The Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2019

PART 1The eIDAS Regulation

1.  The eIDAS Regulation is amended as follows.

2.  In Article 1—

(a)in the words before point (a)—

(i)omit “internal”;

(ii)omit “electronic identification means and”;

(b)omit paragraph (a).

3.  In Article 2—

(a)omit paragraph 1;

(b)in paragraph 2, for “resulting from national law” substitute “by operation of law”;

(c)in paragraph 3, for “national or Union” substitute “the”.

4.—(1) Article 3 is amended as follows.

(2) Omit point (4).

(3) In point (6), omit “an electronic identification or”.

(4) In point (8), for the words from “means” to the end substitute “has the same meaning as in the Public Contracts Regulations 2015 (S.I. 2015/102)(1) (see the definition of “bodies governed by public law” in regulation 2(1) of those Regulations);”.

(5) After point (41) insert—

“(42) ‘the equivalent EU law’ means Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC(2), or any instrument replacing that Regulation, as it has effect in EU law from time to time.”.

5.  Omit Article 4.

6.  Omit Article 5.

7.  Omit Chapter II.

8.  In Article 13—

(a)in paragraph 1, in the first subparagraph, after “trust service providers” insert “established in the United Kingdom or in the EU”;

(b)in paragraph 3, for “national rules on liability” substitute “general principles of liability in tort or delict”.

9.  Omit Article 14.

10.  Omit Article 15.

11.  Omit Article 16.

12.—(1) Article 17 is amended as follows.

(2) Omit paragraphs 1 and 2.

(3) In paragraph 3—

(a)in the words before point (a), after “supervisory body” insert “(as assigned to the Information Commissioner by regulation 3 of the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696)(3))”;

(b)in points (a) and (b), for “territory of the designating Member State” substitute “United Kingdom”.

(4) In paragraph 4—

(a)omit point (a);

(b)in point (c), omit “other supervisory bodies and”;

(c)omit point (d);

(d)in point (h), omit “national”;

(5) For paragraph 5 substitute—

“1.  The Secretary of State may give directions to the supervisory body requiring it to establish, maintain and update a trust infrastructure in accordance with the directions.”.

(6) Omit paragraphs 6 to 8.

13.  For Article 18 substitute—

“Co-operation with EU authorities

1.  The supervisory body may give information and assistance to, and otherwise co-operate with, a public authority in the EU if the supervisory body considers that to do so would be in the interests of effective regulation or supervision of trust services (whether inside or outside the United Kingdom).

2.  Nothing in paragraph 1 authorises the processing of personal data other than in accordance with the data protection legislation.

In this paragraph, “processing”, “personal data” and “the data protection legislation” have the meanings given by section 3 of the Data Protection Act 2018(4).”.

14.—(1) Article 19 is amended as follows.

(2) In paragraph 1, after “trust service providers” insert “established in the United Kingdom”.

(3) In paragraph 2—

(a)in the first subparagraph—

(i)after “trust service providers” insert “established in the United Kingdom”;

(ii)omit the words from “and, where applicable” to “data protection authority,”;

(b)omit the third subparagraph.

(4) Omit paragraphs 3 and 4.

15.  In Article 20—

(a)in paragraph 3, for “lists” substitute “list”;

(b)omit paragraph 4.

16.  In Article 21—

(a)in paragraph 1, after “providers” insert “established in the United Kingdom”;

(b)in paragraph 2, in the second subparagraph, for “lists” substitute “list”;

(c)in paragraph 3, for “lists” substitute “list”;

(d)omit paragraph 4.

17.  For Article 22 substitute—

“Trusted list

1.  The Secretary of State must make arrangements for the maintenance and publication of a trusted list, containing information relating to qualified trust service providers and the qualified trust services provided by them.

2.  The arrangements must provide for the maintenance and publication of the trusted list, in a secured manner, in a form that is electronically signed or sealed and suitable for automated processing.

3.  The arrangements must provide for a body to be responsible for the maintenance and publication of the trusted list.

4.  The arrangements may provide for the trusted list to include information relating to trust service providers established in the United Kingdom that do not have qualified status, and the trust services provided by them. Where the arrangements do so, they must also provide for the list to indicate clearly which providers and services are not qualified.

5.  The arrangements must provide for the publication, in a form that is electronically signed or sealed and suitable for automated processing, of:

(a)information on the body referred to in paragraph 3, and

(b)details of where the trusted list is published, the certificates used to sign or seal the list, and any changes thereto.

6.  The trusted list maintained under this Article is initially to consist of the information that was in the list maintained immediately before exit day under Article 22 of this Regulation as it then had effect.”.

18.  Omit Article 23.

19.—(1) Article 24 is amended as follows.

(2) In paragraph 1—

(a)in the first subparagraph, omit “and in accordance with national law”;

(b)in the second subparagraph—

(i)in the words before point (a), omit “in accordance with national law”;

(ii)in point (b), for the words from “set out” to “‘high’” substitute “for the assurance levels ‘substantial’ or ‘high’ under the equivalent EU law so far as relating to electronic identification schemes (or would meet those requirements if they were not predicated on the doing of anything in, or by, a member State)”;

(iii)in point (d), omit “recognised at a national level”.

(3) In paragraph 2—

(a)in point (c), omit “, in accordance with national law”;

(b)in point (j), omit “in accordance with Directive 95/46/EC”.

(4) Omit paragraph 5.

20.  After Article 24 insert—

“Article 24A

Recognition of EU standards etc.

1.  For the purposes of Articles 25(2), 27, 35(2), 37, 41(2) and 43(2) (and any implementing measures having effect for the purposes of those provisions), anything which is not qualified under this Regulation is to be treated as qualified if:

(a)it is qualified under the equivalent EU law, or

(b)the application of any one or more of the assumptions in paragraph 2 would result in its being qualified under either this Regulation or the equivalent EU law.

2.  The assumptions are:

(a)to the extent that being qualified depends on anything being done by a qualified trust services provider, that a trust services provider with qualified status under this Regulation has qualified status under the equivalent EU law (and vice versa);

(b)to the extent that being qualified depends on any related service, device, process or record being qualified, that any such thing that is qualified under this Regulation is qualified under the equivalent EU law (and vice versa);

(c)to the extent that being qualified depends on meeting any technical standard or requirement, that anything meeting such a standard or requirement under this Regulation meets any corresponding standard or requirement under the equivalent EU law (and vice versa).

3.  For the purposes of this Article, a trust service is not to be regarded as being qualified under the equivalent EU law if it is qualified (or is treated as such) only by virtue of provision for the recognition of trust services provided by entities established outside the EU pursuant to an international agreement to which the EU is party.”.

21.  In Article 25, omit paragraph 3.

22.—(1) Article 27 is amended as follows.

(2) For paragraphs 1 to 3 substitute—

“1.  If a public sector body requires an advanced electronic signature for the use of an online service offered by or on behalf of that body (but does not require it to be based on a qualified certificate for electronic signature), the body must recognise any advanced electronic signature (whether or not based on a qualified certificate for electronic signature) that complies with the Implementing Decision.

2.  If a public sector body requires an advanced electronic signature based on a qualified certificate for electronic signature to use an online service offered by or on behalf of that body, the body must recognise any advanced electronic signature based on a qualified certificate for electronic signature, or any qualified electronic signature, that complies with the Implementing Decision.

3.  If a public sector body requires an electronic signature to use an online service offered by or on behalf of that body, the body may not, for the use of that service from a place outside the United Kingdom, require the signature to be at a higher security level than that of a qualified electronic signature.”.

(3) Omit paragraph 4.

(4) For paragraph 5 substitute—

“5.  In this Article “the Implementing Decision” means Commission Implementing Decision (EU) 2015/1506 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies(5).”.

23.  In Article 28, omit paragraphs 2, 5 and 6.

24.  In Article 29, omit paragraph 2.

25.—(1) Article 30 is amended as follows.

(2) In paragraph 1, for “Member States” substitute “a person appointed for that purpose by the Secretary of State (“the appointed person”)”.

(3) For paragraph 2 substitute—

“2.  The appointed person must notify the supervisory body of the name and address of any body the person designates under paragraph 1.

2A.  The supervisory body must maintain a list of the names and addresses of the designated bodies notified to it under paragraph 2.”.

(4) In paragraph 3—

(a)in the first subparagraph—

(i)in point (a), for the words from “carried out” to “subparagraph” substitute “that complies with the Implementing Decision”;

(ii)in point (b), for “Commission” substitute “supervisory body”;

(b)for the second subparagraph substitute—

“In this paragraph “the Implementing Decision” means Commission Implementing Decision (EU) 2016/650 laying down standards for the security assessment of qualified signature and seal creation devices(6).”.

(5) Omit paragraph 4.

26.  In Article 31—

(a)for paragraphs 1 and 2 substitute—

“1.  A body designated under Article 30(1) must notify the supervisory body as soon as reasonably practicable of any certification of conformity that it makes, or cancels, for the purposes of Article 30.

2.  The supervisory body must maintain and publish a list of electronic signature creation devices the certification of which is notified to it under paragraph 1.”;

(b)omit paragraph 3.

27.  In Article 32, omit paragraph 3.

28.  In Article 33, omit paragraph 2.

29.  In Article 34, omit paragraph 2.

30.  In Article 35, omit paragraph 3.

31.—(1) Article 37 is amended as follows.

(2) For paragraphs 1 to 3 substitute—

“1.  If a public sector body requires an advanced electronic seal for the use of an online service offered by or on behalf of that body (but does not require it to be based on a qualified certificate for electronic seal), the body must recognise any advanced electronic seal (whether or not based on a qualified certificate for electronic seal) that complies with the Implementing Decision.

2.  If a public sector body requires an advanced electronic seal based on a qualified certificate for electronic seal to use an online service offered by or on behalf of that body, the body must recognise any advanced electronic seal based on a qualified certificate for electronic seal, or any qualified electronic seal, that complies with the Implementing Decision.

3.  If a public sector body requires an electronic seal to use an online service offered by or on behalf of that body, the body may not, for the use of that service from a place outside the United Kingdom, require the seal to be at a higher security level than that of a qualified electronic seal.”.

(3) Omit paragraph 4.

(4) For paragraph 5 substitute—

“5.  In this Article “the Implementing Decision” means Commission Implementing Decision (EU) 2015/1506 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies(7).”.

32.  In Article 38, omit paragraphs 2, 5 and 6.

33.  In Article 41, omit paragraph 3.

34.  In Article 42, omit paragraph 2.

35.  In Article 44, omit paragraph 2.

36.  In Article 45, omit paragraph 2.

37.  Omit Chapter V.

38.  Omit Article 49.

39.  In Article 51, omit paragraphs 3 and 4.

40.  In Article 52, omit paragraphs 3 and 4.

41.  After Article 52, omit the words from “This Regulation” to “Member States.”.

42.  In Annex I, in point (b), omit “, the Member State in which that provider is established and”.

43.  In Annex III, in point (b), omit “the Member State in which that provider is established and”.

44.  In Annex IV, in point (b), omit “the Member State in which that provider is established and”.