2020-11-12
The Spanish State issued Law 6/2020 to adapt national legislation to EU Regulation 910/2014 by regulating specific aspects of trust electronic services not harmonized at the European level. The law establishes mandatory economic guarantees for qualified providers, defines the legal probative value of electronic documents using qualified services, and sets strict rules for the issuance, validity, and revocation of electronic certificates. It also repeals the previous Electronic Signature Law and introduces a mixed public-private supervision system with specific sanctioning regimes for both qualified and non-qualified service providers.
I. GENERAL PROVISIONS
HEAD OF STATE
14046 Law 6/2020, of November 11, regulating certain aspects of trust electronic services.
FELIPE VI
KING OF SPAIN
To all who see and understand this. Know: That the General Courts have approved and I come to sanction the following law:
PREAMBLE
I
Since July 1, 2016, Regulation (EU) No 910/2014 of the European Parliament and of the Council of July 23, 2014, on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC has been applicable.
The Electronic Signature Law 59/2003, of December 19, which transposed into the Spanish legal system the repealed Directive 1999/93/EC of the European Parliament and of the Council of December 13, 1999, establishing a Community framework for electronic signatures, has been legally displaced in everything regulated by the aforementioned Regulation. The purpose of this Law is, therefore, to adapt our legal system to the European Union's regulatory framework, thereby avoiding regulatory gaps that could give rise to situations of legal insecurity in the provision of trust electronic services.
This Law does not provide a systematic regulation of trust electronic services, which have already been legislated by Regulation (EU) 910/2014, which, out of respect for the principle of primacy of European Union Law, must not be reproduced in whole or in part. The function of this Law is to complement it in those specific aspects that the Regulation has not harmonized and whose development it provides for in the legal systems of the different Member States, the provisions of which must be interpreted in accordance with it.
II
The European legislator's choice of a regulation, directly applicable in Member States, rather than a revision of Directive 1999/93/EC, was motivated by the need to reinforce legal certainty within the Union by ending the regulatory dispersion caused by transposing that Directive into national laws. That dispersion had produced significant fragmentation and hindered the cross-border provision of services in the internal market, aggravated by differences between the supervision systems applied in each Member State.
Regulation (EU) 910/2014 thus seeks to regulate, in a single normative instrument directly applicable in Member States, two realities: electronic identification and trust services in a broad sense, harmonizing and facilitating the cross-border use of online services, public and private, as well as e-commerce in the EU, thereby contributing to the development of the digital single market.
On the one hand, in the field of electronic identification, the Regulation establishes mutual acceptance, for access to online public services, of national electronic identification systems that have been notified to the European Commission by Member States, with the aim of facilitating secure telematic interaction with Public Administrations and their use for carrying out cross-border procedures, eliminating this electronic barrier that excluded citizens from fully enjoying the benefits of the internal market.
On the other hand, it introduces the harmonized regulation of new qualified trust electronic services, additional to traditional electronic signatures, such as the electronic seal of a legal person, the validation service for qualified signatures and seals, the archiving service for qualified signatures and seals, the electronic time-stamping service, the certified electronic delivery service, and the web authentication certificate issuance service, which can be combined with each other to provide complex and innovative services.
A specific legal regime is established for the aforementioned qualified trust electronic services, consistent with the high supervision and security requirements they bear, and whose reflection is the singular probative relevance they possess compared to non-qualified services. This thus reinforces the legal certainty of electronic transactions between businesses, individuals, and Public Administrations.
III
The direct applicability of the Regulation does not deprive Member States of all normative capacity on the regulated matter; indeed, they are obliged to adapt national legal systems to ensure that this quality becomes effective. This adaptation may require both the modification or repeal of existing norms, as well as the adoption of new provisions called upon to complete the European regulation.
In this sense, the objective of this Law, as indicated above, is to complement Regulation (EU) 910/2014 in those aspects that it has not harmonized and that are left to the discretion of Member States. Therefore, the Law abstains from reproducing the provisions of the Regulation, addressing only those issues that the European norm refers to the decision of Member States or that are not harmonized, acquiring coherence and meaning in the framework of European legislation.
Thus, by virtue of the principle of proportionality, this Law contains the indispensable regulation to cover those aspects provided for in Regulation (EU) 910/2014, such as, among others, the risk provision regime for qualified providers, the sanctioning regime, the verification of the identity and attributes of applicants for a qualified certificate, the inclusion of additional national-level requirements for qualified certificates such as national identifiers, or their maximum validity period, as well as the conditions for the suspension of certificates.
Regulation (EU) 910/2014 guarantees legal equivalence between a qualified electronic signature and a handwritten signature, but allows Member States to determine the effects of other electronic signatures and trust electronic services in general. In this regard, the previous regulation is modified by attributing to electronic documents for whose production or communication a qualified trust service has been used a probative advantage. In this respect, the proof is simplified, as it is sufficient to merely verify the inclusion of the aforementioned service in the trust list of qualified providers of electronic services regulated in Article 22 of Regulation (EU) 910/2014.
With regard to electronic certificates, the Law introduces several provisions relating to the issuance and content of qualified certificates, the maximum validity period of which is maintained at five years. For reasons of security in legal traffic, service providers may not use so-called "chaining", that is, renewing a qualified certificate on the basis of another that is still valid, more than once. Without prejudice to the foregoing, Regulation (EU) 910/2014 contemplates the possibility of verifying the identity of the applicant for a qualified certificate using other identification methods recognized at the national level that guarantee security equivalent, in terms of reliability, to physical presence. Echoing this provision, the Law enables the regulatory development of the conditions and technical requirements that would make this possible.
Qualified certificates issued to natural persons will include the National Identity Document number, foreigner identity number, or tax identification number, except in cases where the holder lacks all of them. The same rule applies regarding the tax identification number of legal persons or entities without legal personality holding qualified certificates, which in the absence of this must use a code that identifies them uniquely and permanently over time, as recorded in official registers.
With regard to the obligations of providers, the Law establishes the requirement to constitute an economic guarantee for the provision of qualified trust services. A single minimum amount of 1,500,000 euros is set, increased by 500,000 euros for each additional type of service provided. This amount is considered sufficient to cover the risks derived from the service, takes into account the diversity of services in the market, and does not penalize providers with a broader offer.
One of the requirements of Regulation (EU) 910/2014 focuses on guaranteeing the security of trust services against deliberate or accidental acts that affect their products, networks, or information systems. In this sense, all providers of trust services, qualified and non-qualified, are subject to the obligation to adopt adequate technical and organizational measures to manage risks to the security of the trust services they provide, as well as to notify the supervisory authority of any security breach or loss of integrity that has a significant impact on the trust service provided. This Law sanctions the non-compliance with the aforementioned obligations.
In response to the evolution of technology and market demands, Regulation (EU) 910/2014 opens the possibility of providing innovative services based on mobile and cloud solutions, such as remote electronic signatures and seals, in which the environment is managed by a trust service provider on behalf of the holder. In order to ensure that these electronic services obtain the same legal recognition as those used in an environment completely managed by the user, these providers must apply specific security procedures and use reliable systems and products, including secure electronic communication channels, to ensure that the environment is reliable and used under the exclusive control of the holder. The aim is thus to achieve a balance between ease of access and use of services, without detriment to security.
IV
This Law repeals the Electronic Signature Law 59/2003, of December 19, and with it those provisions incompatible with Regulation (EU) 910/2014.
This is the case with the old signature certificates for legal persons, introduced by the aforementioned Electronic Signature Law. The new paradigm established by the Regulation implies that only natural persons are qualified to sign electronically, so it does not provide for the issuance of electronic signature certificates in favor of legal persons or entities without legal personality. Electronic seals are reserved for these, which allow guaranteeing the authenticity and integrity of documents such as electronic invoices. Without prejudice to the foregoing, legal persons may act through the signature certificates of the natural persons who legally represent them.
The Law allows the possibility that the supervisory authority maintains a service for disseminating information about qualified providers operating in the market, in order to provide users with useful information about the services they offer in the development of their activity.
This Law also repeals Article 25 of Law 34/2002, of July 11, on information society services and electronic commerce, referring to trusted third parties, because the services offered by this type of provider are subsumed in the types regulated by Regulation (EU) 910/2014, mainly in the certified electronic delivery service and the archiving service for electronic signatures and seals.
V
Although the provision of trust electronic services is carried out under free competition, Regulation (EU) 910/2014 provides, for qualified services, a system of prior verification of compliance with the requirements imposed therein. Thus, a mixed public-private collaboration system is designed for the supervision of qualified providers, since their inclusion in the trust list, which allows starting this activity, must be based on a conformity assessment report issued by an assessment body accredited by a national accreditation body, established in one of the Member States of the European Union. From then on, qualified providers must submit the aforementioned report at least every twenty-four months.
On the other hand, non-qualified service providers can provide services without prior verification of compliance with requirements, without prejudice to their submission to the follow-up and subsequent control powers of the Administration. Nevertheless, they must communicate to the supervisory authority the provision of the service within three months from when they start their activity, merely for the purpose of knowing its existence and enabling its supervision.
Finally, the sanctioning regime applicable to qualified and non-qualified providers of trust electronic services is defined, without prejudice to the possibility already provided for in Article 20.3 of Regulation (EU) 910/2014 to withdraw the qualification from the provider or service provided, and its exclusion from the trust list, in certain cases. Likewise, the amounts of the sanctions have been adjusted, reducing the maximum fine by half compared to the previous legislation, and the division into tiers of the sanctioning range for determining the fine has been provided for, in accordance with the concurrent graduation criteria.
VI
According to all the above, this Law contains twenty articles, four additional provisions, two transitional, one repealing, and seven final provisions.
The additional provisions deal with the following: the first, public faith and trust electronic services; the second, the legal effects of the systems used in Public Administrations; the third, the National Identity Document and its electronic certificates; and the fourth, the secrecy of the identity of the members of the National Intelligence Center.
The first transitional provision refers to the communication of activity by existing non-qualified service providers, and the second transitional provision maintains in force Royal Decree 1553/2005, of December 23, regulating the issuance of the National Identity Document and its electronic signature certificates, which constitutes partial regulatory development of the Electronic Signature Law 59/2003, of December 19.
In the final provisions, various laws are modified. In the first, Law 56/2007, of December 28, on measures to boost the information society, is modified so that companies that provide services to the general public of special economic importance must have a secure means of telematic interlocution, not necessarily based on electronic certificates. This makes the rule more flexible and gives room to other identification means generally used in the private sector.
In the second final provision, Law 1/2000, of January 7, on Civil Procedure, is modified, with the aim of adapting it to the new regulatory framework of trust electronic services defined in this Law and in Regulation (EU) 910/2014.
In the third final provision, Law 34/2002, of July 11, on information society services and electronic commerce, is modified to adapt its regulation to Regulation (EU) 2019/1150 of the European Parliament and of the Council, regarding digital platforms.
In the fourth final provision, a new seventh additional provision is introduced in Law 17/2009, of November 23, on free access to service activities and their exercise, to adapt its regulation to Regulation (EU) 2018/302 of the European Parliament and of the Council, on measures intended to prevent unjustified geo-blocking and other forms of discrimination based on the nationality, place of residence, or place of establishment of customers in the internal market.
The fifth final provision contains the competence title, by virtue of which the Law is issued under the exclusive competences corresponding to the State in matters of civil legislation, telecommunications, and public security, in accordance with articles 149.1.8th, 21st, and 29th of the Spanish Constitution. Article 3 and the second final provision are also issued under what is provided in article 149.1.6th of the Constitution, which attributes to the State exclusive competence in matters of procedural legislation. On the other hand, the second additional provision is issued under what is provided in article 149.1.18th of the Constitution, in relation to the exclusive state competence over the bases of the legal regime of Public Administrations and the common administrative procedure.
Finally, the sixth and seventh final provisions refer to the regulatory development of the Law and its entry into force, respectively.
TITLE I
General Provisions
Article 1. Object of the Law.
This Law aims to regulate certain aspects of trust electronic services, as a complement to Regulation (EU) No 910/2014 of the European Parliament and of the Council of July 23, 2014, on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
Article 2. Scope of application.
This Law shall apply to public and private providers of trust electronic services established in Spain.
Likewise, it shall apply to providers resident or domiciled in another State who have a permanent establishment located in Spain, provided that they offer services not supervised by the competent authority of another European Union country.
Article 3. Legal effects of electronic documents.
Public, administrative, and private electronic documents have the value and legal efficacy corresponding to their respective nature, in accordance with the legislation applicable to them.
The proof of private electronic documents in which a non-qualified trust service has been used shall be governed by what is provided in paragraph 3 of Article 326 of Law 1/2000, of January 7, on Civil Procedure. If the service were qualified, what is provided in paragraph 4 of the same provision shall apply.
TITLE II
Electronic Certificates
Article 4. Validity and expiration of electronic certificates.
Electronic certificates are extinguished by expiry at the end of their validity period, or by revocation by trust electronic service providers in the cases provided for in the following article.
The validity period of qualified certificates shall not exceed five years.
This period shall be fixed taking into account the characteristics and technology used to generate signature, seal, or website authentication creation data.
Article 5. Revocation and suspension of electronic certificates.
a) Request made by the signatory, the natural or legal person represented by them, an authorized third party, the creator of the seal, or the holder of the website authentication certificate.
b) Violation or endangerment of the secrecy of the signature, seal, or website authentication creation data, or of the trust service provider's own data, or improper use of said data by a third party.
c) Judicial or administrative resolution ordering it.
d) Death of the signatory; subsequent judicially modified capacity, total or partial, of the signatory; extinction of legal personality or dissolution of the seal creator in the case of an entity without legal personality, and change or loss of control over the domain name in the case of a website authentication certificate.
e) Termination of representation in electronic certificates with the attribute of representative. In this case, both the representative and the person or entity represented are obliged to request the revocation of the certificate's validity as soon as the modification or extinction of the aforementioned representation relationship occurs.
f) Cessation of the activity of the trust service provider unless the management of the electronic certificates issued by it is transferred to another trust service provider.
g) Discovery of the falsity or inaccuracy of the data provided for the issuance of the certificate and contained therein, or subsequent alteration of the circumstances verified for the issuance of the certificate, such as those related to the position.
h) Finding that the cryptographic mechanisms used to generate the certificates do not meet the minimum standards necessary to guarantee their security.
i) Any other lawful cause provided for in the service's practice statement.
Trust service providers shall suspend the validity of electronic certificates in the cases provided for in letters a), c), and h) of the previous paragraph, as well as in cases of doubt about the concurrence of the circumstances provided for in letters b) and g), provided that their certification practice statements provide for the possibility of suspending certificates.
If applicable, and prior or simultaneous to the indication of the revocation or suspension of an electronic certificate in the service for consulting the validity or revocation status of the certificates issued by it, the trust electronic service provider shall communicate to the holder, by a secure means q