The COVID-19 crisis has highlighted the need for remote identification methods to apply for qualified electronic certificates. Royal Decree-Law (“RD-L”) 11/2020 temporarily allowed remote identification during the state of emergency.
RD-L 28/2020 then modified the 2003 Electronic Signature Act and provided for the adoption of a ministerial order establishing these remote identification means on a permanent basis. Under this provision, which was subsequently introduced in article 7(2) of Act 6/2020 regulating certain aspects of electronic trust services (the “Trust Services Act”, currently in force), the Ministry of Economic Affairs and Digital Transformation published the “Draft Order on remote identification means for the issuance of qualified electronic certificates” (the “Draft”).
The Draft, which is still pending approval, tentatively proposes a set of requirements for the remote identification of qualified electronic certificate applicants providing equivalent assurance in terms of reliability to physical presence. Below we provide an overview of the main points of the Draft.
EU law on electronic identification and trust services (the eIDAS Regulation and its implementing provisions) allows Member States to verify the identity of qualified electronic certificate applicants (“QEC Applicants”) using “identification methods recognized at national level,” providing equivalent assurance in terms of reliability to physical presence.
The Draft intends to implement article 7(2) of the Trust Services Act, which is worded as follows:
“An Order from the Ministry of Economic Affairs and Digital Transformation will provide the technical verification conditions and requirements for the remote identification of QEC Applicants including, where appropriate, other applicant’s attributes verified through other means like videoconference or video identification, providing equivalent assurance in terms of reliability to physical presence according to a conformity assessment body (…)”.
Although it is a draft that can still be amended, below we set out its defining features.
- Purpose. As noted above, the Draft seeks to “regulate the minimum technical conditions and requirements for the remote identification of QEC Applicants, including other applicant’s attributes, through methods providing equivalent assurance, in terms of reliability, to physical presence.”
- Scope. The Draft covers public and private qualified service providers based in Spain, residents in Spain and those with a permanent establishment in Spain (jointly, the “Providers”). The Draft also allows for outsourcing the performance of identification procedures, although without modifying the Providers’ liability regime.
- The Draft provides two remote identification systems: (i) agent-assisted identification; and (ii) non-assisted identification, without online interaction, including subsequent review by an agent. A certified body will perform the assessments and verify the Providers’ compliance with the requirements.
- Security requirements. The Draft requires Providers to (i) carry out a yearly risk assessment; (ii) implement technical and organizational measures; and (iii) record, in writing, their systems’ security features. Providers must also notify supervisory bodies of any breach of security or loss of integrity impacting the service. They must notify supervisory bodies immediately or within 24 hours after having become aware of the security breach or loss of integrity.
- How are QEC Applicants identified?
According to the Draft, QEC Applicants must use their national identification document (“DNI”), and the Provider should verify the applicant’s security features during the remote video identification. Beforehand, the Provider should give the QEC Applicant clear information about the security terms, conditions and recommendations regarding the process. The Provider must also obtain the Applicant’s express consent to the process and the recordings, adopting measures to ensure privacy throughout the process.
The QEC Applicant’s identification process must be recorded in full without interruptions, with a clear and clean image. Also, the date and time should be recorded through a qualified electronic time stamp.
- Verification of the QEC Applicant’s identity, attributes and DNI
The Provider must verify the authenticity, validity and integrity of the Applicant’s DNI, as well as whether it belongs to the Applicant. The Provider will also adopt measures to (i) mitigate discrepancies regarding the QEC Applicant’s identity (e.g., stolen documents); and (ii) detect any manipulations of the video, the DNI or the Applicant. During registration, the Provider will verify the QEC Applicant’s identification data through the platforms provided by the Secretariat of State for Digitalization and Artificial Intelligence or the competent supervisory body.
We will wait until the final approval of the Ministerial Order to confirm the legal framework applicable to electronic identification processes regarding qualified certificates for electronic signatures. These processes are extremely necessary nowadays, but they still give rise to legal concerns in addition to the general uncertainty of the online environment.
Authors: Claudia Morgado and Raúl Pérez.