Trusted List Scheme Rules

From the Electronic Documents Law:

Chapter IV
Certificate Service Providers and Trusted Certification Service Providers

Section 8.  Certification Service Providers

(1) A certification service provider is a natural or legal person, who provides certification services without the receipt of a special permit.
(2) Accreditation of a certification service provider is voluntary.
(3) A certification service provider shall be considered to be trustworthy if he or she conforms to all the requirements of Section 9 of this Law.

Section 9.  Trusted Certification Service Provider

A trusted certification service provider shall be considered to be a natural or legal person who conforms to all of the following requirements:
1) utilises trustworthy personnel who have the necessary specialised knowledge, experience and qualifications for the provision of certification services, who have become acquainted with the relevant security provisions for the provision of certification services, and have not been convicted for the intentional committing of a criminal offence;
2) utilises trustworthy and secure information systems and products which are appropriately protected against unauthorised access and modification;
3) maintains sufficient financial resources in order to implement this Law and the regulatory enactment requirements issued on the basis of this Law, and shall insure itself for civil liability in order to be able to compensate losses caused to persons due to wrongful purpose or negligence;
4) is accredited with the State Data Inspection (hereinafter also – supervisory institution) in accordance with the procedures specified in this Law;
5) ensures the continuous on-line accessibility of the signature-verification data register;
6) ensures the possibility of immediate revocation, suspension of operation and renewal of qualified certificates in the cases specified in this Law;
7) ensures that at any moment the date and time of the issuance, revocation, suspension of operation and renewal of qualified certificates can be determined;
8) utilises a secure system for qualified certificate storage in a verifiable form and shall ensure that:
a) only the authorised persons of the trusted certification service provider may make entries or their changes,
b) it is possible to check and determine changes in information,
c) the qualified certificates issued are not publicly accessible, except in a case where the written consent of the signatory has been obtained,
d) any technical changes that affect security requirements are apparent to the systems administrator, and
e) such technology is utilised as will ensure that when using electronic signature-creation data they can never be copied;
9) in stamping the electronic document with a time stamp, ensures the possibility to specify without doubt the date and time of the received electronic document; and
10) ensures that the time-stamp does not alter the signed electronic document.

Section 10.  Accreditation of Trusted Certification Service Providers

In order to receive accreditation, the following documents shall be submitted to the supervisory institution:
1) a written application;
2) the certification service provision regulations;
3) a description of the certification service provision information system and procedure security;
4) an examination opinion of the certification service provision information system and procedure security; and
5) a document that certifies the fulfilment of the requirements of Section 9, Clause 3 of this Law.

Section 11.  Certification Service Provision Regulations

(1) The certification service provision regulations shall include:
1) the firm name of the trusted certification service provider, registration number or given name, surname, personal identity number, telephone address and electronic mail address;
2) information regarding the information system, equipment, technology, computer programmes to be utilised for the provision of certification services and the documents certifying their right of use;
3) a model trusted certification service provider and signatory contract;
4) information regarding the issuing procedures for qualified certificates and their security;
5) information regarding various possibilities of restricting the use of the secure electronic signature by the signatory;
6) information regarding the revocation, suspension of operation and renewal procedures for qualified certificates;
7) information regarding the technical and technological possibilities which are offered by the certification service provider in order to protect secure electronic signature-creation devices, electronic signature-verification data and qualified certificates from unlawful use;
8) information regarding the fact that in the continuous on-line free access regime, free access shall be ensured to the electronic signature-verification data and the issued, revoked, suspended and renewed certificate registers;
9) information regarding the stamping of electronic documents with a time-stamp and the security of the procedures thereof; and
10) information regarding the fact that in the continuous on-line regime, free access shall be ensured to the time-stamp register.
(2) If the information included in the certification service provision regulation changes, the trusted certification service provider shall, without delay, submit amendments to the certification service provision regulations to the supervisory institution.

Section 12.  Description of the Certification Service Provision Information System, Equipment and Procedure Security

(1) Information to be indicated in the description of the certification service provision information system, equipment and procedure security shall be determined by the Cabinet.
(2) If the information indicated in the description of the certification service provision information system, equipment and procedure security changes, the trusted certification service provider shall, without delay, submit amendments to the description of the certification service provision information system, equipment and procedure security to the supervisory institution.

Section 13.  Examination of the Certification Service Provision Information System, Equipment and Procedure Security

(1) The examination of the certification service provision information system, equipment and procedure security and the opinion regarding such shall be provided by an expert who is included in a list approved by the supervisory institution.
(2) The list approved by the supervisory institution shall include persons who conform to all of the following requirements:
1) he or she has the technical possibility to specify the conformity of the certification service provision information system, equipment and procedure security to the requirements of regulatory enactments;
2) he or she is legally and financially independent from trusted certification service providers and supervisory institutions;
3) he or she or his or her employed personnel have the necessary knowledge; and
4) he or she is not engaged in the manufacture and supply of certification service provision information systems and other information technologies.
(3) Procedures for the examination of certification service provision information system, equipment and procedure security and time periods shall be determined by the Cabinet.

Section 14.  Civil Liability Insurance

(1) It is mandatory to insure against the possible risk of losses associated with the activities of a trusted certification service provider.
(2) The insurance of the risk of the activities of a trusted certification service provider shall secure claims, which may arise in relation to his or her activities.
(3) The trusted certification service provider shall enter into an insurance contract prior to receipt of accreditation, and the insurance contract shall be maintained in effect for the whole of the time period of the provision of certification services.
(4) If as a result of the actions or inaction of the trusted certification service provider, losses are incurred, the insurance company on the basis of the insurance contract shall cover such losses from the insurance compensation of the trusted certification service provider.
(5) The Cabinet shall determine the minimum amount of insurance and the procedures for calculating insurance compensation.

Section 15.  Personal Data Protection

(1) A certification service provider may only acquire the personal data directly from the signatory or from a third person if the signatory has consented to this.
(2) A certification service provider may only process the personal data for the purpose of issuing and maintaining a certificate.
(3) A certification service provider may not process the personal data for other purposes without the consent of the signatory.

Page last updated: June 11, 2013 09:36 PM