CEN/TR 419030:2018
Rationalized structure for electronic signature standardization - Best practices for SMEs
This Technical Report aims to be the entry point in relation to electronic signatures for any SME that is considering dematerializing paper-based workflow(s) and seeks a sound legal and technical basis in order to integrate electronic signatures or electronic seals in this process. It is not intended to be a guide for SMEs active in the development of electronic signature products and services - they should rather rely on the series ETSI EN 319 for building their offer - but it is a guide for SMEs CONSUMING e-Signature products and services.
This document builds on CEN/TR 419040, "Guidelines for citizens", explaining the concept and use of electronic signatures, to further help SMEs to understand the relevance of using e-Signatures within their business processes. It guides SMEs in discovering the level of electronic signatures which is appropriate for their needs, extends the work to specific use-case scenarios, paying special attention to technologies and solutions, and addresses other typical concrete questions that SMEs need to answer before making any decisions (such as the question of recognition of their e-Signature by third parties, within their sector, country or even internationally).
Once the decision is taken to deploy electronic signatures or electronic seals in support of their business, SMEs will then typically collaborate with their chosen providers of electronic signature or electronic seal products or services, which can be done on the basis of ETSI TR 119 100 "Guidance on the use of standards for signature creation and validation", that helps enterprises fulfil their business requirements. The present document presents to SMEs the concepts and use of the relevant standards developed under the Rationalised Framework.
Cadre pour la normalisation de la signature électronique - Meilleures pratiques pour les PME
Racionalizirana struktura za standardiziran elektronski podpis - Dobre prakse za MSP
The aim of this Technical Report is to be the entry point in relation to electronic signatures for all small and medium-sized enterprises (SMEs) that are considering abandoning paper-based workflows and are looking for a sound legal and technical basis for integrating electronic signatures into this process. It is not intended to be a guide for SMEs active in the development of electronic signature products and services - these should rely on the EN 319 x00 group of standards for preparing their offer - but is a guide for SMEs that USE electronic signature products and services.
This document builds on FprCEN/TR 419040, "Guidelines for citizens", by explaining the concept and use of electronic signatures, to further help SMEs understand the importance of using electronic signatures in their business processes. It guides SMEs in discovering the level of electronic signatures that is appropriate for their needs, extends the work to specific use-case scenarios, paying particular attention to technologies and solutions, and addresses other typical concrete questions that SMEs must answer before making any decision (such as the question of recognition of their electronic signature by third parties, within their sector, country or even internationally).
Once the decision has been taken to introduce electronic signatures in support of their business, SMEs then typically collaborate with their chosen providers of electronic signature products or services, which can be done on the basis of the standard ETSI 19 100, "Business-driven process for implementing the creation and validation of electronic signatures in electronic business", which helps enterprises fulfil their business requirements. This document presents to SMEs the concept and use of the standards developed under the rationalized framework that are relevant to SMEs.
Standards Content (Sample)
SLOVENIAN STANDARD
01 September 2018
Racionalizirana struktura za standardiziran elektronski podpis - Dobre prakse za MSP
Rationalized structure for electronic signature standardization - Best practices for SMEs
Cadre pour la normalisation de la signature électronique - Meilleures pratiques pour les PME
This Slovenian standard is identical to: CEN/TR 419030:2018
ICS: 35.040.01 Information coding in general
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
CEN/TR 419030
TECHNICAL REPORT
RAPPORT TECHNIQUE
TECHNISCHER BERICHT
May 2018
ICS 35.030
English Version
Rationalized structure for electronic signature standardization - Best practices for SMEs
Cadre pour la normalisation de la signature électronique - Meilleures pratiques pour les PME
This Technical Report was approved by CEN on 9 March 2018. It has been drawn up by the Technical Committee CEN/TC 224.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2018 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. CEN/TR 419030:2018 E
Contents
European foreword
Introduction
1 Scope
2 Terms and definitions
3 Abbreviations
4 Electronic seals as per EU Regulation 910/2014
5 SME’s perspective
5.1 Reasons for signing or sealing
5.1.1 General
5.1.2 Electronic signing as a way to confirm a legal commitment or because of a legal requirement
5.1.3 Electronic signing as a matter of diligence / risk management
5.1.4 Electronic seals as a way to comply with an explicit legal requirement to apply a seal, stamp or comparable formal requirement
5.1.5 Electronic seals as a way to ensure the integrity and authenticity of a document
5.2 Who signs or seals?
6 Solutions
6.1 General
6.2 Signature creation
6.2.1 General
6.2.2 Remotely managed signature creation application and signature creation device
6.2.3 Remotely managed signature creation device
6.2.4 Remotely managed signature creation
6.2.5 Signature creation application and signature creation device in the hand of the signatory
6.2.6 Responsibilities of parties
6.2.7 Level of security and assurance on the issued signatures
6.3 Signature validation
6.4 Signature preservation
7 I’m a TSP?
8 Use-cases
8.1 Use-cases where the SME is signing
8.1.1 eInvoicing
8.1.2 eProcurement Directive
8.1.3 Accessing markets across the EU and the impact of the Services Directive
8.2 Use-cases where the SME and the SME’s customers / partners are co-signing or co-sealing
9 Annex Digital signatures standardization
Bibliography
European foreword
This document (CEN/TR 419030:2018) has been prepared by Technical Committee CEN/TC 224
“Personal identification and related personal devices with secure element, systems, operations and
privacy in a multi sectorial environment”, the secretariat of which is held by AFNOR.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
Introduction
Today, it is possible to electronically sign data to achieve the same effects as when using a hand-written
signature. Such electronic signatures benefit from full legal recognition due to the EU Regulation N°
910/2014 of the European Parliament and of the Council on electronic identification and trust services
for electronic transactions in the internal market [1] (hereafter referred to as Regulation (EU) N°
910/2014) which addresses various services that can be used to support different types of electronic
transactions and electronic signatures in particular.
The use of secure electronic signatures should help the development of online businesses and services in
Europe. The European Commission standards initiative aims at answering immediate market needs by:
— securing online transactions and services in Europe in many sectors: e-business, e-administration, e-
banking, online games, e-services, online contract, etc.;
— contributing to a single digital market;
— creating the conditions for achieving the interoperability of electronic signatures at a European level.
Besides the legal framework, the technical framework at the present time is very mature. Citizens
routinely sign data electronically by using cryptographic mechanisms, e.g. when they use a credit
card or debit card to make a payment. Electronic signatures implemented by such cryptographic
mechanisms are called “digital signatures”. Appropriate technical methods for digital signature creation,
validation and preservation, as well as ancillary tools and services provided by trust service providers
(TSPs), are specified in a series of documents developed along with the present document.
The present document is part of a rationalized framework of standards (see ETSI TR 119 000 [6])
realized under the Standardization Mandate 460 issued by the European Commission to CEN, CENELEC
and ETSI for updating the existing standardization deliverables.
Further support is provided to the emerging cross-border use of eSignatures through other legal and
policy instruments that affect electronic processes being used in the market today (e.g. eInvoicing
Directive [3], Public Procurement Directive [4] and Services Directive [5]).
In this framework, CEN is in charge of issuing Guidelines for electronic signatures implementation. These
guidelines are provided through two documents:
— CEN/TR 419030, “Rationalized structure for electronic signature standardization - Best practices for
SMEs”, aligned with standards developed under the Rationalised Framework as described by
ETSI SR 001 604, and
— CEN/TR 419040, “Rationalized structure for electronic signature standardization - Guidelines for
citizens”, explaining the concept and use of electronic signatures.
The present document builds on CEN/TR 419040.
These two documents differ slightly from the other documents in the Technical Framework since they go
beyond the technical concept of “digital signature” and deal also with the legal concepts of electronic
signatures and electronic seals.
1 Scope
This Technical Report aims to be the entry point in relation to electronic signatures for any SME that is
considering dematerializing paper-based workflow(s) and seeks a sound legal and technical basis in
order to integrate electronic signatures or electronic seals in this process. It is not intended to be a guide
for SMEs active in the development of electronic signature products and services - they should rather
rely on the series ETSI EN 319 for building their offer - but it is a guide for SMEs CONSUMING e-Signature
products and services.
This document builds on CEN/TR 419040, “Guidelines for citizens”, explaining the concept and use of
electronic signatures, to further help SMEs to understand the relevance of using e-Signatures within their
business processes. It guides SMEs in discovering the level of electronic signatures which is appropriate
for their needs, extends the work to specific use-case scenarios, paying special attention to technologies
and solutions, and addresses other typical concrete questions that SMEs need to answer before
making any decisions (such as the question of recognition of their e-Signature by third parties, within
their sector, country or even internationally).
Once the decision is taken to deploy electronic signatures or electronic seals in support of their business,
SMEs will then typically collaborate with their chosen providers of electronic signature or electronic
seal products or services, which can be done on the basis of ETSI TR 119 100 “Guidance on the use of
standards for signature creation and validation”, that helps enterprises fulfil their business requirements.
The present document presents to SMEs the concepts and use of the relevant standards developed under
the Rationalised Framework.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
2.1
advanced electronic signature
electronic signature which meets the requirements set out in Article 26 of Regulation (EU)
N° 910/2014 [1]
Note 1 to entry: Article 26: An advanced electronic signature shall meet the following requirements:
(a) it is uniquely linked to the signatory;
(b) it is capable of identifying the signatory;
(c) it is created using electronic signature creation data that the signatory can, with a high level of confidence, use
under his sole control; and
(d) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
[SOURCE: Regulation (EU) N° 910/2014 [1], Article 3 (11)]
2.2
electronic signature (from the regulation)
data in electronic form which is attached to or logically associated with other data in electronic form and
which is used by the signatory to sign
[SOURCE: Regulation (EU) N° 910/2014 [1], Article 3 (10)]
2.3
digital sign
...