New technical standard to harmonise the requirements for the quality of Qualified Electronic Signatures
The EU standard EN 419241-2 has just been published and will be used to evaluate the quality of, and compliance with the legislation by, the components used to activate remote electronic signatures. It is the first standard of its kind in Europe and is aimed at the Qualified Trust Service Providers who deliver and store European electronic signatures. Cryptomathic participated in the development of the standard and thereby had a say in its requirements.
Electronic and digital signatures come in different flavours, each with its own level of assurance and legal status. The highest level a digital signature can attain in the EU internal market is the Qualified Electronic Signature (QES), which has the same legal effect as a handwritten signature. The QES was introduced in 2014 with the eIDAS Regulation on electronic identification and trust services for electronic transactions.
Until now, however, there have been no uniform requirements on how to certify the devices used by Trust Service Providers (TSPs), who are responsible for delivering and storing remote Qualified Electronic Signatures. Each country could therefore choose for itself how quality is assessed, and the market has consequently followed divergent national requirements.
With the new standard, uniform requirements for the server systems that provide digital signature services apply across the EU. This makes life easier for organisations with cross-border activities, such as large banks.
New legislation is on its way
The standard, EN 419241-2, Trustworthy Systems Supporting Server Signing, Part 2: Protection Profile for QSCD for Server Signing, was published on March 4, 2019 by the European standardisation body CEN. Its use is voluntary for now, but with new European legislation in sight it is worth getting acquainted with the standard already. The European Commission is working on updating the earlier EU act that lists the standards against which qualified signature creation devices are certified, and it is expected to reference EN 419241-2 there, which would in effect make the standard mandatory for remote-signing devices.
To create remote Qualified Electronic Signatures, the signature key must be managed in a device certified against the new standard, and that device must be located and operated in an environment under the control of a Qualified Trust Service Provider.
Device certification is thus combined with national supervision of the Qualified Trust Service Provider, so that the national supervisory authorities can vouch for the security of the overall system.
A template for quality
The standard is a so-called Protection Profile: in Common Criteria terms, a template that states the security problem a class of product must solve and the functional and assurance requirements it must meet, against which a vendor's product is then evaluated and certified. With the Protection Profile in place, Qualified TSPs no longer have to work out for themselves how to demonstrate compliance with the legislation; they can follow what the standard specifies. For a signature to count as qualified, the standard imposes requirements on the system that activates the signature key: the person behind the signature must be identified and authenticated, and the activation must be bound to the specific data being signed and to the specific key used for signing, so that the key cannot be used without the signer's involvement.
The combination of strong legislation and standards has also made countries outside the EU take notice. America, Asia, Norway and Switzerland are following this space, and the principles of the standard are likely to spread beyond EU borders. An organisation that operates internationally or globally would be wise to take a closer look at the standard.
Contact us at firstname.lastname@example.org for more information on the EN 419241-2 standard.