CHAPTER III TRUST SERVICES

SECTION 4 Electronic signatures

Article 25 Legal effects of electronic signatures

1. An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.

2. A qualified electronic signature shall have the equivalent legal effect of a handwritten signature.

F1 3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Article 26 Requirements for advanced electronic signatures

An advanced electronic signature shall meet the following requirements:

(a) it is uniquely linked to the signatory;

(b) it is capable of identifying the signatory;

(c) it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and

(d) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.

Article 27 Electronic signatures in public services

F2 1. If a public sector body requires an advanced electronic signature for the use of an online service offered by or on behalf of that body (but does not require it to be based on a qualified certificate for electronic signature), the body must recognise any advanced electronic signature (whether or not based on a qualified certificate for electronic signature) that complies with the Implementing Decision.

2. If a public sector body requires an advanced electronic signature based on a qualified certificate for electronic signature to use an online service offered by or on behalf of that body, the body must recognise any advanced electronic signature based on a qualified certificate for electronic signature, or any qualified electronic signature, that complies with the Implementing Decision.

3. If a public sector body requires an electronic signature to use an online service offered by or on behalf of that body, the body may not, for the use of that service from a place outside the United Kingdom, require the signature to be at a higher security level than that of a qualified electronic signature.

F3 4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F4 5. In this Article “the Implementing Decision” means Commission Implementing Decision (EU) 2015/1506 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies.

Article 28 Qualified certificates for electronic signatures

1. Qualified certificates for electronic signatures shall meet the requirements laid down in Annex I.

F5 2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

3. Qualified certificates for electronic signatures may include non-mandatory additional specific attributes. Those attributes shall not affect the interoperability and recognition of qualified electronic signatures.

4. If a qualified certificate for electronic signatures has been revoked after initial activation, it shall lose its validity from the moment of its revocation, and its status shall not in any circumstances be reverted.

F6 5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F7 6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Article 29 Requirements for qualified electronic signature creation devices

1. Qualified electronic signature creation devices shall meet the requirements laid down in Annex II.

F8 2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Article 30 Certification of qualified electronic signature creation devices

1. Conformity of qualified electronic signature creation devices with the requirements laid down in Annex II shall be certified by appropriate public or private bodies designated by F9 a person appointed for that purpose by the Secretary of State (“the appointed person”).

F10 2. The appointed person must notify the supervisory body of the name and address of any body the person designates under paragraph 1.

2A. The supervisory body must maintain a list of the names and addresses of the designated bodies notified to it under paragraph 2.

3. The certification referred to in paragraph 1 shall be based on one of the following:

(a) a security evaluation process F11 that complies with the Implementing Decision; or

(b) a process other than the process referred to in point (a), provided that it uses comparable security levels and provided that the public or private body referred to in paragraph 1 notifies that process to the F12 supervisory body. That process may be used only in the absence of standards referred to in point (a) or when a security evaluation process referred to in point (a) is ongoing.

F13 In this paragraph “the Implementing Decision” means Commission Implementing Decision (EU) 2016/650 laying down standards for the security assessment of qualified signature and seal creation devices.

F14 4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Article 31 Publication of a list of certified qualified electronic signature creation devices

F15 1. A body designated under Article 30(1) must notify the supervisory body as soon as reasonably practicable of any certification of conformity that it makes, or cancels, for the purposes of Article 30.

2. The supervisory body must maintain and publish a list of electronic signature creation devices the certification of which is notified to it under paragraph 1.

F16 3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Article 32 Requirements for the validation of qualified electronic signatures

1. The process for the validation of a qualified electronic signature shall confirm the validity of a qualified electronic signature provided that:

(a) the certificate that supports the signature was, at the time of signing, a qualified certificate for electronic signature complying with Annex I;

(b) the qualified certificate was issued by a qualified trust service provider and was valid at the time of signing;

(c) the signature validation data corresponds to the data provided to the relying party;

(d) the unique set of data representing the signatory in the certificate is correctly provided to the relying party;

(e) the use of any pseudonym is clearly indicated to the relying party if a pseudonym was used at the time of signing;

(f) the electronic signature was created by a qualified electronic signature creation device;

(g) the integrity of the signed data has not been compromised;

(h) the requirements provided for in Article 26 were met at the time of signing.

2. The system used for validating the qualified electronic signature shall provide to the relying party the correct result of the validation process and shall allow the relying party to detect any security relevant issues.

F17 3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Article 33 Qualified validation service for qualified electronic signatures

1. A qualified validation service for qualified electronic signatures may only be provided by a qualified trust service provider who:

(a) provides validation in compliance with Article 32(1); and

(b) allows relying parties to receive the result of the validation process in an automated manner, which is reliable, efficient and bears the advanced electronic signature or advanced electronic seal of the provider of the qualified validation service.

F18 2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Article 34 Qualified preservation service for qualified electronic signatures

1. A qualified preservation service for qualified electronic signatures may only be provided by a qualified trust service provider that uses procedures and technologies capable of extending the trustworthiness of the qualified electronic signature beyond the technological validity period.

F19 2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .