6 and 22 of Royal Decree-Law 14/1999 of 17 September on electronic signatures, the Regulation on the accreditation of certification and certification service providers of certain products is approved. electronic signature products, which is listed as an annex to this Order.

Single additional disposition. Amendment of the Order of 14 October 1999 governing quality conditions in the provision of telecommunications services.

One. Corrections are rectified and errors are saved in the Order of 14 October 1999, which regulates the quality conditions for the provision of telecommunications services, in the following terms:

In the final paragraph of Article 2 (1) (b), where it says: "... from the grant of the license.", you must say: "... from the beginning of the service delivery".

In the final paragraph of Article 2 (1) (c), where it says: "... since its granting.", you must say: "... from the beginning of the service delivery".

In point (g) of Article 9 (1), where it says:

"Less than three seconds for 95 per 100 of calls", you must say: "Less than five seconds for 95 per 100 of calls or a mean value less than three seconds".

Article 9 (1) (3) (3) and (2) (2) are deleted as follows: "International f2: less than 2,5 per 100".

In Annex II, paragraph 1, sub-section "Measure", first paragraph, where it states: "The measure shall be expressed in calendar days", it should read: "The measure shall be expressed on working days".

In Annex II, paragraph 3, sub-section "Measure", first paragraph, where it says: "... shall be measured in clock hours", i.e. "... shall be measured at working hours".

Two. A new additional provision is added, with the following wording:

" Additional disposal sixth. Authorisation of the Secretary-General for Communications to amend Annex I.

The Secretary-General of Communications is empowered to amend the contents of Annex I to this Order in order to harmonise it with the definitions and methods of measurement of the parameters required by Directive 98 /10/EC of the European Parliament and of the Council Parliament and the Council on the application of the open network offer to voice telephony and on the universal service of telecommunications in a competitive field, to be adopted by the European institutions in place of the contained in the ETSI ETR 138 document, which is currently referred to in Annex III to that Directive; and to set the time limits necessary for its implementation. "

Single end disposition. Entry into force.

This Order shall enter into force after the period of one month following its publication in the Official Gazette of the State.

Madrid, 21 February 2000.

MONTALVO ARIAS-SALGADO

Ilmo. Mr. Secretary General of Communications.

ANNEX

ACCREDITATION REGULATION FOR CERTIFICATION AND CERTIFICATION SERVICE PROVIDERS FOR CERTAIN ELECTRONIC SIGNATURE PRODUCTS

CHAPTER I

Accreditation and certification system

Article 1. End, object, and scope of application

1. The purpose of this Regulation is to achieve an adequate level of safety, quality and confidence in the provision of certification services and to protect the rights of users, by establishing the accreditation systems for certification and certification services for certain electronic signature products.

2. Regulation of the system of accreditation of certification and certification service providers of electronic signature products for which the General Secretariat of Communications of the European Commission is responsible is the subject of this Regulation. Ministry of Development.

3. Submission to the accreditation and certification systems regulated in this Regulation will be voluntary.

Article 2. Accreditation and certification body.

1. The General Secretariat of Communications of the Ministry of Public Works is the body responsible for, safeguarding communications security, crediting certification service providers and certifying electronic signature products. Those referred to in the following paragraph.

2. The competence of the General Secretariat of Communications to certify electronic signature products shall be exercised over those that meet the following conditions:

That are intended to connect directly or indirectly to the termination points of a public telecommunications network, in order to send, process, or receive signals.

That they are intended to ensure the security of any type of information that is transmitted electronically by telecommunications networks.

3. It is understood that these circumstances are present, in particular, in the signature creation devices and in the advanced electronic signature verification devices.

4. In respect of electronic signature products in which the conditions laid down in paragraph 2 are not met, their certification shall be carried out in accordance with Law 21/1992 of 16 July 1992 on Industry.

Article 3. Prior assessment of service providers and electronic signature products.

1. The granting of the corresponding accreditation or certificate of conformity by the General Secretariat of Communications shall require the prior assessment of the service provider or the electronic signature product for which it is requested, carried out by an entity empowered to act in accordance with Article 6.5 of Royal Decree-Law 14/1999 of 17 September on electronic signatures and this Regulation. At the end of the assessment carried out, the institution shall issue a certificate of compliance with the requirements or an assessment report, in accordance with the rules applicable in each case. In this rule, unless otherwise expressed, the expressions "report" or "assessment report" shall refer to both the certificate and the report itself.

2. The assessment report shall describe the procedure and the rules applied for the procedure and the results of the tests carried out. This report shall be submitted to the person or entity who has requested the assessment.

Article 4. Content of the accreditation or certification decisions.

The resolutions on which the service providers of the electronic signature service are accredited or the products are certified, will confirm that the assessment has been carried out correctly in accordance with the rules laid down in this Regulation. Regulation and that the conclusion reached is consistent with the results of the evaluation. Where this Regulation establishes other requirements for the accreditation of a service provider or the certification of an electronic signature product, the resolution shall also confirm its compliance.

CHAPTER II

Assessment Entities

Article 5. Independence of the assessment bodies.

The assessment bodies of certification service providers and electronic signature products may not have a relationship of dependency with the service providers or the manufacturers or importers of the electronic signature products. electronic signature products that request their intervention in the accreditation or certification process.

Article 6. Accreditation of the assessment bodies.

1. They may act as an assessment entity for certification service providers and electronic signature products, public or private bodies which have been accredited by the National Accreditation Entity (ENAC) or any other accreditation entity, within the framework of the common accreditation scheme promoted by the European Union.

2. Prior to the commencement of the accreditation activity provided for in the previous paragraph, the cooperation agreement provided for in Article 11 of this Regulation shall be signed.

Article 7. Procedure for the accreditation of the assessment bodies.

1. For the accreditation of the assessment entities, ENAC shall take into account the following aspects:

(a) The way in which they guarantee their independence from the manufacturers or importers of electronic signature products and service providers subject to evaluation.

b) Your technical competence.

c) Your premises and equipment.

d) The work procedures they employ.

The aspects referred to in points (b), (c) and (d) shall be assessed on the basis of the activity for which the assessment entities request their accreditation.

2. The aspects referred to in the previous paragraph shall be assessed in accordance with the rules which, on the proposal of the ENAC, are determined by the General Secretariat of Communications, by means of a resolution published in the "Official Gazette of the State". the following ranking order:

1. º Standards, specifications or recommendations approved by European bodies, which are generally applied in the industry.

2. º Standards, specifications or recommendations adopted by international organizations, generally applied.

3. National Standards generally applied.

3. Accreditation shall be granted for the assessment of service providers or electronic signature products, or for both purposes, if the assessment entity is sufficiently trained to carry out the accreditation.

4. The ENAC shall communicate to the General Secretariat of Communications the accreditations of the assessment bodies it grants, in the terms set out in the Partnership Agreement provided for in Article 11.

Article 8. Obligations of the assessment bodies.

The assessment entities must meet the obligations that are required of them among those set out in Chapter III of the Infrastructure for Quality and Industrial Safety Regulation, approved by the Royal Decree 2220/1995, of December 28, and the following are established:

Provide up-to-date information to any person who requests it, in relation to the evaluation function (assessment of suppliers or products) for which they have obtained accreditation.

Pay the expenses incurred for the evaluation performed for your accreditation as an assessment entity.

Do not use accreditation in such a way as to damage the reputation of the body's evaluating body.

Cesar immediately upon the use of the accreditation as of the date on which it is withdrawn.

Indicate, as clearly as possible and in all contracts concluded with your clients, that any of the prior examinations and reports that are carried out do not, in any way, imply an endorsement by the General Secretariat of Communications of the supplier or product assessed.

Article 9. Validity of the accreditations.

The ENAC shall fix the period of validity of the accreditations, in accordance with the provisions of Article 17 (f) of the Regulation of the Infrastructure for Industrial Quality and Safety. It shall also take into account the activity for which an assessment entity is accredited and the technology used by it.

Article 10. Extinction of the accreditations.

1. The accreditation of the assessment entity shall be extinguished for the following reasons:

(a) The expiration of the period for which it was granted.

b) The express waiver of the person concerned.

c) The cessation of activity by the assessment entity.

2. The termination of the accreditation shall be declared by the accreditation body provided for in Article 6.

CHAPTER III

Accreditation and certification body and coordination with other certification systems

Article 11. Partnership between the General Secretariat of Communications and the National Accreditation Entity.

Between the General Secretariat of Communications and ENAC, a collaboration agreement will be concluded to determine the system of information and mutual cooperation regarding the granting of accreditations and the subsequent control of the assessment entities that may be carried out. The participation of the representatives of the General Secretariat of Communications in the management bodies of the ENAC will also be established.

Article 12. Functions of the accreditation and certification body.

The General Secretariat of Communications will ensure the proper functioning of the accreditation and certification system. To this end, and without prejudice to the provisions of the ENAC collaboration agreement, the General Secretariat for Communications may carry out or commission examinations on accredited service providers or electronic signature products. certificates, in order to verify that all requirements are maintained according to which the corresponding accreditation or certification was granted.

To this end, the certification service providers must collaborate with the agents or the staff inspector of the General Secretariat of Communications, in the terms set out in Article 17 of the Royal Decree-Law. 14/1999, of 17 September.

Article 13. Coordination with other accreditation and certification systems.

The accreditation and certification system provided for in this Regulation may be coordinated with others established for the assessment of the security of information technologies or electronic signature products in respect of which the General Secretariat for Communications does not act as an accreditation or certification body, by means of the exchange of information, the sending of observers, the harmonisation, as far as possible, of the assessment criteria implemented or other measures aimed at the joint exploitation of knowledge and experience . The scope of these measures may be implemented by means of a partnership agreement between those responsible for the various accreditation and certification systems mentioned.

CHAPTER IV

Accreditation of certification service providers

Article 14. Concept of service provider of certification.

Electronic signature certification service providers who so wish may apply for accreditation, specifying the scope, general or reference to one or more specific activities, for which accreditation requires. For the purposes of this Regulation, they are certification service providers:

Natural or legal persons who issue certificates to the public.

Natural or legal persons who, in addition to issuing certificates to the public, provide other services related to electronic signatures, such as date and time entry, directory or document file electronic.

Article 15. Accreditation of service providers who issue certificates to the public.

1. For the accreditation of providers who issue recognised certificates to the public, compliance with the requirements laid down in Articles 11 and 12 of Royal Decree-Law 14/1999 of 17 September on electronic signatures shall be required. Compliance with the obligation laid down in Article 12 (g) of Royal Decree-Law 14/1999 of 17 September shall be controlled, in any case, by the General Secretariat of Communications.

Certification service providers who do not issue recognised certificates may be accredited if they fulfil the conditions laid down in Article 11 of Royal Decree-Law 14/1999 of 17 September on signature electronic.

2. In both cases, different levels of accreditation may be recognised, depending on what is established in the rules referred to in Article 17.

Article 16. Requirements for the accreditation of service providers related to the electronic signature, other than the issue of certificates.

1. Service providers who, in addition to issuing certificates to the public, provide any other service related to the electronic signature, may request that their accreditation include these. The accreditation shall be granted if, in accordance with the report issued by the assessment body, they develop the activity concerned with a sufficient degree of reliability. Different levels of accreditation may be recognised, depending on what is laid down in the rules referred to in Article 17.

2. In the accreditation of persons providing a date and time consignment service, the degree of accuracy of the temporary data to be recorded, the availability of temporary data for the parties and the mechanisms used for the purpose shall be assessed in particular. to avoid alteration.

Article 17. Criteria and rules applicable for the assessment of service providers.

The assessment bodies shall determine compliance with the conditions laid down for the accreditation of certification service providers in accordance with the rules laid down in the Official Journal of the European Communities. European. " Failing this, the rules to be determined by the General Secretariat of Communications and the reference numbers of which are published in the "Official State Gazette" shall apply.

To be fixed, the order of precedence set out in Article 7.2 of this Regulation shall be respected.

Article 18. Request for accreditation.

1. The service provider who is interested in obtaining an accreditation shall, in any of the places referred to in Article 38.4 of Law 30/1992, submit an application to the General Secretariat for Communications, containing the Article 70 of Law 30/1992, of 26 November, of the Legal Regime of Public Administrations and of the Common Administrative Procedure.

2. To that request, you must attach the assessment report issued by the accredited assessment body that has examined the activity for which the accreditation is requested.

Article 19. Resolution of the accreditation body.

1. The General Secretariat of Communications shall grant the requested accreditation if the procedure applied for the assessment is appropriate for the activity in question and the other requirements included in this Regulation are met. accreditation.

2. If it considers that the procedure or the rules applied are inadequate, it shall indicate to the service provider, by way of resolution, which tests are to be carried out or which rules should be applied so that the assessment procedure can be accepted.

3. The maximum time limit for resolution and notification shall be six months from the date of entry into any of the records of the Ministry of Public Works. If the General Secretariat of Communications has not notified the decision within this period, the service provider may understand his request.

4. Accreditation decisions for certification service providers shall be published in the "Official Gazette of the State" and notified to the European Commission in accordance with the provisions of Community legislation.

Article 20. Content and validity of the accreditation.

1. The decision granting the accreditation to a service provider shall require the service provider to maintain, at all times, the requirements under which it obtained its accreditation.

2. The accreditation will be valid for four years. Upon maturity, it may be renewed for equal periods, provided that a favourable report of an assessment body is found that the provider continues to meet the conditions required for its accreditation. The provisions of Article 19 shall apply in respect of the maximum time limit for resolution and notification and for the purpose of administrative silence.

Article 21. Amendment of the accreditation.

1. Service providers may request the review of their accreditation in order to access a different level, if they demonstrate, by means of a favourable report from an assessment body, that they fulfil the necessary conditions for this. The time limit for resolving the application shall be six months and the administrative silence, if any, shall be positive.

2. The accreditation resolution may be amended, where the providers cease to comply with the conditions laid down for each type of accreditation. The decision to amend it shall be given in a contradictory file within six months.

3. The resolutions by which the General Secretariat of Communications renew, in accordance with the previous article, extend or rewind the accreditation of a service provider, shall be published in the "Official State Gazette" and shall be notified to the European Commission, in accordance with the provisions of Community legislation.

Article 22. Extinction of accreditation.

1. The accreditation of a service provider shall be extinguished for the following reasons:

(a) The maturity of the granting period, without the request for renewal.

b) The express waiver of the service provider.

(c) The cessation of the certification activity in question, of the service provider.

2. The extinction of the accreditation will be declared by the General Secretariat of Communications, once established.

3. The decision declaring the termination of the accreditation of a service provider shall be published in the Official Gazette of the State and shall be notified to the European Commission in accordance with Community rules.

Article 23. Mutual recognition of accreditations.

1. Accreditations granted to service providers in other States of the European Union for the classes and levels of accreditation equivalent to those laid down in this Regulation shall be recognised in Spain.

2. On the basis of the same criterion, accreditations granted in a Member State other than a Member of the European Union may be recognised as a service provider recognised under an agreement between the European Community and third countries or international organisations.

CHAPTER V

Certification of secure signature creation devices and advanced electronic signature verification devices

Article 24. Requirements for the certification of electronic signature devices.

1. The General Secretariat of Communications may certify, as secure signature creation devices, the devices which, on the basis of the reports issued by an accredited assessment body, comply with the requirements laid down in the Article 19 of the Royal Decree-Law 14/1999 of 17 September.

2. The General Secretariat of Communications may determine the conformity of the advanced electronic signature verification devices with the requirements set out in Article 22.1 of Royal Decree-Law 14/1999 of 17 September, according to What is available in the following Article.

Article 25. Standards for the assessment of electronic signature devices.

The assessment of the compliance of the secure signature creation devices and the advanced electronic signature verification devices with the requirements required in each case shall be carried out in accordance with those rules. the reference numbers of which are published in the Official Journal of the European Communities. Failing this, the rules to be determined by the General Secretariat of Communications and the references of which are published in the Official Gazette of the State shall apply. The order of precedence laid down in Article 2 (2) of this Regulation shall be complied with.

Article 26. Procedure applicable to the granting of the certificate of conformity.

1. Applications for certification of electronic signature creation and verification devices may be submitted by their manufacturers or importers or by service providers.

2. The procedure for obtaining certification shall be the procedure laid down in Articles 18 and 19 of this Regulation, in the light of the fact that the references made to service providers are to manufacturers, importers or marketers of such devices.

3. The resolutions granting the certificates of conformity shall be published in the Official Gazette of the State.

Article 27. The validity of the certificates of conformity.

The certificates of conformity shall specify the period of validity for which they are issued, which shall in no case be more than five years. At the end of the year, the certificates may be renewed, provided that it is established, by means of a favourable report from an assessment body, that the conditions required for the certification of the device concerned are met. The provisions of Article 19 (3) of this Regulation shall apply to this case.

Article 28. Expiration of the certificates.

1. The General Secretariat of Communications may withdraw a certificate of conformity when it finds that the electronic signature or electronic signature verification devices to which it is concerned no longer meet the requirements for granting them.

2. The expiry of the certificate shall, within six months, be given in a contradictory file and shall be published in the Official Gazette of the State.

Article 29. Mutual recognition of certificates.

1. Certificates relating to secure electronic signature and advanced electronic signature verification devices which have been issued by the bodies designated by the Member States of the Union shall be recognised as effective. European.

2. In addition, certificates relating to insurance for the creation of electronic signature and the verification of advanced electronic signatures which have been issued by the bodies designated by States which are not members of the the European Union, when an international agreement on mutual recognition binding on Spain so provides.