5.3 Identified interoperability issues
5.3.2 Legal framework is based on concepts that are unique to a specific country
5.3.2.1 Issue
In sections 4.2.1. and 4.2.2. we examined the applicable legal frameworks in each of the surveyed countries, specifically as they related to eGovernment applications. This allowed us to identify some examples of terminological or real difference, where national laws established concepts which have no clear meaning at the European level, including (as noted above):
• Bulgarian law, which uses a definition of electronic signatures that corresponds substantially to the meaning of ‘advanced electronic signature’ under the Directive. The EDESA provides an alternative definition of the ‘advanced electronic signature’, which is in fact similar to that of the so-called qualified electronic signature. Finally, the EDESA introduced the concept of a universal electronic signature (UES), a type of advanced electronic signature (in the sense of the Directive) which is supported by a qualified certificate issued by a CSP registered in Bulgaria. The UES is the only type of electronic signature which has the effect of a handwritten signature in respect to everyone under Bulgarian law, unlike the basic and the advanced electronic signature which have such an effect only between private persons. In practice the UES is commonly required for the eGovernment needs. The UES is thus a uniquely Bulgarian concept.
• In the context of Croatian law, the advanced electronic signature is defined as being based on a qualified certificate.
• French law relies on a specific and comprehensive reference framework, rather than on the concept of qualified certificates/signatures. French CSPs can choose to be evaluated against the requirements of the “Référentiel Intersectoriel de Sécurité” (RGS), part of which was previously called PRIS (Politique de Référencement InterSectorielle, version 2). The RGS aims to define requirements applying to a series of security functions in information systems. It is mandatory for public agencies and for their service providers. Three levels of security are defined for each service: middle (*), strong/standard (**) and strengthened (***). CSPs/CAs may make use of this qualification among public or private application promoters, thus ensuring that the reference framework acts as a voluntary accreditation scheme. To be referenced, the CSP must be first be qualified for a service and for a security level, and secondly the certificate profile must be compliant with the one defined to ensure the interoperability with all online services requiring such type of certificates. The certificates issued for signature purposes at high signature*** level allow a signature to be obtained that is presumed to be reliable, within the scope of the eSignatures Directive, corresponding to the European ETSI and CEN standards which technically reflect the requirements of the European Directive on electronic signatures.
• Lithuanian law relies on the concept of the ‘secure eSignature’, which is identical to the notion of “advanced eSignature” used by the eSignatures Directive.
• Polish law is currently under revision. Among other points, it is being considered to introduce the term of advanced electronic signature, in the same sense as defined in the Directive. Current Polish law instead relies on the term ‘secure electronic signature’, corresponding roughly to an advanced signature created using an SSCD. Separate from this initiative, current draft regulations with regard to the planned Polish eID card envisage that the card will support so-called ‘personal signatures’, a new concept to be introduced. As personal signatures are
currently planned to be considered legally equivalent to hand written signatures, the European equivalent term would appear to be a qualified signature.
• Finally, Slovak law defines only the electronic signature based on asymmetric cryptography (digital signature) and does not define the technologically neutral electronic signature as defined in Art. 2.1 of the Directive. The advanced electronic signature according to the Directive was transposed into the Slovak legal system as an “electronic signature” (much as in Bulgaria) and the qualified electronic signature according to Art. 5.1 of Directive was transposed into the Slovak legal system as “guaranteed electronic signature (zaručený elektronický podpis - ZEP)”.
5.3.2.2 Impact assessment
As long as these are purely terminological issues, this situation may prove to be slightly confusing but ultimately harmless, since signature interoperability will ultimately require that solutions are implemented which automatically assess the adequacy of a signature, and end users will never be expected to actually familiarise themselves with these national concepts anyway. However, if these categories take up such a fundamental role in eGovernment processes that it becomes impossible or unreasonably complex to determine whether a foreign signature meets the applicable requirements, there is a real risk of these diverging concepts becoming a barrier to cross border interoperability. This can in particular be the case when national laws require the use of a signature type which is unknown at the European level. This issue will be examined further below.
5.3.2.3 Potential solutions and ongoing initiatives
There is no objection against the creation of specific national concepts, and in some cases (like e.g. the French Intersectorial Reference Framework (Référentiel Intersectoriel de Sécurité) they can be considered as highly developed and useful examples of a voluntary accreditation scheme. However, national policy makers must be aware that national signature concepts (or national accreditation schemes) can also become interoperability barriers when national policies and laws become too strongly linked to these concepts and schemes, to the extent that foreign signature solutions can no longer enter the market. In that respect, policy makers must make sure that their national regulatory concepts and schemes do not create interoperability barriers towards foreign eSignature solutions. This is not merely a matter of principle, as adverse policies could also be contrary to the eSignature Directive’s rules in relation to prior authorization and the public sector clause (article 3.7). This issue will be further examined below.