4.5 Legal / policy analysis
4.5.1 The European legal framework
4.5.1.3 Services Directive – Principles and applicability
Basic principles of the Directive
Finally, the Services Directive of 12 December 2006 (to be transposed by the Member States by 28 December 2009 in accordance with its article 44) introduces a legal framework aiming to harmonise the internal market with regard to the provision of services, both in relation to the exercise of the freedom of establishment for service providers and the free movement of services (article 1 of the Directive). This should facilitate the provision and use of cross-border services in the European Union, thus increasing cross-border competition in service markets, bringing down prices and improving quality and choice for customers.
Applicability to the issue of identity management
While not explicitly relevant to eGovernment or identity management as a whole, the Directive nonetheless contains one particular provision that will have a direct impact on the state of electronic identity management systems in many Member States. Specifically, article 8 of the Directive states the following:
“Article 8 – Procedures by electronic means
1. Member States shall ensure that all procedures and formalities relating to access to a service activity and to the exercise thereof may be easily completed, at a distance and by electronic means, through the relevant point of single contact and with the relevant competent authorities.
2. Paragraph 1 shall not apply to the inspection of premises on which the service is provided or of equipment used by the provider or to physical examination of the capability or of the personal integrity of the provider or of his responsible staff.
3. The Commission shall, in accordance with the procedure referred to in Article 40(2), adopt detailed rules for the implementation of paragraph 1 of this Article with a view to facilitating the interoperability of information systems and use of procedures by electronic means between Member States, taking into account common standards developed at Community level.”
The first paragraph of this article requires Member States to create in effect an on-line one-stop-shop (a point of single contact – PSC), where service providers can go to meet any requirements covered by the Directive linked to the access or exercise of impacted services in that country. Apart from a number of other issues, a key problem to be resolved is the identification of the service providers.
It should be noted that this paragraph does not require Member States to implement a specific eIDM system that is interoperable with any non-national systems. It would be equally possible to implement a strictly national lower-level authentication system that allows non-national entities to meet their obligations electronically and at a distance. Alternatively, Member States could opt to abolish certain requirements that would be difficult to reconcile with this provision.
Theoretically, the ideal solution would be to implement an interoperable eIDM system that would allow non-national entities to authenticate themselves with an acceptable degree of certainty using their own national eIDM systems. However, this approach has an inherent weakness: it requires a reliable non-national eIDM system to interoperate with, which may be non-existent in some countries.
It is clear that the Directive foresees the creation of interoperability mechanisms (both with regard to authentication and document exchange) as a key route to complying with the provisions of article 8. This is witnessed by the third paragraph of the article, which grants the Commission the authority to ‘adopt detailed rules for the implementation of paragraph 1 of this Article with a view to facilitating the interoperability of information systems and use of procedures’.
Currently, the issue of identity management is addressed in an oblique manner through the ongoing CROBIES work [36] surrounding the “Common Minimum Requirements for a Qualified Certificate Profile supporting Qualified Electronic Signatures” [RD9]. As indicated by the name, this work focuses mainly on improving the interoperability of electronic signatures based on qualified certificates, and not on entity authentication as such; however, there may be a significant impact on identity management issues as well.
The relevant efforts within CROBIES with an eIDM component do not relate primarily to questions of identity management as applied to the signatory but rather to the content and structure of qualified signature certificates as a whole. As such, the CROBIES work is aimed at establishing a better and more harmonised implementation of the TS 102 280 standard (X.509 V.3 Certificate Profile for Certificates Issued to Natural Persons [37]). One of the main expected impacts will be the mandatory use of a harmonised serialNumber within the Subject field of the certificate, which should ensure that at least a basic resource is available to unambiguously identify signatories. It should be kept in mind, however, that this work is only envisaged to directly impact qualified certificates, and that the serialNumber as such may not be a directly usable resource for any given e-signatures application. Thus, in this respect, the CROBIES work provides a crucial input to address semantic issues related to the identity and capacity of signatories.
[36] Cross Border Interoperability of eSignatures [CROBIES] study; see http://ec.europa.eu/information_society/policy/esignature