This is the original version (as it was originally made). This item of legislation is currently only available in its original format.
BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!
[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback] | ||
United Kingdom Statutory Instruments |
||
You are here: BAILII >> Databases >> United Kingdom Statutory Instruments >> The Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2019 URL: http://www.bailii.org/uk/legis/num_reg/2019/uksi_201989_en_1.html |
[New search] [Printable PDF version] [Help]
This is the original version (as it was originally made). This item of legislation is currently only available in its original format.
Statutory Instruments
Exiting The European Union
Electronic Communications
Sift requirements satisfied
7th January 2019
Made
22nd January 2019
Laid before Parliament
23rd January 2019
Coming into force in accordance with regulation 1
The Secretary of State makes these Regulations in exercise of the powers conferred by section 8(1) of, and paragraph 21 of Schedule 7 to, the European Union (Withdrawal) Act 2018(1).
The requirements of paragraph 3(2) of Schedule 7 to that Act (relating to the appropriate Parliamentary procedure for these Regulations) have been satisfied.
1.-(1) These Regulations may be cited as the Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2019.
(2) These Regulations come into force on exit day.
(3) In these Regulations, "the eIDAS Regulation" means Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
2.-(1) In the Schedule-
(a)Part 1 amends the eIDAS Regulation;
(b)Part 2 amends or revokes other retained direct EU legislation;
(c)Part 3 amends the agreement on the European Economic Area, so far as it applies or adapts measures amended or revoked by Part 1 or 2;
(d)Part 4 amends related domestic legislation.
(2) An amendment or revocation made by the Schedule has the same extent as the provision amended or revoked.
Margot James
Minister for Digital and the Creative Industries
Department for Digital, Culture, Media and Sport
22nd January 2019
Regulation 2
1. The eIDAS Regulation is amended as follows.
2. In Article 1-
(a)in the words before point (a)-
(i)omit "internal";
(ii)omit "electronic identification means and";
(b)omit paragraph (a).
3. In Article 2-
(a)omit paragraph 1;
(b)in paragraph 2, for "resulting from national law" substitute "by operation of law";
(c)in paragraph 3, for "national or Union" substitute "the".
4.-(1) Article 3 is amended as follows.
(2) Omit point (4).
(3) In point (6), omit "an electronic identification or".
(4) In point (8), for the words from "means" to the end substitute "has the same meaning as in the Public Contracts Regulations 2015 (S.I. 2015/102)(2) (see the definition of "bodies governed by public law" in regulation 2(1) of those Regulations);".
(5) After point (41) insert-
"(42) ‘the equivalent EU law' means Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC(3), or any instrument replacing that Regulation, as it has effect in EU law from time to time.".
5. Omit Article 4.
6. Omit Article 5.
7. Omit Chapter II.
8. In Article 13-
(a)in paragraph 1, in the first subparagraph, after "trust service providers" insert "established in the United Kingdom or in the EU";
(b)in paragraph 3, for "national rules on liability" substitute "general principles of liability in tort or delict".
9. Omit Article 14.
10. Omit Article 15.
11. Omit Article 16.
12.-(1) Article 17 is amended as follows.
(2) Omit paragraphs 1 and 2.
(3) In paragraph 3-
(a)in the words before point (a), after "supervisory body" insert "(as assigned to the Information Commissioner by regulation 3 of the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696)(4))";
(b)in points (a) and (b), for "territory of the designating Member State" substitute "United Kingdom".
(4) In paragraph 4-
(a)omit point (a);
(b)in point (c), omit "other supervisory bodies and";
(c)omit point (d);
(d)in point (h), omit "national";
(5) For paragraph 5 substitute-
"1. The Secretary of State may give directions to the supervisory body requiring it to establish, maintain and update a trust infrastructure in accordance with the directions.".
(6) Omit paragraphs 6 to 8.
13. For Article 18 substitute-
1. The supervisory body may give information and assistance to, and otherwise co-operate with, a public authority in the EU if the supervisory body considers that to do so would be in the interests of effective regulation or supervision of trust services (whether inside or outside the United Kingdom).
2. Nothing in paragraph 1 authorises the processing of personal data other than in accordance with the data protection legislation.
In this paragraph, "processing", "personal data" and "the data protection legislation" have the meanings given by section 3 of the Data Protection Act 2018(5).".
14.-(1) Article 19 is amended as follows.
(2) In paragraph 1, after "trust service providers" insert "established in the United Kingdom".
(3) In paragraph 2-
(a)in the first subparagraph-
(i)after "trust service providers" insert "established in the United Kingdom";
(ii)omit the words from "and, where applicable" to "data protection authority,";
(b)omit the third subparagraph.
(4) Omit paragraphs 3 and 4.
15. In Article 20-
(a)in paragraph 3, for "lists" substitute "list";
(b)omit paragraph 4.
16. In Article 21-
(a)in paragraph 1, after "providers" insert "established in the United Kingdom";
(b)in paragraph 2, in the second subparagraph, for "lists" substitute "list";
(c)in paragraph 3, for "lists" substitute "list";
(d)omit paragraph 4.
17. For Article 22 substitute-
1. The Secretary of State must make arrangements for the maintenance and publication of a trusted list, containing information relating to qualified trust service providers and the qualified trust services provided by them.
2. The arrangements must provide for the maintenance and publication of the trusted list, in a secured manner, in a form that is electronically signed or sealed and suitable for automated processing.
3. The arrangements must provide for a body to be responsible for the maintenance and publication of the trusted list.
4. The arrangements may provide for the trusted list to include information relating to trust service providers established in the United Kingdom that do not have qualified status, and the trust services provided by them. Where the arrangements do so, they must also provide for the list to indicate clearly which providers and services are not qualified.
5. The arrangements must provide for the publication, in a form that is electronically signed or sealed and suitable for automated processing, of:
(a)information on the body referred to in paragraph 3, and
(b)details of where the trusted list is published, the certificates used to sign or seal the list, and any changes thereto.
6. The trusted list maintained under this Article is initially to consist of the information that was in the list maintained immediately before exit day under Article 22 of this Regulation as it then had effect.".
18. Omit Article 23.
19.-(1) Article 24 is amended as follows.
(2) In paragraph 1-
(a)in the first subparagraph, omit "and in accordance with national law";
(b)in the second subparagraph-
(i)in the words before point (a), omit "in accordance with national law";
(ii)in point (b), for the words from "set out" to "‘high'" substitute "for the assurance levels ‘substantial' or ‘high' under the equivalent EU law so far as relating to electronic identification schemes (or would meet those requirements if they were not predicated on the doing of anything in, or by, a member State)";
(iii)in point (d), omit "recognised at a national level".
(3) In paragraph 2-
(a)in point (c), omit ", in accordance with national law";
(b)in point (j), omit "in accordance with Directive 95/46/EC".
(4) Omit paragraph 5.
20. After Article 24 insert-
1. For the purposes of Articles 25(2), 27, 35(2), 37, 41(2) and 43(2) (and any implementing measures having effect for the purposes of those provisions), anything which is not qualified under this Regulation is to be treated as qualified if:
(a)it is qualified under the equivalent EU law, or
(b)the application of any one or more of the assumptions in paragraph 2 would result in its being qualified under either this Regulation or the equivalent EU law.
2. The assumptions are:
(a)to the extent that being qualified depends on anything being done by a qualified trust services provider, that a trust services provider with qualified status under this Regulation has qualified status under the equivalent EU law (and vice versa);
(b)to the extent that being qualified depends on any related service, device, process or record being qualified, that any such thing that is qualified under this Regulation is qualified under the equivalent EU law (and vice versa);
(c)to the extent that being qualified depends on meeting any technical standard or requirement, that anything meeting such a standard or requirement under this Regulation meets any corresponding standard or requirement under the equivalent EU law (and vice versa).
3. For the purposes of this Article, a trust service is not to be regarded as being qualified under the equivalent EU law if it is qualified (or is treated as such) only by virtue of provision for the recognition of trust services provided by entities established outside the EU pursuant to an international agreement to which the EU is party.".
21. In Article 25, omit paragraph 3.
22.-(1) Article 27 is amended as follows.
(2) For paragraphs 1 to 3 substitute-
"1. If a public sector body requires an advanced electronic signature for the use of an online service offered by or on behalf of that body (but does not require it to be based on a qualified certificate for electronic signature), the body must recognise any advanced electronic signature (whether or not based on a qualified certificate for electronic signature) that complies with the Implementing Decision.
2. If a public sector body requires an advanced electronic signature based on a qualified certificate for electronic signature to use an online service offered by or on behalf of that body, the body must recognise any advanced electronic signature based on a qualified certificate for electronic signature, or any qualified electronic signature, that complies with the Implementing Decision.
3. If a public sector body requires an electronic signature to use an online service offered by or on behalf of that body, the body may not, for the use of that service from a place outside the United Kingdom, require the signature to be at a higher security level than that of a qualified electronic signature.".
(3) Omit paragraph 4.
(4) For paragraph 5 substitute-
"5. In this Article "the Implementing Decision" means Commission Implementing Decision (EU) 2015/1506 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies(6).".
23. In Article 28, omit paragraphs 2, 5 and 6.
24. In Article 29, omit paragraph 2.
25.-(1) Article 30 is amended as follows.
(2) In paragraph 1, for "Member States" substitute "a person appointed for that purpose by the Secretary of State ("the appointed person")".
(3) For paragraph 2 substitute-
"2. The appointed person must notify the supervisory body of the name and address of any body the person designates under paragraph 1.
2A. The supervisory body must maintain a list of the names and addresses of the designated bodies notified to it under paragraph 2.".
(4) In paragraph 3-
(a)in the first subparagraph-
(i)in point (a), for the words from "carried out" to "subparagraph" substitute "that complies with the Implementing Decision";
(ii)in point (b), for "Commission" substitute "supervisory body";
(b)for the second subparagraph substitute-
"In this paragraph "the Implementing Decision" means Commission Implementing Decision (EU) 2016/650 laying down standards for the security assessment of qualified signature and seal creation devices(7).".
(5) Omit paragraph 4.
26. In Article 31-
(a)for paragraphs 1 and 2 substitute-
"1. A body designated under Article 30(1) must notify the supervisory body as soon as reasonably practicable of any certification of conformity that it makes, or cancels, for the purposes of Article 30.
2. The supervisory body must maintain and publish a list of electronic signature creation devices the certification of which is notified to it under paragraph 1.";
(b)omit paragraph 3.
27. In Article 32, omit paragraph 3.
28. In Article 33, omit paragraph 2.
29. In Article 34, omit paragraph 2.
30. In Article 35, omit paragraph 3.
31.-(1) Article 37 is amended as follows.
(2) For paragraphs 1 to 3 substitute-
"1. If a public sector body requires an advanced electronic seal for the use of an online service offered by or on behalf of that body (but does not require it to be based on a qualified certificate for electronic seal), the body must recognise any advanced electronic seal (whether or not based on a qualified certificate for electronic seal) that complies with the Implementing Decision.
2. If a public sector body requires an advanced electronic seal based on a qualified certificate for electronic seal to use an online service offered by or on behalf of that body, the body must recognise any advanced electronic seal based on a qualified certificate for electronic seal, or any qualified electronic seal, that complies with the Implementing Decision.
3. If a public sector body requires an electronic seal to use an online service offered by or on behalf of that body, the body may not, for the use of that service from a place outside the United Kingdom, require the seal to be at a higher security level than that of a qualified electronic seal.".
(3) Omit paragraph 4.
(4) For paragraph 5 substitute-
"5. In this Article "the Implementing Decision" means Commission Implementing Decision (EU) 2015/1506 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies(8).".
32. In Article 38, omit paragraphs 2, 5 and 6.
33. In Article 41, omit paragraph 3.
34. In Article 42, omit paragraph 2.
35. In Article 44, omit paragraph 2.
36. In Article 45, omit paragraph 2.
37. Omit Chapter V.
38. Omit Article 49.
39. In Article 51, omit paragraphs 3 and 4.
40. In Article 52, omit paragraphs 3 and 4.
41. After Article 52, omit the words from "This Regulation" to "Member States.".
42. In Annex I, in point (b), omit ", the Member State in which that provider is established and".
43. In Annex III, in point (b), omit "the Member State in which that provider is established and".
44. In Annex IV, in point (b), omit "the Member State in which that provider is established and".
45. Commission Decision of 16 October 2009 setting out measures facilitating the use of procedures by electronic means through the ‘points of contact' under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market (2009/767/EC) is revoked.
46. Commission Decision of 28 July 2010 amending Decision 2009/767/EC as regards the establishment, maintenance and publication of trusted lists of certification service providers supervised/accredited by Member States (2010/425/EU) is revoked.
47. Commission Decision of 27 April 2011 establishing minimum requirements for the cross-border processing of documents signed electronically by competent authorities under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market (2011/130/EU) is revoked.
48. Commission Implementing Decision of 14 October 2013 amending Decision 2009/767/EC as regards the establishment, maintenance and publication of trusted lists of certification service providers supervised/accredited by Member States (2013/662/EU) is revoked.
49. Commission Implementing Decision of 17 March 2014 amending Decision 2011/130/EU establishing minimum requirements for the cross-border processing of documents signed electronically by competent authorities under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market is revoked.
50. Commission Implementing Decision (EU) 2015/296 of 24 February 2015 establishing procedural arrangements for cooperation between Member States on electronic identification pursuant to Article 12(7) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market is revoked.
51. Commission Implementing Regulation (EU) 2015/806 of 22 May 2015 laying down specifications relating to the form of the EU trust mark for qualified trust services is revoked.
52. Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework pursuant to Article 12(8) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market is revoked.
53. Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification pursuant to Article 8(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market is revoked.
54. Commission Implementing Decision (EU) 2015/1505 laying down technical specifications and formats relating to trusted lists pursuant to Article 22(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market is revoked.
55.-(1) Commission Implementing Decision (EU) 2015/1506 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies(9) is amended as follows.
(2) In Article 1-
(a)for the words from the beginning to "recognise" substitute "A signature complies with this Decision if it is an";
(b)for "those signatures comply" substitute "it complies".
(3) In Article 2-
(a)for paragraph 1 substitute-
"1. A signature also complies with this Decision if it is in a format other than those referred to in Article 1, provided that:
(a)the trust service provider used by the signatory is established in the United Kingdom or the EU, and
(b)the public sector body in question is offered signature validation possibilities in accordance with paragraph 2, suitable, where possible, for automated processing.";
(b)in paragraph 2-
(i)in point (a), for "other Member States" substitute "the public sector body";
(ii)in point (c)-
(aa)in point (1), for the words from "that supports" (in the second place it occurs) to "provider" substitute "met, at the time of signing, all necessary requirements for qualified status";
(bb)in point (7), after "Regulation (EU) No 910/2014" insert ", or the corresponding provision of the equivalent EU law (within the meaning given by Article 3(42) of that Regulation),".
(4) In Article 3-
(a)for the words from the beginning to "recognise" substitute "A seal complies with this Decision if it is an";
(b)for "those comply" substitute "it complies".
(5) In Article 4-
(a)for paragraph 1 substitute-
"1. A seal also complies with this Decision if it is in a format other than those referred to in Article 3, provided that:
(a)the trust service provider used by the creator of the seal is established in the United Kingdom or the EU, and
(b)the public sector body in question is offered seal validation possibilities in accordance with paragraph 2, suitable, where possible, for automated processing.";
(b)in paragraph 2-
(i)in point (a), for "other Member States" substitute "the public sector body";
(ii)in point (c)-
(aa)in point (1), for the words from "that supports" (in the second place it occurs) to "provider" substitute "met, at the time of sealing, all necessary requirements for qualified status";
(bb)in point (7), after "Regulation (EU) No 910/2014" insert ", or the corresponding provision of the equivalent EU law (within the meaning given by Article 3(42) of that Regulation),".
(6) After Article 5, omit the words from "This Decision" to "Member States.".
56. Commission Implementing Decision (EU) 2015/1984 of 3 November 2015 defining the circumstances, formats and procedures of notification pursuant to Article 9(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market is revoked.
57.-(1) Commission Implementing Decision (EU) 2016/650 laying down standards for the security assessment of qualified signature and seal creation devices(10) is amended as follows.
(2) In Article 1(2)-
(a)omit the words from the beginning until "seal creation devices,";
(b)omit the words from "and that is notified" to the end.
58.-(1) The Agreement on the European Economic Area signed at Oporto on 2 May 1992, so far as it forms part of domestic law by virtue of section 3(2)(b) of the European Union (Withdrawal) Act 2018, is amended as follows.
(2) In Annex X, omit points 1b and 1c.
(3) In Annex XI, in point 5l, omit the second subparagraph.
59.-(1) The European Union (Recognition of Professional Qualifications) Regulations 2015(11) are amended as follows.
(2) In regulation 5(8) (electronic signatures), for the words from "accept" to the end substitute "act in accordance with Article 27 of that Regulation (and for this purpose the completion of the procedures is to be treated as the use of an online service to which that Article applies).".
60. In the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016(12), omit regulation 6(2) (review of eIDAS Regulation to have regard to implementation in other Member States).
(This note is not part of the Regulations)
These Regulations amend Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (the "eIDAS Regulation") as retained by the European Union (Withdrawal) Act 2018. They revoke the provisions relating to electronic identification; they amend the provisions relating to trust services for electronic transactions.
Chapter II of the eIDAS Regulation provides for the mutual recognition and interoperability between EU Member States pertaining to the use of electronic identity schemes. It requires that public sector digital services using electronic identities above a described assurance level must accept electronic identities from ‘notified' schemes in other EU Member States. Notification is a process whereby Member States choose to have their electronic identity scheme recognised and accepted by the other Member States.
These provisions are being revoked because Chapter II of the eIDAS Regulation establishes reciprocal arrangements between public bodies in the UK and EU Member States that will no longer be appropriate once the UK has withdrawn from the UK. The UK will no longer be an EU Member State following the UK's withdrawal from the EU and will therefore no longer have access to the mutual recognition and interoperability framework for electronic identification provided by the eIDAS Regulation. Accordingly, the implementing legislation that gives effect to Chapter II of the eIDAS Regulation is also being revoked. These amendments are necessary in order to remove these deficient provisions from the UK statute book.
Chapter III provides for the mutual recognition and interoperability between EU Member States of trust services, encompassing electronic signatures, electronic seals, electronic time stamps, electronic registered delivery and website authentication. These Regulations retain and amend Chapter III so as to preserve the regulatory framework for UK trust services and to ensure that EU products and services will continue to be available for use in the UK, thus ensuring the effective operation of retained EU law.
In particular, these Regulations preserve the functions of the Information Commissioner's Office (ICO), who is the supervisory body for trust services in the UK. Obligations on the ICO to share information and provide other forms of assistance to the ICO's EU counterparts are revoked and replaced with a power to share information in the interests of effective regulation or supervision of trust services. Redundant provisions relating to intra-EU reciprocal arrangements as well as to recognition of trust services from third countries outside the EU are revoked. These amendments are necessary in order to remove the deficient provisions from the UK statute book and to ensure the effective operation of retained EU law.
The implementing legislation that gives effect to the eIDAS Regulation is also being revoked, with the exception of Commission Implementing Decisions 2015/1506 and 2016/650 which are being retained to ensure the effective operation of the retained trust services provisions. The revocations are necessary in order to remove deficient provisions from the UK statute book.
Chapter IV provides that electronic documents are not denied legal effect or admissibility as evidence in legal proceedings solely on the basis that they are in electronic form. Chapter IV is retained in order the effective operation of retained EU law.
S.I. 2015/102 was amended by S.I. 2016/275 and 2016/696; there are other amending instruments, but none is relevant.
OJ No. L 257, 28.8.2014, p. 73.
Regulation 3 was amended by section 211(1)(b) of, and paragraphs 403 and 405 of Schedule 19 to, the Data Protection Act 2018 (c. 12).
The full title of the instrument is Commission Implementing Decision (EU) 2015/1506 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies pursuant to Articles 27(5) and 37(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market. The reference to Articles 27(5) and 37(5) of Regulation (EU) No 910/2014 is to those Articles as they had effect when the Decision was adopted.
The full title of the instrument is Commission Implementing Decision (EU) 2016/650 laying down standards for the security assessment of qualified signature and seal creation devices pursuant to Articles 30(3) and 39(2) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market. The reference to Articles 30(3) and 39(2) of Regulation (EU) No 910/2014 is to those Articles as they had effect when the Decision was adopted.
The full title of the instrument is Commission Implementing Decision (EU) 2015/1506 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies pursuant to Articles 27(5) and 37(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market. The reference to Articles 27(5) and 37(5) of Regulation (EU) No 910/2014 is to those Articles as they had effect when the Decision was adopted.
The full title of the instrument is Commission Implementing Decision (EU) 2015/1506 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies pursuant to Articles 27(5) and 37(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market. The reference to Articles 27(5) and 37(5) of Regulation (EU) No 910/2014 is to those Articles as they had effect when the Decision was adopted.
The full title of the instrument is Commission Implementing Decision (EU) 2016/650 laying down standards for the security assessment of qualified signature and seal creation devices pursuant to Articles 30(3) and 39(2) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market. The reference to Articles 30(3) and 39(2) of Regulation (EU) No 910/2014 is to those Articles as they had effect when the Decision was adopted.
S.I. 2016/696, amended by paragraphs 403 to 406 of Schedule 19 to the Data Protection Act 2018 (c. 12).