With the adoption of (EU) Regulation no. 910 of 23 July 2014 (2014/910/EU), “eIDAS”, the legal framework defined by European Directive 1999/93/EC on electronic signatures (and by the national laws implementing it) is about to undergo a fundamental update at European level. This update aims to guarantee full EU-wide interoperability of electronic signatures, of a full set of services provided by third parties (called trust service providers), and of identification and authentication services.

The Regulation will come into force on 1 July 2016, when Directive 1999/93/EC is repealed, and will prevail over all conflicting national regulations, which will be implicitly repealed. Its coming into force revolutionises the current legal framework and creates a new legal and technical context founded on the principle of technological neutrality. Through secondary legislation, this approach allows the reference standards framework that ensures interoperability to be identified precisely and to be updated flexibly in order to adapt it to new technologies.

The new Regulation covers, in both the public and private sectors, identities, signatures, seals, electronic timestamps and documents, electronic delivery services, services to authenticate and certify websites, and all digital services in which trusting the counterparty is essential. The need for guarantees on the identification of counterparties, on the legal value of documents and their transmission and, more generally, on the digital services made available is clear.

The term “trust service” means a set of electronic services, usually provided against payment, that are distinguished as follows:
- creation, verification and validation of electronic signatures, electronic seals, electronic timestamps, electronic certified delivery services, certificates relating to these services;
- creation, verification and validation of website authentication certificates;
- preservation of electronic signatures, seals or certificates relating to these services.
Trust services can be “qualified” if they meet specific requirements set out in the Regulation itself.
The accredited certification authorities (which issue the smart cards for qualified digital and electronic signatures), the accredited registrars and the certified electronic mail managers under Italian legislation (Digital Administration Code) are considered qualified trust service providers under the eIDAS Regulation. Every party that provides qualified trust services is subject both to a conformity assessment by a third-party body accredited by one of the national accreditation bodies of the Member States (Accredia for Italy)* and to supervision by an authority (AgID for Italy), which, on the basis of the certificate issued following the conformity assessment, may or may not award the qualification**.
The eIDAS Regulation lists the tasks of the supervisory authorities – one per Member State – under Art. 17 and the mutual assistance procedures (Art. 18), with the purpose of establishing a reference framework so that supervision over the European Union territory is as uniform as possible.
Among other things, the eIDAS Regulation standardizes the services for creating and verifying electronic signatures. Mobile and even remote signature services will presumably fall under these, and the Regulation recognises their decisive role in the spread of these technologies. The eIDAS Regulation is an important step towards the goal of the digital single market, with the ambition of building a secure and interoperable reference framework for electronic transactions. Since it is a Regulation, its coming into force is not subject to implementation, which guarantees certain and uniform rules throughout the territory.
*The assessment can be carried out by any European body accredited in one of the Member States.
**The trust service provider is subject to supervision in the Member State in which it has its registered office.