The European Commission have proposed a draft eIdentity Regulation, to replace the current eSignatures Directive (99/93/EC). While the proposal is mostly concerned with inter-operability of national electronic IDs and improving the legal significance of digital signatures, timestamps, documents, etc. there are also some new requirements on “trust service providers”.
According to Article 3(12), Trust Services comprise “any electronic service consisting in the creation, verification, validation, handling and preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication, and electronic certificates, including certificates for electronic signature and for electronic seals” and according to Art 3(14) a Trust Service Provider is “a natural or a legal person who provides one or more trust services”.
Art 15 requires all Trust Service Providers to “take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide”, which looks similar to the requirement of the current Data Protection Directive on anyone processing personal data. For those who fail to implement such measures, Art 9 makes them liable for “any direct damage caused to any natural or legal person” resulting from the failure, unless they can demonstrate that they did not act negligently. Art 15(2) also requires security breaches with a significant impact to be reported to the supervisory authority for trust services, the national body for information security, and the data protection authorities, on the same tight timescale as proposed in the new Data Protection Regulation, but to additional regulators.
What puzzles me about this is that, unless there’s some hidden meaning in the word “service” (for example that it must be commercial, or must be provided to a separate third party), the definition of a trust service provider seems to cover anyone who issues a digital certificate, even if it’s only to members of the organisation to access services provided by the issuing organisation (for example I have a certificate issued by my employer to ensure that I only enter username and password when connected to genuine eduroam services). In most of the circumstances I can think of, a security breach of those certificates would only affect the organisation that issued them (so it would be unlikely to sue itself) and the breach would be unlikely to have a “significant impact”. But it seems to me there could still be some unexpected consequences (for the Commission, regulators and people who didn’t previously realise they were trust service providers) of legislating so widely. Unless someone can point out the limitation on scope that I’ve missed?
[UPDATE]
I’ve now spotted Article 2(2), which may provide the limitation I was looking for:
I think that means that the examples I was thinking of would be outside the breach requirement and liability requirements.