The Electronic Signatures Regulations 2002

(Regulation 2)

SCHEDULE 1(Annex I to the Directive)

REQUIREMENTS FOR QUALIFIED CERTIFICATES

Qualified certificates must contain:

(a)an indication that the certificate is issued as a qualified certificate;

(b)the identification of the certification-service-provider and the State in which it is established;

(c)the name of the signatory or a pseudonym, which shall be identified as such;

(d)provision for a specific attribute of the signatory to be included if relevant, depending on the purpose for which the certificate is intended;

(e)signature-verification data which correspond to signature-creation data under the control of the signatory;

(f)an indication of the beginning and end of the period of validity of the certificate;

(g)the identity code of the certificate;

(h)the advanced electronic signature of the certification-service-provider issuing it;

(i)limitations on the scope of use of the certificate, if applicable; and

(j)limits on the value of transactions for which the certificate can be used, if applicable.

(Regulation 2)

SCHEDULE 2(Annex II to the Directive)

REQUIREMENTS FOR CERTIFICATION-SERVICE-PROVIDERS ISSUING QUALIFIED CERTIFICATES

Certification-service-providers must:

(a)demonstrate the reliability necessary for providing certification services;

(b)ensure the operation of a prompt and secure directory and a secure and immediate revocation service;

(c)ensure that the date and time when a certificate is issued or revoked can be determined precisely;

(d)verify, by appropriate means in accordance with national law, the identity and, if applicable, any specific attributes of the person to which a qualified certificate is issued;

(e)employ personnel who possess the expert knowledge, experience, and qualifications necessary for the services provided, in particular competence at managerial level, expertise in electronic signature technology and familiarity with proper security procedures; they must also apply administrative and management procedures which are adequate and correspond to recognised standards;

(f)use trustworthy systems and products which are protected against modification and ensure the technical and cryptographic security of the process supported by them;

(g)take measures against forgery of certificates, and, in cases where the certification-service-provider generates signature-creation data, guarantee confidentiality during the process of generating such data;

(h)maintain sufficient financial resources to operate in conformity with the requirements laid down in the Directive, in particular to bear the risk of liability for damages, for example, by obtaining appropriate insurance;

(i)record all relevant information concerning a qualified certificate for an appropriate period of time, in particular for the purpose of providing evidence of certification for the purposes of legal proceedings. Such recording may be done electronically;

(j)not store or copy signature-creation data of the person to whom the certification-service-provider provided key management services;

(k)before entering into a contractual relationship with a person seeking a certificate to support his electronic signature inform that person by a durable means of communication of the precise terms and conditions regarding the use of the certificate, including any limitations on its use, the existence of a voluntary accreditation scheme and procedures for complaints and dispute settlement. Such information, which may be transmitted electronically, must be in writing and in readily understandable language. Relevant parts of this information must also be made available on request to third parties relying on the certificate;

(l)use trustworthy systems to store certificates in a verifiable form so that:

• only authorised persons can make entries and changes,

• information can be checked for authenticity,

• certificates are publicly available for retrieval in only those cases for which the certificate-holder’s consent has been obtained, and

• any technical changes compromising these security requirements are apparent to the operator.