On November 13, 2020, Law 6/2020, of November 11, regulating certain aspects of electronic trust services, came into force. The purpose of this Law is to adapt to Regulation (EU) No. 910/2014 on electronic identification and trust services for electronic transactions in the internal market, also known as the eIDAS Regulation.
This new regulation aims to harmonize those aspects that the Regulation does not develop and leaves in the hands of the Member States. However, in its attempt not to legislate on the aforementioned issues, the Law fails and does not achieve its objective of establishing a regulatory framework so that Spanish providers can act on an equal footing with their European counterparts.
Below we analyze the most relevant measures introduced by Law 6/2020, which applies to Spanish providers and to those resident or domiciled in another State that have a permanent establishment in Spain and are not supervised by another EU competent authority.
In its articles, the Law establishes a maximum validity period of five years, as well as the cases of revocation of certificates. In this way, it limits the period of validity with respect to certificates issued by foreign providers. In addition, the qualified certificate may only be renewed once using another certificate already in force.
In relation to identity, certificates for natural persons will include the DNI, NIE or NIF number, unless the holder does not have them. Only then can they be replaced by another identification code or number. In the case of certificates of legal persons or entities without legal personality, they will be identified by their corporate name and NIF; if they do not have one, a code that identifies them uniquely and permanently over time, as recorded in the official records, will be used. However, the Law does not mention the possibility of including passports, even though the Law itself accepts the passport as a valid method to verify identity and ETSI EN 319-412-1 includes it among the attributes that can be included as “Serial number”.
Likewise, in relation to PSD2 certificates, the ETSI standards establish the inclusion of the PSP identification number and not the NIF. This identifier is specified by the National Competent Authority (in our country it is the Bank of Spain). Therefore, there is an overlap between Law 6/2020 and the technical standards that may lead to different interpretations. Can the PSP identifier be considered as the code that uniquely identifies them? It is not clear and could be a competitive disadvantage for providers based in Spain who issue PSD2 certificates.
In addition, Article 7 establishes the possibility of remote validation based on technical measures and requirements established by Ministerial Order, taking Community standards as a starting point. However, for the time being there is no regulation governing remote identification, beyond the provisions of RD 11/2020, the articles of which were repealed at the end of the State of Alarm decreed in March. At that time, the supervisory body could accept video identification methods based on the procedures authorized by Sepblac.
Consequently, we find ourselves in a situation in which remote identification is not permitted in the absence of regulation, despite the fact that the Law has been passed at an exceptional time when mobility is very limited and which prevents many users from having access to an electronic certificate.
Another aspect introduced by the articles is that only natural persons are authorized to electronically sign, i.e., the issuance of electronic signature certificates to legal persons or unincorporated entities is not contemplated. Therefore, these can only sign through those natural persons who legally represent them.
Obligations of the TSPs
Qualified providers must have liability insurance for a minimum amount of €1,500,000, except if they belong to the public sector. In addition, for each extra qualified service rendered, they must add €500,000.
Likewise, all providers are obliged to take the necessary measures to resolve security incidents and to notify security breaches or loss of integrity to the Supervisory Body.
Supervision and control
According to Article 16, the Ministry must issue and notify the resolution of the verification procedure within a maximum period of 6 months. However, according to Article 21.2 of the eIDAS Regulation, if this procedure has not been completed within 3 months, the supervisor must inform the provider of the reason for the delay and the expected timeframe for completion of the procedure.
Violations and sanctions
The Law also establishes a sanctioning regime based on a series of infringements typified in the same article, in addition to those established by the eIDAS. The exclusion of the provider from the trusted list is contemplated in certain cases.
In the second additional provision, the full legal effects of the systems used in the Public Administrations are contemplated, making reference to Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, and Law 40/2015, of October 1, on the Legal Regime of the Public Sector. However, Law 18/2011, of 5 July, regulating the use of information and communication technologies in the Administration of Justice should also be included.
On the other hand, Law 59/2003 of December 19, 2003, on electronic signature and Article 25 of Law 34/2002, of July 11, 2002, on information society services and electronic commerce are repealed, eliminating the figure of the Trusted Third Party as it is subsumed in the types regulated by the Regulation.
The new Law, in addition to modifying Article 326.3 of Law 1/2000, of January 7, of Civil Procedure, adds a paragraph 4. This paragraph grants evidentiary force to qualified electronic trust services, and the burden of proving invalidity falls on the party challenging them.
In short, we find ourselves with a law that comes late and has deficiencies that can generate insecurity in trust providers. Despite being a law that complements the European Regulation, it legislates on certain aspects already included therein and leaves aside others as relevant as video identification. Therefore, although Spain finally has the necessary legislation, the text still lacks coherence in order to create a robust and effective regulatory framework.