THE CROATIAN PARLIAMENT

2604

Pursuant to Article 88 of the Constitution of the Republic of Croatia, I hereby issue the

DECISION PROMULGATING THE ACT ON AMENDMENTS TO THE ELECTRONIC SIGNATURE ACT

I hereby promulgate the Act on Amendments to the Electronic Signature Act passed by the Croatian Parliament at its session on 2 July 2008.

Class: 011-01/08-01/73
No.: 71-05-03/1-08-2
Zagreb, 4 July 2008

The President of the Republic of Croatia
Stjepan Mesić, m.p.

THE ACT ON AMENDMENTS TO THE ELECTRONIC SIGNATURE ACT

Article 1

In the Electronic Signature Act (Official Gazette 10/02), in Article 2, paragraph 1, after item 2 a new item 3 is added which reads:

“3. A time stamp – is an electronically signed receipt of the issuer confirming the contents of the data it relates to in the stated period, and an advanced time stamp is an electronically signed receipt of the verifier which fulfils the conditions for an advanced electronic signature.”

Former items 3 – 10 become items 4 – 11.

In former item 11, which becomes item 12, the words: “from Article 17 hereof” are replaced by the words: “laid down in this Act”.

Former items 12 and 13 become items 13 and 14.

Article 2

Article 5 is amended and reads:

“The advanced electronic signature, if it has been created in line with the provisions of this Act and if all other requirements laid down in this Act and the regulations adopted under this Act, shall have the same legal force and shall serve as a replacement for a handwritten signature or/and signature and impression of a seal affixed to the electronic document.”

Article 3

Article 6 is amended and reads:

“An electronic signature shall be considered as legally valid and shall be admissible in legal proceedings if it meets the requirements prescribed by this Act.

An electronic signature may not be denied legal effectiveness and admissibility as evidence in legal proceedings solely on the basis that it is:
– in electronic form, or
– not based upon a qualified certificate, or
– not based upon a qualified certificate issued by an accredited certification service provider, or
– not created by an advanced signature-creation device.”

Article 4

In Article 7, paragraph 1 is deleted.

In paragraph 2 the words: “to paragraph 1 of this Article” are replaced by the words: “Article 6 of this Act”.

Article 5

In Article 9, after paragraph 2, paragraph 3 is added which reads:

“The conditions referred to in paragraphs 1 and 2 of this Article shall apply to the electronic signature-creation device accordingly”.

Article 6

After Article 9, Article 9a is added which reads:

“Article 9a

Certification authority must enable the recipient of an electronic message signed by an electronic signature, or another authorised person, to verify the electronic signature by ensuring that:
1. the data used for verifying the signature correspond to the data displayed to the verifier,
2. the signature is reliably verified and the result of that verification is correctly displayed to the verifier,
3. the verifier can, as necessary, reliably establish the contents of the signed data,
4. the authenticity and validity of the certificate required at the time of signature verification can be reliably verified,
5. the result of verification and the signatory's identity are correctly displayed,
6. the use of a pseudonym is clearly indicated,
7. that any changes relevant for the security of the electronic signature can be detected.”

Article 7

In Article 10, the word: “any” is deleted.

Article 8

In Article 11, paragraph 1, the word “any” is deleted.

In item 9 the words: “value of business transactions” are replaced by the words: “in relation to the importance of legal transactions.”

Paragraph 3 and paragraph 4 are deleted.

Article 9

Article 12 is amended and reads:

“The provisions of this Act regulating the certificate shall apply to the time stamp and services related thereto accordingly, while the provisions of this Act relating to the qualified certificate shall apply to the advanced time stamp and services related thereto.”

Article 10

Article 14 is deleted.

Article 11

In Article 15, paragraph 1 after the word: “Ministry” the words: “of the Economy, Labour and Entrepreneurship (hereinafter: the Ministry)” are added.

Paragraph 2 is amended and reads:

“Together with the report from paragraph 1 of this Article or in cases of changes in the rendering of services, the certification-service providers shall notify the Ministry with its internal acts regarding the provision of certification services, its proceedings and technical infrastructure.”

After paragraph 2, paragraph 3 is added which reads:

“In their internal rules, certification-service providers that issue qualified certificates must take into account the security-related requirements laid down in this Act.”

Article 12

In Article 16, new paragraphs 1 and 2 are added which read:

“The Ministry is responsible for keeping the Directory of Certification Service Providers.

The Directory of Certification Service Providers is public and shall be kept in electronic form.”

Former paragraphs 1 and 2 become paragraphs 3 and 4.

In former paragraph 3, which becomes paragraph 5, the words: “the Minister of the Economy” are replaced by the words: “the Minister of the Economy, Labour and Entrepreneurship (hereinafter: the Minister)”, and after the word: “Directory” a full stop is added, and the words: “and the forms to apply for entry into the Directory and to report changes to be entered.” are deleted.

Article 13

In Article 17, paragraph 1, the words: “the conditions stipulated in Article 12 of this Act” are deleted.

Item 1 is amended and reads:

“1. proven ability and reliability to securely provide certification services.”

In item 5, the words: “administrative and managerial” are replaced by the word “administrative”, and the words: “which comply with generally accepted standards” are deleted.

Item 8 is amended and reads:

“8. ensure sufficient financial resources for operations in compliance with the requirements established in this Act,”

Item 9 is amended and reads:

“9. ensure the storing of all relevant information pertaining to the qualified certificate during a suitable period, particularly for the purpose of providing evidence about the certificate in legal proceedings,”

In item 10, the words: “stores nor” are deleted, and the words: “on whose behalf” are replaced by the words “for whom”.

Item 11 is amended and reads:

“11. before entering into a contractual relationship with a person seeking a certificate to support his electronic signature, notify that person in writing about the precise terms and conditions regarding the use of the certificate, including any limitations on its use, the existence of a voluntary accreditation scheme and procedures for complaints and appeals, and mutual dispute settlement. Relevant parts of this information must also be made available on request to third parties examining the certificate concerned.”

In item 12, subitems b and c are amended and read:

“b. information can be checked for authenticity,
c. certificates are publicly available for retrieval in those cases for which the signatory’s consent has been obtained,”.

In subitem d, the word: “aware” is replaced by the word “apparent”.

Article 14

Article 18 is amended and reads:

“A qualified certification service provider shall take out insurance against risks for liability for damage which occurs in the provision of certification-related services (obligatory insurance), in particular:
1. as regards the accuracy of all information contained in the qualified certificate at the time of issuance and as regards the fact that the certificate contains all the details prescribed for a qualified certificate,
2. for assurance that at the time of the issuance of the certificate, the signatory identified in the qualified certificate held the signature-creation data corresponding to the signature-verification data given or identified in the certificate,
3. for assurance that the signature-creation data and the signature-verification data can be used in a complementary manner in cases where the certification service provider stores and issues both,
unless the certification service provider proves that he has acted with due diligence.

A qualified certification service provider shall be liable for damage caused to any entity or legal or natural person for failure to revoke such certificate, unless the certification service provider proves that he has acted with due diligence.

A certification service provider may indicate in a qualified certificate the limitations on the use of that certificate, provided that the limitations are recognisable to third parties.

The certification service provider shall not be liable for damage arising from use of a qualified certificate which exceeds the limitations stated in paragraph 3.

A certification service provider may indicate in the qualified certificate a limit on the value of transactions for which the certificate can be used, provided that the limit is recognisable to third parties.

The certification service provider shall not be liable for damage resulting from this maximum limit being exceeded.

The minimum amount of insurance referred to in paragraph 1 of this Article shall be determined by the Minister.”

Article 15

Article 19 is deleted.

Article 16

Article 21 is deleted.

Article 17

Article 22 is deleted.

Article 18

In Article 23, paragraph 1, after the word: “certification” the words “on the basis of a contract with the selected certification service provider” are added.

Paragraph 5 is deleted.

Article 19

In Article 24, paragraph 2 is deleted.

Article 20

In Article 30, paragraph 4 is deleted.

Article 21

In Article 33, paragraph 1 is amended and reads:

“A certification service provider shall inform each signatory and the Ministry of the possible termination of certification services within a period of not less than three months prior to the expiry of the certification services entrusted thereto by this contract.”

Article 22

In Article 34, paragraphs 2 and 3 are deleted.

Article 23

After Article 34, the new Articles 34a, 34b, 34c, 34d and their headings are added which read:

“Voluntary accreditation

Article 34a

Certification service providers that prove they fulfil all the requirements laid down in this Act may request from the accreditation authority to be entered in the Register of Accredited Certification Service Providers (hereinafter: the Register).

On their request, foreign certification service providers shall be entered in the Register provided that they fulfil the requirements laid down in this Act relating to the validity of foreign certificates in the Republic of Croatia.

Certification service providers that are entered in the Register (hereinafter: accredited providers) may operate indicating the fact they hold accreditation.

Certification service providers that are entered in the Register may indicate this fact in the issued certificates.

Article 34b

The accreditation body shall keep a publicly available electronic Register of voluntarily accredited providers.

The Register or the abstract from the Register shall be signed by the accreditation body by means of an advanced electronic signature.

The data for the verification of a qualified certificate of the accreditation body shall be published on the website along with the Register.

Article 34c

The accreditation authority shall supervise and implement measures in relation to the accredited providers.

The accreditation authority shall:
1. issue general recommendations for the operation of certification service providers, and recommendations and standards for the operation of accredited providers in line with the Act and subordinate regulations adopted pursuant thereto,
2. supervise the implementation of legal acts and subordinate regulations in the internal rules of accredited certification service providers,
3. verify whether a certification service provider during the whole time of its activity meets the requirements laid down in this Act and subordinate regulations adopted pursuant thereto, and its internal rules,
4. supervise the use of relevant procedures and infrastructure in the process of accrediting certification service providers,
5. supervise the legality of issue, storage and revocation of the certificates of accredited providers,
6. supervise the legality of other services provided by accredited providers.

The accreditation authority may recommend:
1. to change the internal rules of an accredited provider,
2. to an accredited provider to cease with further use of inappropriate procedures and infrastructure.

If the certification service provider proceeds contrary to the recommendations referred to in the decision adopted by the accreditation authority, the accreditation authority shall delete it from the Register.

A dissatisfied party may lodge an appeal to the Ministry against the decision referred to in paragraph 4 of this Article within 15 days from having received the decision.

The Minister shall decide on the appeal within thirty days after having received the appeal.

The dissatisfied party may initiate administrative procedure against the decision referred to in paragraph 6 of this Article.

Article 34d

For the purpose of carrying out accreditation tasks, the Government of the Republic of Croatia shall establish or designate a competent body to function as the accreditation authority at the proposal of the Minister.

The authority referred to in paragraph 1 shall not be a certification service provider.”

Article 24

The heading above Article 35 is amended and reads: “Validity of foreign certificates”.

Article 35 is amended and reads:

“Qualified certificates issued by certification service providers having a seat in the European Union shall be equally valid as qualified certificates issued in the Republic of Croatia.

Qualified certificates issued by certification service providers having a seat in the European Union shall be equally valid as the qualified certificates issued in the Republic of Croatia if:
1. the certification service provider fulfils the requirements for the issuance of qualified certificates stipulated in this Act, and if it has been voluntarily accredited in the Republic of Croatia or one of the European Union Member States,
2. any of the national certification service providers that fulfils the requirement for the issuance of qualified certificates stipulated in this Act guarantees for such certificates as if they were its own,
3. if so determined by a bilateral or multilateral agreement between the Republic of Croatia and other countries or international organisations,
4. if so determined by a bilateral or multilateral agreement between the European Union and third countries or international organisations.

Certificates issued by the certification service provider having a seat in the European Union, which pursuant to this Act cannot be deemed qualified, shall be treated equally as the certificates issued in the Republic of Croatia, in accordance with the provisions of this Act.”

Article 25

In Article 36, paragraph 1, after the word: “Ministry” the words: “and the State Inspectors’ Office in accordance with the provisions of a special act” are added.

Article 26

In Article 37, paragraph 1, after the word: “oversight”, the words: “authorised body responsible for the supervision of certification service providers” are added, and the words: “the Ministry shall conduct inspections of the operations of registered and recorded certification services, and” are deleted.

Paragraph 2 is amended and reads:

“If a certification service provider fails to fulfil the requirements stipulated in this Act and the implementing regulations adopted pursuant to this Act, the authorised body shall adopt the decision temporarily prohibiting the provision of certification services.”

Article 27

In Article 38, the words: “a public official of the Ministry authorised to” are replaced by the words: “the authorised body”.

Article 28

In Article 41, paragraph 1, item 2, the words: “collection and” are deleted.

Item 8 is deleted.

Former item 9, which becomes item 8, is amended as follows:

“8. fails to duly inform the service users who were issued certificates and the Ministry of the possible termination of certification services (Article 33, paragraph 1)”.

TRANSITIONAL AND FINAL PROVISIONS

Article 29

Six months after entry into force of this Act, the Minister shall pass regulations pursuant to this Act.

The subordinate regulations passed pursuant to the Electronic Signature Act (Official Gazette 10/02) shall apply until subordinate regulations referred to in paragraph 1 of this Article are passed.

Article 30

This Act shall enter into force on the eighth day after the day of its publication in the Official Gazette.

Class: 650-05/08-01/01
Zagreb, 2 July 2008

THE CROATIAN PARLIAMENT

The President of the Croatian Parliament
Luka Bebić, m.p.