Information Technology Legislation of Albania. Law No. 9880/2008 of 25.2.2008 on electronic signature

Pursuant to Articles 78 and 83 (1) of the Constitution, upon the Council of Ministers’ proposal,

THE PARLIAMENT OF THE REPUBLIC OF ALBANIA

DECIDED:

 

CHAPTER I. GENERAL PROVISIONS, DEFINITIONS

Article 1. Purpose

The purpose of this Law is to create the necessary legal framework on the recognition and application of electronic signatures in the Republic of Albania.

Article 2. Use of Electronic Signatures

1. The use of electronic signatures shall be voluntary unless otherwise specified by law.

2. Other legal provisions may require compliance with additional conditions for the use of qualified electronic signatures for the administrative activity of public bodies.

Article 3. Definitions

For the purposes of this Law, the following terms shall have these meanings:

1. “Electronic signature” shall be data in electronic form in, affixed to or logically associated with, other electronic data, which may be used as a means of identifying the signatory and authenticating the signed document.

2. “Advanced electronic signatures” shall be electronic signatures that:

a) are exclusively assigned to a specific owner of the signature code;

b) enable the identification of the owner of the signature code;

c) are produced with secure means which only the owner of the signature code can keep under his exclusive control;

d) are linked to the data in such a manner that enables any subsequent alteration of the data to be easily detected.

3. “Qualified electronic signatures” shall be advanced electronic signatures that:

a) are based on a qualified certificate that is valid at the time of the creation of the signature;

b) have been produced with a secure device for the creation of signatures.

4. “Signature codes” shall be unique electronic data such as private cryptographic codes or algorithms that are used to create an electronic signature.

5. “Signature test codes” shall be any electronic data, such as public cryptographic codes or algorithms, which are used to test and verify an electronic signature.

6. “Certificates” shall be electronic certificates assigning signature test codes to a person and confirming his or her identity.

7. “Qualified certificates” shall be certificates issued in conformity with this Law by certification service providers that comply with the requirements of this Law and other implementation regulations adopted under it.

8. “Certification-service providers” shall be natural persons or legal entities who issue qualified certificates or qualified time stamps.

9. “Signature-code owners” shall be natural persons who have signature codes. In the case of qualified electronic signatures, they must have been assigned the appropriate signature test codes in qualified certificates.

10. “Secure signature creation devices” shall be the hardware and software specially made for qualified electronic signatures that are used to store and apply the relevant signature codes, in conformity with the requirements of this Law and other implementation regulations adopted under it.

11. “Signature application components” shall be the hardware and software specially designed to:

a) assign data to the process of creating or verifying qualified electronic signatures;

b) verify qualified electronic signatures or check qualified certificates and present the results.

12. “Certification service technical components” shall be the hardware and software specially designed to:

a) create signature codes and transfer them into a secure signature-creation device;

b) keep qualified certificates available for verification and, if necessary, downloading by the public;

c) create qualified time stamps.

13. “Products for qualified electronic signatures” shall be secure signature-creation devices, signature-application components, and technical components for certification services.

14. “Qualified time stamps” shall be electronic certificates issued by a certification service operator that confirm that the assigned electronic data have been submitted at a specified time.

15. “The National Electronic Certification Authority” shall be the public authority that is specified in Article 10 of this Law and that is assigned with overseeing the implementation of this Law.

16. “The Minister” shall be the responsible minister for this field.

 

CHAPTER II. LEGAL VALIDITY OF ELECTRONIC SIGNATURES AND EXCEPTIONS

Article 4. Legal Validity of Electronic Signatures

Legal transactions and documents written by natural persons and public and private legal entities can also be made through an electronic document in conjunction with a qualified electronic signature. The electronic document which bears the name of the signatory and his qualified electronic signature shall have the same legal validity and power of evidence as the simple written form.

 

Article 5. Contract Qualified Electronic Signature

If the legal transaction is a contract then each of the parties has to sign the same document with each respective qualified electronic signature.

 

Article 6. Waiver of Rights

The parties can agree to waive the rights this chapter confers on them.

 

Article 7. Exceptions

The electronic signature shall not be used in the following cases:

1. Legal transactions in the area of family law and the law of succession, which are bound to higher form requirements;

2. Other legal transactions which require public legalization, a written notarized act or authorization by a court;

3. Legal transactions that are related to the giving of a bail;

4. Wherever the Law prohibits the use of electronic form.

 

Article 8. Truthfulness of Document Contents

If a document is signed with a qualified electronic signature it is deemed that the content of the document is true and has not been modified, unless the contrary is proved.

 

Article 9. Invalidity of electronic signatures

An electronic signature shall be considered invalid if it can be proven that the security requirements of this Law or the implementation regulations adopted under it have not been complied with.

 

CHAPTER III. AUTHORITY, REGISTRATION AND SUPERVISION

 

Article 10. National Electronic Certification Authority

1. The National Electronic Certification Authority (the “Authority”) shall be the institution assigned with the task of supervising the implementation of this Law and the regulations adopted under this Law.

2. The Authority shall be a central public institution, established as a legal person, under the minister responsible for interior affairs.

3. The Authority seat shall be in Tirana.

4. The Authority shall be funded by the state budget and revenues collected in the course of its activity.

5. The Authority shall be independent in making decisions on carrying out its functions, which derive from this Law or the implementation regulations adopted under it.

6. The Head of the Authority shall be appointed by the Minister as per the procedures provided for by Law Nº 8549 of 11/11/1999 “On the Status of Civil Servants”.

7. Authority officials shall be civil servants by their status. Employment contracts with those Authority employees that are auxiliary staff members shall be regulated by the Labour Law.

8. Its structure and organizational chart shall be approved by the Prime Minister, upon the Minister’s proposal, in accordance with the legislation in power. The Authority Rules of Procedure shall be approved by the Minister.

 

Article 11. Registration of Certification Service Providers

The Authority shall perform the registration of the names of registered certification service providers and of certification service providers that have discontinued their activities as per Articles 13 and 46 of this Law. The register shall be updated and published electronically.

 

Article 12. Supervision

The Authority can conclude agreements with public or private entities for performing the supervising activities. Such an activity shall include specific tasks that cannot be currently performed by the Authority.

 

Article 13. Discontinuation of Service Provider Activities

The Authority shall forbid a provider to perform its activity temporarily, in part or wholly, if it:

a) does not have the reliability necessary to operate as such;

b) does not have the specialized knowledge necessary for its operations that is required in Article 19 of this Law;

c) does not have the necessary financial cover required in Article 19 of this Law;

d) is using unsuitable products for electronic signatures;

e) does not fulfil the other conditions to operate as certification-service provider under this Law or other implementation regulations adopted under it.

 

Article 14. Invalidation of Qualified Certificates by the Authority

1. The Authority shall order qualified certificates to be invalidated if:

a) they are not sufficiently secure against forgery;

b) secure signature-creation devices have security defects that would enable qualified electronic signatures to be forged without detection or the falsification of data signed with these to go undetected.

2. The Authority shall determine the invalidity of forged qualified certificates.

3. The cancellation procedure and the notification of third parties shall be regulated by implementation regulations adopted under this Law.

 

Article 15. Validity of Qualified Certificates

The validity of qualified certificates issued by a certification-service provider shall not be affected by the measures taken against the service provider under Article 13 of this Law.

 

Article 16. Inspection and Information

1. In the course of exercising its powers, the Authority shall have the right to inspect, or request information from, service providers periodically or whenever it deems it reasonable.

2. The Authority shall inspect or request information whenever:

a) it has information about violations of this Law or other regulations adopted under it;

b) it receives complaints from electronic signature owners or applicants.

 

Article 17. Cooperation on Inspection

1. Certification service providers and the third parties working for them shall permit the persons acting on behalf of, and with authorization by, the Authority to enter their premises and workshops during normal operating hours even when there has been no prior notice.

2. Certification service providers and the third parties working for them shall provide the necessary information and support, and make available all the written and electronic documentation.

3. In the course of exercising the powers this Law confers on the Authority, the Authority shall be supported by central and local public authorities and police authorities, when it is deemed necessary.

 

CHAPTER IV. CERTIFICATION-SERVICE PROVIDERS

 

Article 18. Operation of Certification Service

Certification service providers shall not need to obtain prior authorization to operate.

 

Article 19. Conditions to Operate

1. Certification service providers can be any natural persons or legal entities that shall prove that:

a) they have the necessary reliability and specialized knowledge to operate as certification-service operators;

b) they have financial damage indemnification cover under Article 41 of this Law.

2. The conditions and criteria to be met by certification service providers, including those referred to in Paragraph 1 of this Article, shall be set out in implementation regulations issued under this Law.

 

Article 20. Registration of Certification Service Operation

The person that commences certification service operation shall be registered with the Authority upon commencing such an operation. At the moment of registering the service providers shall submit appropriate proof of meeting the conditions under Article 19 of this Law.

 

Article 21. Reporting Inability to Meet Conditions

The service provider shall ensure that the conditions under Article 19 of this Law are met throughout the entire duration of operation. Circumstances that render this impossible shall be reported to the Authority without delay.

 

Article 22. Transfer of Certification Service Tasks

The certification service provider may transfer tasks under this Law and implementation regulations issued under it to third parties if those third parties meet the conditions set out in Article 19 of this Law. The transfer shall not exempt the service provider from the obligations deriving from this Law.

 

Article 23. Periodical Reporting

Certification service providers shall submit a detailed annual activity report not later than 31 March of the following year. The form and contents of the report shall be prescribed by the authority.

 

CHAPTER V. ISSUING OF QUALIFIED CERTIFICATES

Article 24. Identification of Persons Applying for Qualified Certificates

1. The certification service providers shall accurately identify persons applying for qualified certificates, and, with the consent of the applicant, it shall be entitled to use personal data it has collected at an earlier date, in order to guarantee reliable identification of the applicant pursuant to this Article.

2. The certification service provider shall confirm the assignment of a signature-test code to an identified person with a qualified certificate and ensure that this can be verified electronically by anyone using public telecommunication access.

 

Article 25. Data on the Qualified Certificate as Requested by the Applicant

1. Upon the applicant’s request, a qualified certificate may contain data on his authorization to act on behalf of a third party, and occupational or data on his attributes.

2. Data on the authorization to act for a third party shall be certified by relevant proof, and occupation or other data on the person shall be confirmed by the bodies that are responsible for issuing them.

3. Other personal data may only be included in a qualified certificate upon the request of the applicant.

 

Article 26. Use of Pseudonym

1. If requested by the applicant the certification-service provider can use a pseudonym instead of his name in the qualified certificate.

2. The pseudonym can also be used for the data on the qualified certificate in conformity with Article 25 of this Law, provided the third party or the responsible body gives prior approval thereof.

 

Article 27. Protection of Data against Forgery and Ensuring the Secrecy of Codes

1. The certification service provider shall make the necessary arrangements to ensure that data for qualified certificates cannot be falsified or forged without detection.

2. The certification service provider shall ensure that the signature codes are kept completely secret. Signature codes may not be stored outside the secure signature creation device and shall not be accessible directly to the applicant.

 

Article 28. Reliability of Personnel and Products

For the purposes of certifying qualified electronic signatures, the certification service provider shall employ reliable personnel and products. The implementation regulations adopted under this Law shall prescribe the personnel and equipment security criteria.

 

Article 29. Signature Creation Device Security

The certification service provider shall obtain suitable proof that the applicant owns the relevant secure signature creation device.

 

Article 30. Obligation to Inform on Security

1. The certification-service provider shall inform the applicant of the measures needed to increase the security of qualified electronic signatures and shall test them reliably.

2. The certification-service provider shall inform the applicant that the qualified electronic signature data may have to be signed again if the security value of the current signature is reduced by the passage of time.

 

Article 31. Obligation to Inform on Legal Effect

The certification service provider shall inform the applicant that a qualified electronic signature has the same effect in legal transactions and other documents as a handwritten signature, unless otherwise specified in Article 7 of this Law.

 

Article 32. Written Information

To fulfil the information obligations under Articles 30 and 31 of this Law, the certification service operator shall provide the applicant with written information, acknowledgement of which the latter shall confirm in writing, as a condition for issuing a qualified certificate.

 

Article 33. Content of Qualified Certificates

A qualified certificate shall bear a qualified electronic signature and contain the following data:

a) the name of the signature code owner and a supplement shall be added to the name if there is a possibility of confusion with another name, or an unmistakable pseudonym assigned to the signature-code owner and recognizable as such;

b) the assigned signature-test code;

c) the designation of the algorithms with which the signature-test code of the signature-code owner and the signature-test code of the certification-service provider may be used;

d) the current number of the certificate;

e) duration of validity;

f) the name of the certification-service provider and the state in which he is domiciled;

g) information on whether the use of the signature code is limited to certain applications by nature or extent;

h) information that this is a qualified certificate;

i) if necessary, special attributes of the signature-code owner.

 

Article 34. Special Attributes

1. Attributes may also be included in a special qualified certificate (special attribute qualified certificate).

2. In a qualified special attribute certificate, the data of Article 33 may be replaced with clear reference to data from the qualified certificate to which it refers, if it is not necessary to use the qualified special attribute certificate.

 

Article 35. Invalidation of Qualified Certificates by the Provider

1. The certification service provider shall invalidate a qualified certificate immediately if:

a) a signature code owner or his authorized representative so demands;

b) the certificate was issued on the basis of false data that are contrary to the provisions of Article 33 of this Law;

c) the certification service provider ceases to operate and the operation is not transferred to another certification service provider;

d) the Authority orders it in accordance with Article 14 of this Law.

2. Further reasons for invalidating can be specified additionally in the contract between the parties without prejudice to the reasons set out in Paragraph 1 of this Article.

3. The invalidation act shall specify clearly the time of its entry into force.

4. Invalidation with retroactive effect is not permitted.

 

Article 36. Revocation by the Owner

The certification service provider shall provide a non-stop service for certificate revocation by the owner, which is operated so that authorized revocations can be executed immediately at any time that it is required.

 

Article 37. Certificate Invalidation in Case Special Attribute Conditions Cease to Apply

If a qualified certificate contains data under Article 25 of this Law, the third party or the office responsible for the data or special attributes on the person may demand invalidation of the certificate in question if the conditions for those data cease to apply after being included in the qualified certificate.

 

Article 38. Issuing of Qualified Time Stamps

The issuing of qualified time stamps by a certification service operator shall meet the same requirements as stated in Article 28 of this Law.

 

Article 39. Documentation of Security Measures and Qualified Certificates

1. The certification service provider shall document all security measures taken to observe this Law and the implementation regulations adopted under this Law, and document the issued qualified certificates, so that the data and their correctness can be confirmed at any time.

2. The documentation shall be made without delay and in such a manner that it cannot subsequently be altered without detection, particularly in the cases of qualified certificate issuance and invalidation.

 

Article 40. The Right to Access to the Data Kept with the Service Provider

Upon his request, the signature-code owner shall be given access to the data and the procedural steps concerning him, which are stored with the certification-service provider.

 

CHAPTER VI. LIABILITY

 

Article 41. Damages

1. The certification service provider shall reimburse a third party for any damage suffered from relying on the data in a qualified certificate or a qualified time stamp or on information given in accordance with Article 24 of this Law, in the cases when:

a) it infringes the requirements of this Law and the implementation regulations adopted under it;

b) his products for qualified electronic signatures or other technical security facilities fail;

2. Damages shall not be payable if the third party has been aware, or must have been aware, of the facts under Paragraph 1 of this Article.

 

Article 42. Exemption from Obligation to Damages

Damages need not be reimbursed if the certification service provider proves that it has incurred no culpability.

 

Article 43. Limitation of Damages

If a qualified certificate restricts the use of the signature code to certain applications by type or extent, damages shall be payable in proportion to the limits of those restrictions.

 

Article 44. Liability for Transfer

The certification service provider shall also be liable in those cases when it transfers the obligation to provide the services under Article 22 of this Law.

 

Article 45. Economic Guarantee

The certification service provider shall be obliged to take necessary measures for ensuring that it can meet its statutory obligations for reimbursement of damages caused by:

a) infringement of the law or regulations in power;

b) failure of its products for qualified electronic signatures or other technical security facilities.

 

Article 46. Steps Following the Cessation of Certification Service by the Certification Service Provider

1. A certification service provider shall report the cessation of its operation immediately to the Authority.

2. In the case of operation cessation, the certification service provider shall immediately:

a) revoke all valid certificates;

b) ensure that valid certificates are taken over by another certification service provider and support the replacement certification service provider in the best way possible, providing it with all the necessary data;

c) inform the concerned signature code owners of the cessation of its operations and that the certificates are being taken over by another certification service provider.

3. Even in the case of the cessation of operations the certification service provider has to continue the revocation services. If it is not able to fulfil this it shall report this fact to the Authority, which will then take care of the respective revocation services.

CHAPTER VII. DATA PROTECTION

 

Article 47. Use of Data

1. The certification service provider shall only use the personal data that is necessary to fulfil the certification services and only insofar as it is necessary for the purposes of issuing and maintaining the certificate.

2. Personal data shall be obtained from the signature code owner directly or from a third party with the consent of the owner.

 

Article 48. Submission of Data

1. The certification service operator shall hand the data on the identity of a signature-code owner to the Authority upon its request:

a) where this is necessary for the prosecution of criminal acts or infringement of regulations, and where such a request comes from bodies assigned by law to proceeding;

b) to avoid threats to national security or public order;

c) to fulfil the tasks legally required of fiscal or customs authorities or other authorities in investigating violations of the law;

d) where the court orders it.

2. When requesting the information, the Authority shall inform the signature code owner that his pseudonym has been revealed as long as this does not restrict the performance of its legal duties, or if the interests of the signature code owner in being informed outweigh the other considerations.

 

CHAPTER VIII. TECHNICAL SECURITY

 

Article 49. Signature Creation Device Security

1. Secure signature creation devices shall be used for the protection of signature codes and production of qualified electronic signatures. Such devices shall reliably identify forged signatures and false signed data and provide protection against unauthorized use of signature codes.

2. If the signature codes are themselves produced on a secure signature creation device, the requirements of Article 51 of this Law shall apply.

 

Article 50. Signature Application Components

1. The presentation of data to be signed requires signature application components that will clearly indicate the production of a qualified electronic signature and enable the data to which the signature refers to be identified.

2. To check signed data, signature application components are needed that will show:

a) the data the signature refers to;

b) whether the signed data have been changed;

c) the signature code owner the signature has been assigned to;

d) the contents of the qualified certificate on which the signature is based, and the appropriate qualified special attribute certificates;

e) the results of the subsequent check of certificates under the provisions of Article 24 (2) of this Law.

3. When the Authority requires it, the signature application components shall make the contents of the data to be signed or already signed sufficiently evident.

4. The signature code owners should use these signature application components or take other suitable steps to secure qualified electronic signatures.

 

Article 51. Certification Service Technical Components

The technical components for certification services shall contain provisions to:

1. Ensure that signature codes produced and transferred are unique and secret and exclude the possibility of storage outside the secure signature creation device.

2. Protect qualified certificates that are available to be tested or downloaded in accordance with Article 24 (1) of this Law against unauthorized alteration and access.

3. Exclude the possibility of forgery and falsification in the production of qualified time stamps.

 

Article 52. Organization of Testing and Confirmation

1. The Authority shall recognize a natural person or a legal entity upon application as a confirmation organ if it can prove it has the reliability, independence, and specialized knowledge needed to exercise these functions.

2. The recognition of testing and confirmation organs may be:

a) limited in content;

b) for a limited period of time;

c) attached to conditions.

3. The testing organs shall perform their tasks impartially, free of instruction, and professionally.

4. Testing organs shall document the tests and confirmations and hand over this documentation to the competent authority when they cease to operate.

5. Implementation regulations shall specify the conditions, criteria and obligations for testing organs to operate.

 

Article 53. Compliance with Requirements

1. The testing organ shall give confirmation of compliance with the requirements of Articles 49, 50 and 51 of this Law and implementation regulations adopted under this Law.

2. The product manufacturer shall at the time of placing the product on the market, at the latest, deposit a copy of his declaration in writing with the relevant authority stating compliance with the requirements of this Law.

3. Declarations of manufacturers which comply with the requirements of this Law and of other implementation regulations on electronic signatures adopted under this Law shall be made available to interested parties.

 

Article 54. Recognition and Use of Foreign Electronic Signatures and Products

1. Foreign electronic signatures and foreign electronic signature products shall be recognized and applied in accordance with the agreements on their recognition and data exchange signed by the Republic of Albania with other states.

2. The procedures to establish the security of foreign electronic signatures and foreign products for electronic signatures shall be specified by implementation regulations.

 

CHAPTER IX. COSTS AND FEES

 

Article 55. Fees

Upon the responsible Minister’s proposal, the Council of Ministers shall approve the degree and types of fees to be paid by certification service operators or other entities that have liabilities payable to the Authority under this Law. The amount of fees cannot be bigger than the service costs incurred by the Authority.

 

CHAPTER X. ADMINISTRATIVE MEASURES

 

Article 56. Contraventions

If not criminal offences, the following violations shall be considered as administrative contraventions and shall be sanctioned as follows:

1. A fine of ALL 2 million for the following violations:

a) failure to report the commencement of operation in accordance with Article 20 of this Law;

b) failure to perform accurate identification of the applicant in accordance with Article 24 (1) of this Law;

c) failure to comply with the requirements of Article 25 (2) for receiving proof of authorization to act on behalf of third parties;

d) failure to take prior approval from third parties in accordance with Article 26 (2) of this Law;

e) failure to comply with the requirements on certification service cessation in accordance with Article 46 of this Law.

2. A fine of ALL 1 million for the following violations:

a) provision of certification services in conflict with the conditions specified in Article 19 of this Law;

b) failure to take the security measures required by Article 27 of this Law;

c) failure to prepare the documentation under Article 39 of this Law;

d) failure to cooperate with the Authority in accordance with Articles 17 and 48 of this Law.

 

Article 57. Other Measures

Without prejudice to the measures provided for in Article 56, and the circumstances specified in Article 13 of this Law, if the Authority deems it reasonable that the violations are of such a degree or type that pose a threat to the integrity and reliability of the service provider, it can order the temporary, full or in part, cessation of the service operator activity.

 

Article 58. Appeal and Execution

1. An appeal can be made against the sanctioning with a fine or operation cessation, by means of addressing the Minister, within 10 days from the date when the measure was taken.

2. The Minister shall make a decision within 30 days. The decision can be appealed against at the court within 30 days from the day when it was announced or notified.

3. The review of the administrative contraventions, appeals and execution of decisions can be made in accordance with the Law on Administrative Contraventions.

The fines shall be executive titles receivable by the Authority and transferable to the State Budget.

 

CHAPTER XI. FINAL PROVISIONS

 

Article 59. Implementation Regulations

The Council of Ministers shall issue the implementation regulations under Articles 14, 19, 28, 52, 54 and 55 of this Law.

 

Article 60. Entry into force

This Law shall enter into force 15 days after its publication in the Official Gazette.

SPEAKER

Jozefina Topalli (Çoba)

 
