Slovenian Information Technology Legislation. Decree on conditions for Electronic Commerce and Electronic Signing

Decree on conditions for Electronic Commerce and Electronic Signing

1. General provisions

Article 1

This decree determines:

§ the criteria used to assess compliance with the requirements for the operation of certification service providers who issue qualified certificates, and contains:
§ detailed provisions on the internal rules of such certification service providers,
§ signature creation and verification of advanced electronic signatures,
§ the period of validity of qualified certificates,
§ detailed conditions regarding the use of secure time stamps,
§ the type and use of marks of accredited certification service providers,
§ conditions for electronic commerce in public administration.

Article 2

Irrespective of the provisions of the other articles of this Decree, hardware, software and procedures comply with the criteria and conditions of this Decree if they are in accordance with standards, criteria or conditions commonly recognized in the European Union and published in the Official Journal of the European Communities.

 

2. Protection of the infrastructure of the certification service provider in general

Article 3

Premises of the certification service provider and the infrastructure shall be, in accordance with the rules of the profession, properly electronically and physically protected from unauthorized entries.

Article 4

(1) The certification service provider shall carry out regular security controls of its infrastructure every working day, or every day if it provides its services 24 hours a day, 365 days a year. The certification service provider shall keep a record of all its findings and interventions.

(2) These security controls include verifying whether the infrastructure is safe, whether all security systems operate without disturbance and whether in the meantime there have been any intrusions or attempted intrusions by unauthorized persons trying to gain access to the certification service provider's equipment or data.

Article 5

At least two of the certification service provider's employees shall operate with the signature creation data at the same time. For this purpose the certification service provider shall ensure that no single person holds all the data and tools necessary to access the equipment on which the signature creation data of the certification service provider are stored.

Article 6

The certification service provider shall ensure secure storage of at least two backup copies and of other media used for such transmission of data, in order to prevent loss of data or use of data by an unauthorized person. Backup copies shall be stored at another safe location, separately from the certification service provider's information system for the administration of qualified certificates. The certification service provider shall record information about the storage of the backup copies.

Article 7

Certification service provider shall use and protect his signature creation data for qualified certificates with reasonable care of an expert and physically and electronically protect them in accordance with the established rules of the profession to prevent physical or electronic breaking in or unauthorized access to these data.

Article 8

The certification service provider shall keep one or more separate written records in which all the information prescribed by this Decree, and other information about procedures and interventions into the infrastructure which affect the reliability of the operation of the certification service provider, shall be entered. The record shall be accessible and kept for at least 5 years.

Article 9

(1) The certification service provider shall draw up special minutes of all the initial authorizations and procedures used to establish its information system for the administration of qualified certificates. The minutes shall be signed by all participants in these procedures and permanently stored.

(2) If some changes in the authorizations or important changes of settings of the information system for the administration of qualified certificates, which were determined when the system was set up, occur later, all the aforementioned changes shall be documented in minutes.

 

3. Physical protection of infrastructure of the certification service provider

Article 10

Certification service provider shall ensure a proper physical protection of his hardware and supervision of the physical access to his information system for the administration of qualified certificates. He shall promptly enter all the physical accesses to the information system in his record.

Article 11

(1) The simultaneous presence of at least two persons holding a permit for access to the information system is required for physical access to the information system of a certification service provider for the administration of qualified certificates.

(2) Entry into premises of the certification service provider, where his information system for the administration of qualified certificates is situated, shall be allowed only to the persons, who discharge their duties and tasks for the certification service provider in these premises. The access shall be in accordance with a written list of persons, who are allowed regularly to enter to individual premises. Persons, to whom a regular entry is not allowed, shall be registered on a special list by persons, who are allowed regularly to enter, and shall be accompanied by such persons all the time.

 

4. Electronic protection of the infrastructure of certification service provider

Article 12

(1) The information and telecommunication infrastructure of a certification service provider that is linked to another information and telecommunication network shall be protected with reliable security mechanisms (intrusion prevention and detection systems, firewalls and similar) which prevent unauthorized access through this network and limit access to the protocols that are essential for the administration of qualified certificates. All other protocols shall be denied access.

(2) If the system is designed so that communication with the certification service provider's system for the administration of qualified certificates passes through another network, this passage shall be encrypted.

Article 13

Information system of the certification service provider for the administration of qualified certificates shall be composed only by hardware and software, required for the administration of qualified certificates.

Article 14

After the validity of the signature creation data of the certification service provider, which are not crucial for the verification of data retroactively, expires, the certification service provider shall safely and reliably destroy all the copies.

Article 15

Information of the certification service provider, which could affect the reliability and safety of the operation of the certification service provider, shall not leave the system uncontrolled in a way that could threaten the operation in accordance with the effective regulations and internal rules of the certification service provider. After they have been used, the means of communication shall be removed and then safely and reliably destroyed.

Article 16

(1) Information system of the certification service provider for the administration of qualified certificates shall have incorporated sufficient security mechanisms, which prevent the abuse by the employees and enable a clear division of the tasks from the scope of the Article 21 of this Decree.

(2) Security measures of the information system for the administration of qualified certificates shall ensure a controlled access to information and supervision of the access up to the very individual, namely for all the interventions and functions, which affect the administration of qualified certificates of the certification service provider.

 

5. Technical requirements, which the certification service provider shall meet

Article 17

Certification service provider shall within his technology and procedures ensure the uniqueness of the signature verification data, which means that he shall enable an unequivocal and safe determination of identity of the holder from the electronic creation data.

Article 18

(1) Software used by the certification service provider shall conform to internationally recognized security and technical standards (FIPS 140-1 for cryptographic modules, recommended EAL5 or at least EAL3 of the Common Criteria (ISO 15408), recommendations of the group of experts from the European Electronic Signature Standardization Initiative (EESSI) and others).

(2) Software which generates the signature creation data shall minimise the possibility of misappropriation of the data, using currently available technologies.

Article 19

Certification service provider shall ensure confidentiality and singleness of the use of data, used to generate a qualified certificate.

 

6. Registry service

Article 20

(1) Employees in the registry service of the certification service provider shall reliably ascertain the identity of persons, in person and by means of official documents bearing a photograph of the holder, and shall collect and communicate the data of the persons necessary for the issue of a qualified certificate by the certification service provider.

(2) Registry service of the certification service provider shall communicate the acquired data of persons to the other services of the certification service provider in accordance with the law that prescribes protection of personal data.

 

7. Employees of certification service provider

Article 21

(1) The certification service provider shall employ at least three persons with university education, of whom at least two hold a university degree in technical or natural science, and at least two persons shall have two years' working experience in the field of the operation of certification service providers or related fields.

(2) Duties of the employees for performing tasks of certification service provider shall be distributed among several persons, in a way that the employees are prevented from the abuse. The duties shall be determined in a way that the scope of administration of qualified certificates, the scope of the administration with the information system of the certification service provider and the scope of protection and control are clearly separated.

Article 22

Certification service provider shall employ or have a proper counseling contract with a lawyer with university degree and with the State exam of jurisprudence.

Article 23

(1) All the persons from the previous two Articles shall have special expertise in administration and knowledge of technology, security procedures and legal requirements from the field of electronic commerce and operation of the certification service providers, for which they shall be professionally qualified.

(2) Employees in the registry service shall be qualified for a reliable determination of the identity of persons.

Article 24

(1) Besides their employment, the employees of the certification service provider shall not perform same or similar work as they perform within their employment, for other certification service providers, if the latter are not subordinate certification service providers, and they shall not perform work, which is incompatible with the working duties and responsibilities they have towards the certification service provider.

(2) Irrespective of the provision of the preceding paragraph the employee of the certification service provider can perform independent scientific and pedagogic work, work in cultural, artistic, sports, humanitarian and other similar associations and organizations, and journalistic work.

 

8. Technical requirements for secure signature creation and verification of advanced signature

Article 25

Each use of secure signature creation data shall require from the signatory a conscious and reliable act for presentation to the secure signature creation device (i.e. entry of password, fingerprint or similar), except when the information system is programmed in advance to react automatically.

Article 26

(1) User shall always verify the electronic signature in accordance with the instructions of the signatory. When the signatory also annexed the certificate of the certification service provider to the signature, the user shall verify the electronic signature also in accordance with the instructions of the certification service provider, who issued the certificate, or the certification service provider, who is superior or acknowledges the certification service provider, who issued the certificate.

(2) By verifying the electronic signature with the help of the certificate of the certification service provider, the user shall always verify the validity of the certificate in accordance with the instructions of the certification service provider, who issued the certificate. The user shall also verify whether the certificate is registered in the register of the revoked certificates, if the certification service provider, who issued the certificate, keeps such register.

(3) The advanced signature verification device shall enable the user to clearly determine which data were signed and to what extent they were signed. If the signed data are connected to other data or refer to other data, and the user can automatically link to these data, the device shall clearly warn the user when those data were not acquired with a verified electronic signature.

 

9. Insurance for the risk of liability

Article 27

The lowest insurance sum, with which the certification service provider, who issues qualified certificates, ensures the risk of liability for damages, is of 50,000.000 tolars.

 

10. Internal rules of certification service providers

Article 28

Internal rules of certification service providers, who issue qualified certificates, shall include a public and a private part. All the essential provisions of internal rules, which affect the relationship among the certification service provider, holders of qualified certificates, issued by him, and third parties, who rely on these certificates, shall be included in the public part of internal rules.

Article 29

In the public part the internal rules shall include at least:

1. provisions about the infrastructure of the certification service provider, which contain basic technical and procedural properties and information about the level of security and reliability of the infrastructure;

2. provisions about the number, structure and qualifications of the employees of the certification service provider;

3. provisions about the requirement of possible subordinate certification service providers, requirement of mutual recognition of the certification service providers;

4. provisions about security requirements and obligations of the holder of qualified certificates and third parties, who rely on qualified certificates;

5. provisions about basic characteristics and content of qualified certificates, issued by the certification service provider;

6. provisions about administration of qualified certificates, which contain above all the provisions about application for an issue and verification of the identity of persons and provisions about issue, extension of validity and revocation of qualified certificates;

7. provisions about the liability of the certification service provider and about the insurance sum;

8. information about the identity of the certification service provider and his infrastructure;

9. provisions about the procedures in case of cessation of the activity of the certification service provider.

Article 30

In the private part the internal rules shall include at least:

1. provisions about the premises of the certification service provider;

2. additional provisions about the employees of the certification service provider, which mostly include the provisions about competences and tasks of individual members of staff, provisions about special authorizations of members of staff, conditions, required from staff and provisions about eventual external co-workers;

3. provisions about physical protection of infrastructure of the certification service provider, which mostly include the provisions about access into the premises of the certification service provider (entry rights, authentication system, etc.); about management of hardware and wastes; and about entering and taking out the equipment and material;

4. provisions about protection of electronic or software system, which mostly include provisions about security settings of servers, use of telecommunication devices and equipment and provisions about registration into system, security copies and similar;

5. provisions about internal supervision, which include mostly operative implementation and following of the events (control of the physical access, control of authorizations, reporting about security problems and similar);

6. provisions about measures in case of unexpected events;

7. provisions about how to keep registers and to draft minutes, including the provisions about the eventual electronic form of records.

Article 31

Public part of internal rules of the certification service providers shall be publicly accessible in the electronic form on internet or on durable means of communication in an electronic or classical form.

 

11. Period of validity of qualified certificates

Article 32

The period of validity of a qualified certificate shall be five years at the most from the day of its issue.

Article 33

(1) A person who stores data signed with an electronic signature shall, at the latest one month before the end of the period determined by the certification service provider in the public part of its internal rules for the validity of the data for the electronic signature, ensure a renewed electronic signature of such data by all persons who electronically signed the data the first time, or by a notary, or shall ensure confirmation of the data with a secure time stamp of the certification service provider. If no period of validity was determined, the above-mentioned measures shall be taken by the day the qualified certificate expires.

(2) Certification service provider shall, by issuing a qualified certificate, warn the certificate holder about the renewed electronic signature from the preceding paragraph.

 

12. Secure time stamp

Article 34

(1) Secure time stamp shall contain unequivocal and correct information about the date, exact time (at least to the second) and the certification service provider, who created the secure time stamp.

(2) Secure time stamp may be added or annexed to the document and connected with it, but nevertheless the same requirements shall be met as for the advanced electronic signature with a qualified certificate.

Article 35

Certification service provider, who issues secure time stamps, shall use the information system that is synchronized with a source of the exact time.

 

13. Mark of accredited certification service provider

Article 36

(1) The mark of an accredited certification service provider shall be in the form of a circle, with a capital “A” in the middle and with the inscription “AKREDITIRANI OVERITELJ V REPUBLIKI SLOVENIJI” in the Slovene version, or the inscription “ACCREDITED CERTIFICATION SERVICE IN THE REPUBLIC OF SLOVENIA” in the English version (enclosure nº 1), along the whole margin of the circle.

(2) The mark may be used in arbitrary size by preserving the same proportions (enclosure nº 1).

Article 37

(1) An accredited certification service provider may use the mark from the preceding Article in its operation on documents in classical or electronic form.

(2) Certification service provider shall, by operating in Slovene language, always use the Slovene version of the mark, and by operating in other languages he may use the English version of the mark.

 

14. Electronic commerce in public administration

Article 38

All information solutions for electronic commerce in public administration which include the use of the electronic signature shall use exclusively the certificates of the certification service provider of the Government Center for Informatics, SIGOVCA, or the certificates of its subordinates or of other certification service providers confirmed by it. The Government Center for Informatics shall develop a hierarchically distributed trust model.

Article 39

Administration units shall perform tasks connected to registration and determination of the identity of the persons for the use of electronic commerce with the institutions of public administration. An authorization may be released also to other institutions.

Article 40

(1) A commission operates within the Government Center for Informatics as a counseling body for the questions about the use of electronic commerce and signature in public administration, mostly for examination of security, technical and legal requirements and other questions.

(2) On the basis of Electronic Commerce and Electronic Signature Act the commission gives to the Government of the Republic of Slovenia and to the minister, competent for economy, suggestions for adoption of implementing regulations within their competence, and to inspection and accreditation body the recommendations about determination of security and technical criteria for implementation of the supervision of operation of certification service providers.

Article 41

Members of the commission are nominated by the Government of the Republic of Slovenia from among scientific, technical and legal experts in State administration and outside it on a suggestion by the director of the Government Center for Informatics of the Republic of Slovenia.

 

15. Provisional and final provisions

Article 42

Employees and contractual co-workers of certification service providers who begin to operate before 1 January 2002 shall meet the requirements of Article 23 of this Decree by that date at the latest.

Article 43

This Decree shall enter into force a day after its publication in the Official Journal of the Republic of Slovenia.
