Order PRE/1838/2014 approving Cl@ve, the common platform for electronic identification, authentication and signature of the State Public Administration Sector

OFFICIAL STATE BULLETIN No. 245 Thursday, October 9, 2014 Sec. I. Page 82203

I. GENERAL PROVISIONS MINISTRY OF THE PRESIDENCY 10264 Order PRE/1838/2014, of October 8, publishing the Agreement of the Council of Ministers of September 19, 2014, approving Cl@ve, the common platform of the State Public Administration Sector for identification, authentication and electronic signature through the use of agreed keys.

The Council of Ministers, in its meeting of September 19, 2014 and upon the proposal of the Vice President of the Government and Minister of the Presidency and of the Ministers of Finance and Public Administrations, of the Interior, of Employment and Social Security and of Industry, Energy and Tourism, has adopted an Agreement approving Cl@ve, the common platform of the State Public Administration Sector for identification, authentication and electronic signature through the use of agreed keys.

In virtue of what is provided in the seventh paragraph of the aforementioned Agreement and for general knowledge, its publication as an Annex to this Order is ordered.

Madrid, October 8, 2014.–The Vice President of the Government and Minister of the Presidency, Soraya Sáenz de Santamaría Antón.

ANNEX Agreement of the Council of Ministers approving Cl@ve, the common platform of the State Public Administration Sector for identification, authentication and electronic signature through the use of agreed keys

The Government of Spain has launched an ambitious reformist project aimed at correcting the imbalances that hinder our growth and creating the appropriate foundations to build a new cycle of economic prosperity and employment.

On these premises, on October 26, 2012, the Council of Ministers approved an Agreement creating the Commission for the Reform of Public Administrations (CORA) and, following the presentation of its Report in the Council of Ministers on June 21, 2013, actions were initiated to simplify procedures and reduce administrative burdens for citizens and businesses and to avoid overlaps and duplicities in the actions of the Administrations, promoting the management of common services and resources with the objective of improving the efficiency of public activity with cost savings.

In the field of computer means, the measures proposed by the CORA Report have focused on a rationalization of the current organizational structures in the field of Information and Communication Technologies (ICT) of the State Public Administration Sector, consolidating common infrastructures and services that allow for a more efficient use of technological resources, as well as offering higher levels of quality in the services provided.

In order to develop the standardization processes considered essential to incentivize the sharing and reuse of infrastructures and services, the CORA Report contemplated the creation of a specific body, at the highest level, that would drive and coordinate the necessary process of rationalization of the various facets of information and communications technology policy throughout the State Public Administration Sector: acquisition of computer goods, network structure, e-government services and optimization of web publication systems. This body is the Directorate of Information and Communication Technologies of the General State Administration.

cve: BOE-A-2014-10264

OFFICIAL STATE BULLETIN No. 245 Thursday, October 9, 2014 Sec. I. Page 82204

In development of the CORA Report, the competencies for coordinating the process of rationalization of ICT in the State Public Administration Sector were initially attributed to the Ministry of the Presidency in accordance with what is provided in Royal Decree 695/2013, of September 20. This Royal Decree attributed to the Directorate of Information and Communication Technologies of the General State Administration the elaboration, coordination and direction of the strategy on information and communication technologies of the State Public Administration Sector, as well as the planning of the consolidation of horizontal infrastructures and services in the field of Electronic Administration, among others. By Royal Decree 802/2014, of September 19, these competencies are attributed to the Ministry of Finance and Public Administrations and the Directorate of Information and Communication Technologies is attached to this Ministry, depending on the State Secretariat of Public Administrations.

In this model of common and integrated management, facilitating relations between society and Administration, it is essential to enable a simple, fast and secure system for the identification, authentication and signature of citizens in their electronic relationship with the service providers of the State Public Administration Sector and, to the extent that it is agreed, of the rest of the State Public Sector, of the Autonomous Administrations and Local Entities. Furthermore, this electronic identification and authentication system must allow the expression of the user's will, when so required by the service or electronic procedure, through electronic signature systems valid according to current regulations.

Law 11/2007, of June 22, on the electronic access of citizens to Public Services, meant that Public Administrations made a huge effort to make all their services available to citizens by electronic means and to do so with the highest possible security guarantees. The high levels of security foreseen for electronic access to services have been supported mainly by the electronic signature systems provided for in paragraphs a) and b) of article 13.2 of Law 11/2007 of June 22. These certificate-based electronic signature systems, however, require frequent software updates and reconfigurations that add a component of complexity that can be discouraging and which is not always necessary, by virtue of the principle of proportionality, in those procedures and processes that do not require such a high level of security.

On the other hand, although there are already different identification, authentication and signature systems provided for in article 13.2.c) of Law 11/2007, which provides for other electronic signature systems, such as the use of agreed keys in a previous registration as a user, the provision of information known by both parties or other non-cryptographic systems, in the terms and conditions determined in each case, these systems are not interoperable with each other, with the inconvenience this entails for the citizen who has to know and apply different systems depending on the Administration, the body or the service or procedure to which they access.

In view of these difficulties, and in exercise of the functions provided for in article 9.1, paragraph d) of Royal Decree 199/2012, of January 23, which consist in planning the consolidation of horizontal infrastructures and services in the field of electronic administration, the Ministry of the Presidency through the Directorate of Information and Communication Technologies of the General State Administration has organized and led the work of a group of experts in which representatives of the vast majority of ministerial departments and their attached public bodies have participated, who, after intense work over several months, have designed a collaborative system for electronic identification, authentication and signature, called to resolve the limitations of the current ones, integrating the existing agreed key systems of the Administration into a single one, and opening its use to the entirety of the State Public Administration Sector, and also allowing integration into the rest of the Public Administrations when available, thereby enabling the practical extension of Electronic Administration services to the vast majority of Spanish citizens, in application of Law 11/2007, of June 22.

cve: BOE-A-2014-10264

OFFICIAL STATE BULLETIN No. 245 Thursday, October 9, 2014 Sec. I. Page 82205

Therefore, attending to the needs of citizens, taking advantage of the possibilities offered by rapid technological evolution and appealing to the principle of proportionality provided for in Law 11/2007, of June 22, and without prejudice to the continuity of the service of already operational systems, which are of undeniable utility for citizens, the creation of Cl@ve is approved, a common system, easy to use, based on article 13.2.c) of the aforementioned law, which will conform as the common platform of the State Public Administration Sector for electronic identification, authentication and signature through the use of agreed keys and will offer identification and authentication services alternative and complementary to those governed by letters a) and b) of article 13.2 of Law 11/2007, of June 22. This new system aims to facilitate uniform citizen access to various services provided via the Internet, trying to minimize the existing identification and authentication systems or those that future needs might demand.

The Cl@ve system will be developed on two already operational systems and, taking advantage of the effort made within the working group, the use of the PIN24H of the State Tax Administration Agency, conceived for users with occasional access, and the "Social Security user and password system" oriented towards users with frequent access, recently implemented in their respective fields, is extended. In addition, the transversality of the new model of common management of citizen identification, authentication and signature, referred to in this agreement, is based on the collaboration of the different bodies and public bodies attached to various ministerial departments that will act in the system as bodies responsible for its application and guarantees of operation. Thus, under the ownership of the Directorate of Information and Communication Technologies, which incorporates into its own the functions previously attributed to the General Directorate of Administrative Modernization, Procedures and Impulse of Electronic Administration, they will assume responsibility for their respective actions in the fields of User Registration, Identification, Authentication and Electronic Signature: the State Tax Administration Agency, the IT Management of the Social Security and other Managing Entities and Common Services of Social Security, the General Directorate of the Police, as a certification service provider, and the FNMT-RCM, due to the importance that, in the development of the project, the DNIe (Electronic National Identity Document) has and that it will undoubtedly have in the future, the DNI in the cloud, since, additionally, the Cl@ve system will allow access to cloud signature services based on centralized electronic certificates.

This electronic identification and signature system may evolve in the future to also admit the participation of the private sector in its provision, or its combination with other technological solutions offered by specialized companies.

The Cl@ve system is created to cover the entire scope of the State Public Administration Sector and, where appropriate, of the rest of the Public Administrations. In this sense, it is worth remembering that the impulse of an electronic administration also implies responding to community commitments. The Digital Agenda for Europe proposes legal measures for the effective digital development of Europe regarding electronic signature (key action no. 3) and the mutual recognition of electronic identification and authentication (key action no. 16), thus establishing a clear legal framework in order to eliminate fragmentation and lack of interoperability, promote digital citizenship and prevent cybercrime.

In its development, Law 11/2007, of June 22, enshrines in its preamble the right of citizens to communicate with Administrations by electronic means and emphasizes that the counterpart of this right is the obligation of Administrations to equip themselves with electronic means and systems so that this right can be exercised in an agile and effective manner. Electronic administration is not merely a technical matter, but one of democratic governance and the extension of a common platform to all administrative instances comes to satisfy that need for homogeneity, simplicity and shared services collected in the CORA Report.

cve: BOE-A-2014-10264

OFFICIAL STATE BULLETIN No. 245 Thursday, October 9, 2014 Sec. I. Page 82206

Being the scope of application of this text the entirety of the State Public Administration Sector, and forming part of it the General State Administration, this Agreement of the Council of Ministers is adopted in virtue of what is provided in Royal Decree 1671/2009, of November 6, which partially develops Law 11/2007, of June 22, in its article 11 "Other electronic signature systems"; issued in development of article 13.2.c) of Law 11/2007, which indicates that when the system refers to the entirety of the General State Administration, an agreement of the Council of Ministers will be required upon proposal of the Ministries of the Presidency and of Industry, Tourism and Commerce, prior report of the Higher Council of Electronic Administration.

In virtue of the above, prior report of the Higher Council of Electronic Administration and upon proposal of the Vice President of the Government and Minister of the Presidency, of the Minister of Finance and Public Administrations, of the Minister of the Interior, of the Minister of Employment and Social Security and of the Minister of Industry, Energy and Tourism, the Council of Ministers in its meeting of September 19, 2014, agrees:

First. Approval of the Cl@ve system. The Cl@ve system is approved, a common system for identification, authentication and electronic signature for the entire State Public Administration Sector, which will allow the citizen to relate electronically to public services through a common platform through the use of agreed keys prior to registration as a user of the same, in accordance with what is provided in article 13.2.c) of Law 11/2007, of June 22, on the electronic access of citizens to public services.

This platform will offer users a friendly interface to select one of the identification and electronic signature systems indicated in article 13.2 of Law 11/2007, of June 22.

Information regarding this system, as well as the list of bodies of the State Public Sector, Autonomous Administrations or Local Entities that incorporate into the system, will be published on the Portal www.060.gob.es and in the electronic offices of the bodies where it is applicable in accordance with what is provided in Royal Decree 1671/2009, of November 6, which partially develops Law 11/2007, of June 22.

Second. Bodies responsible for its application and guarantees of operation.

1. The body responsible for the Cl@ve system will be the Directorate of Information and Communication Technologies, in development of the competencies for the impulse of digital Administration, and of the innovation process of the General State Administration and its Public Bodies, attributed in accordance with what is provided in Royal Decree 802/2014, of September 19, which modifies Royal Decree 390/1998, of March 13, which regulates the functions and organizational structure of the Delegations of Economy and Finance; Royal Decree 1887/2011, of December 30, which establishes the basic organizational structure of ministerial departments; Royal Decree 199/2012, of January 23, which develops the basic organizational structure of the Ministry of the Presidency; Royal Decree 256/2012, of January 27, which develops the basic organizational structure of the Ministry of Finance and Public Administrations and Royal Decree 696/2013, of September 20, modifying the aforementioned.

2. The following bodies and public bodies will participate in the construction and implementation of the Cl@ve system and will be guarantors of its operation, assuming responsibility for their respective actions in the fields of User Registration, Identification, Authentication and Electronic Signature: a) The State Tax Administration Agency. b) The Directorate of Information and Communication Technologies.

cve: BOE-A-2014-10264

OFFICIAL STATE BULLETIN No. 245 Thursday, October 9, 2014 Sec. I. Page 82207 c) The IT Management of the Social Security and other Managing Entities and Common Services of Social Security d) The General Directorate of the Police e) The National Factory of Currency and Stamps-Royal Mint (FNMT-RCM).

3. For the purposes provided for in Organic Law 15/1999, of December 13, on the Protection of Personal Data, the Directorate of Information and Communication Technologies of the General State Administration will have the status of responsible for the file, being the bodies and public bodies mentioned in the previous paragraph in charge of the processing of the same, in accordance with their specific regulations. Therefore, and in conformity with what is provided in article 12 of Organic Law 15/1999, of December 13, said bodies and public bodies: a) Will process the data necessary for the operation of the system on behalf of the body responsible for the file and in accordance with the indications established by the same, in accordance with the fifth paragraph of this Agreement. b) Will not process the data for purposes other than those of the system, which consist in facilitating to the citizen a common platform that allows them to relate electronically to public services through the use of agreed keys. c) Will implement, for the adequate operation of the system, the security measures established in Title VIII of the Regulation for the development of Organic Law 15/1999, of December 13, approved by Royal Decree 1720/2007, of December 21. d) Will be obliged, in case of ceasing the provision of the service, to proceed to the return of the data or its transmission to the body or organism designated to such effect by the responsible for the file. e) Will respect what is established in article 12 of Organic Law 15/1999 and in Chapter III of Title II of its development Regulation.

4. The system will allow several modes of use, with different levels of operational guarantee according to criteria of integrity, confidentiality, authenticity and non-repudiation, in the terms provided in art. 11.3 of Royal Decree 1671/2009, of November 6, which may be applied to administrative procedures according to their needs, by virtue of the principle of proportionality collected in article 4 of Law 11/2007, of June 22.

Third. General description of the Cl@ve system.

1. Registration: Interested parties who wish to use the system must provide the necessary personal data to enable the identification, authentication and electronic signature services. These data will be integrated into the Cl@ve File of personal data that will be created in the terms provided in Law 15/1999, of December 13, on the Protection of Personal Data and its development regulations.

Registration can be carried out telematically or in person in any of the offices of the bodies and public bodies that perform User Registration functions of the Cl@ve platform. The form of registration used will be one of the factors to classify the level of identity and authenticity guarantee associated with the registration.

2. Identification: There will be 2 types of identification systems: a) Cl@ve occasional: password system with very limited validity in time, oriented to users who access services sporadically. b) Cl@ve permanent: password system with lasting validity in time but not unlimited, oriented to habitual users.

cve: BOE-A-2014-10264

OFFICIAL STATE BULLETIN No. 245 Thursday, October 9, 2014 Sec. I. Page 82208 3. Signature of electronic documents: The Cl@ve systems can be used to confirm information, proposals or drafts sent or exhibited by a Public Administration.

The Cl@ve platform will offer users a friendly interface that allows them to select, from among the electronic signature systems indicated in article 13.2 of Law 11/2007, of June 22, those that the regulatory framework of the action in question requires or allows in each case to carry out the corresponding administrative procedure or management and the signature of electronic documents if applicable.

Among the systems offered to the citizen, the Cl@ve platform will offer the citizen to use the Electronic National Identity Document for their identification, authentication and signature, in which case the regulatory framework of said document will be applicable to the data processing derived from such use.

Fourth. Application of the system.

1. When the completion of procedures or access to services in an Electronic Office of the State Public Administration Sector requires the use of identification and authentication systems provided for in article 13.2.c) of Law 11/2007, of June 22, at least one of the systems that integrate into the new Cl@ve platform must be offered.

2. Likewise, in order to facilitate the electronic access of citizens to the Administration and in development of the principle of efficiency, other Public Administrations may adhere to the system through agreement under the technical, economic and organizational conditions determined in the technical prescriptions for development referred to in the Fifth paragraph of this Agreement. Their incorporation into the Cl@ve system will be published on the Portal www.060.gob.es and in the electronic offices that are applicable.

3. Initially, the network of offices of the State Tax Administration Agency and of the Managing Entities and Common Services of Social Security will function as Data Registration Offices. The Directorate of Information and Communication Technologies of the General State Administration may agree to expand the network of Registration Offices with those public bodies that have territorial deployment and meet the necessary technical requirements established by resolution of this Directorate. The list of Registration Offices will be published on the Portal www.060.gob.es and in the electronic offices that are applicable.

4. The State Public Administration Sector must enable the Cl@ve system in all services and electronic procedures directed to citizens before December 31, 2015. Services and procedures directed