Community framework for electronic signatures
This Directive establishes the legal framework at European level for electronic signatures and certification services. The aim is to make electronic signatures easier to use and help them become legally recognised within the Member States.
Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.
This Directive lays down the criteria that form the basis for legal recognition of electronic signatures by focusing on certification services. These comprise the following:
- common obligations for certification service providers in order to secure transborder recognition of signatures and certificates throughout the European Community;
- common rules on liability to help build confidence among users, who rely on the certificates, and among service providers;
- cooperative mechanisms to facilitate transborder recognition of signatures and certificates with third countries.
The Directive defines new ideas:
- the electronic signature, data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication.
- the advanced electronic signature, which meets the following requirements:
  - it is uniquely linked to the signatory;
  - it is capable of identifying the signatory;
  - it is created using means that the signatory can maintain under their sole control;
  - it is linked to the data to which it relates in such a manner that any subsequent change in the data is detectable.
- the qualified certificate, which must in particular include:
  - an indication that it is issued as a qualified certificate;
  - the identification of the certification service provider;
  - the name of the signatory;
  - provision for a specific attribute of the signatory to be included if relevant, depending on the purpose for which the certificate is intended;
  - signature-verification data corresponding to signature-creation data under the control of the signatory;
  - an indication of the beginning and end of the period of validity of the certificate;
  - the identity code of the certificate;
  - the advanced electronic signature of the issuing certification service provider.
The certificate must also be issued by a certification service provider which meets the specific requirements laid down in the Directive.
Member States must not make the provision of certification services subject to prior authorisation of any kind.
They may introduce or maintain voluntary accreditation schemes aimed at enhancing levels of certification-service provision.
Member States may not limit the number of accredited certification service providers for reasons which fall within the scope of the Directive.
Member States may make the use of electronic signatures in the public sector subject to possible additional requirements.
Member States may not restrict the provision of certification services originating in another Member State in the areas covered by the Directive.
Legal effects of electronic signatures
The main provision of the Directive states that an advanced electronic signature based on a qualified certificate and created by a secure-signature-creation device satisfies the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data. For convenience, this type of signature is usually called a “qualified signature”; although the Directive describes it as such, it does not give a definition for it. It is also admissible as evidence in legal proceedings.
In addition, an electronic signature may not legally be refused simply because:
- it is in electronic form;
- it is not based on a qualified certificate;
- it is not based upon a qualified certificate issued by an accredited certification service provider;
- it is not created by a secure-signature-creation device.
Member States must ensure that a certification service provider which issues a qualified certificate is liable vis-à-vis any person who reasonably relies on the certificate for:
- the accuracy of all information in the qualified certificate;
- compliance with all requirements of the Directive in issuing the qualified certificate;
- assurance that the holder identified in the qualified certificate held, at the time of the issuance of the certificate, the signature-creation device corresponding to the signature-verification device given or identified in the certificate;
- in cases where the certification service provider generates the signature-creation device and the signature-verification device, assurance that the two devices function together in a complementary manner.
The certification service provider must not be liable for damage arising from use of a qualified certificate that exceeds the limitations placed on it.
Member States must ensure that mutual legal recognition of qualified certificates and electronic signatures from third countries is applied if certain reliability conditions are met. The Commission may make proposals to ensure that international standards and agreements are fully implemented.
Member States must ensure that certification service providers and national bodies responsible for accreditation or supervision comply with Directive 95/46/EC on the protection of personal data.
|Act|Entry into force|Deadline for transposition in the Member States|Official Journal|
|---|---|---|---|
|Directive 1999/93/EC| | |OJ L 13 of 19.1.2000|
Successive amendments and corrections to Directive 1999/93/EC have been incorporated in the basic text. This consolidated version is for reference purposes only.