Internal Digital Market: New European Framework

The adoption of the Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (1) (“Regulation”) aims to strengthen public confidence in relation to online transactions and thus contribute to their development. The main provisions are applicable as from 1 July 2016. Main changes can be summarised as follows:

The electronic identification schemes ensuring the required level of guarantee and notified to the European Commission ("Commission") by the Member States will be recognised in other Member States to facilitate authentication and cross-border online administrative procedures for citizens.

Qualified trust service providers (“TSP”) will be subject to security requirements which may be specified by the Commission. The qualified TSPs will be published on a trusted list mentioning the services provided. They will be audited every 24 months by an accredited conformity assessment body. Unqualified TSPs will also be required to take adequate security measures. In any case, all TSPs must notify the supervisory body and the data protection authority within 24 hours any breach of security or loss of integrity having a significant impact on the trust services or on the personal data processed.

The so-called ‘qualified’ electronic signature had already been recognised as equivalent to a handwritten signature by the Luxembourg Law of 14 August 2000 on electronic commerce ("2000 Law"). It will from now on be specifically recognised in all the Member States. The Regulation provides guarantee requirements in its annexes in relation to qualified electronic signature creation devices. Certification of compliance with these requirements is based on a security assessment process in accordance with standards established by the Commission Implementing Decision (EU) 2016/650 of 25 April 2016.

The qualified electronic seal guarantees that an electronic document has been delivered by a legal person subject to it containing certain information. The creation device will be subject to the same requirements as that of the qualified electronic signature. The qualified electronic time stamp presumes exact dates and times of certain data while the qualified electronic registered delivery presumes exact dates and times of sending and receiving by identified persons. The Regulation also provides for the possibility to use the qualified website authentication which allows the authentication of the entity owning the website. For all these services, the Commission may establish reference standards to be complied with.

The principle of mutual recognition provided by the Regulation shall apply as from September 2018. It aims to overcome obstacles to public confidence in online services and transactions with public bodies. Thus a means of electronic identification used in one Member State may be recognised in another Member State.

In accordance with the internal market principle, a qualified TSP established in a Member State could always propose trust services in other Member States. By contrast, those established outside the European Union could provide services equivalent to qualified trust services only if a reciprocal agreement were to exist between the European Union and such a third country.

Trust services also obey the principle of non-discrimination: a judge may not disclaim their legal effect or rule out their admissibility as evidence in court because of their electronic form or because they are not ‘qualified’. An equivalent provision already exists for electronic signatures in Article 18 of the 2000 Law.

To conclude, the 2000 Law already contained provisions relating to electronic signatures and to certification service providers. These provisions may be retained in national legislation insofar as they are not completely harmonised with the Regulation and do not prevent the free circulation of trust services in the European Union. However, it should be noted that as a transitional measures, the electronic signature creation devices and qualified certificates which complied with the Directive 1993/93/EC prior to its repeal will be considered as qualified under the Regulation. With regard to the qualified certificate, it will be considered as qualified only until its expiry. Similarly, certification service providers which were issuing qualified certificates in accordance with the Directive 1999/93/EC will remain qualified under the Regulation until their compliance is assessed. The submission of the conformity assessment report to the supervisory body must be carried out no later than 1 July 2017.

(1) Known as "eIDAS"