Documents considered by the Committee on 19 March 2014 - European Scrutiny Committee


11   Electronic identification and trust services for electronic transactions

(33989)

10977/12

+ ADDs 1-2

COM(12) 238

Draft Regulation on electronic identification and trust services for electronic transactions in the internal market

Legal base: Articles 114 and 288 TFEU; QMV; ordinary legislative procedure
Department: Business, Innovation and Skills
Basis of consideration: Minister's letters of 3 December 2013 and 12 March 2014
Previous Committee Reports: HC 83-xxxiii (2013-14), chapter 2 (12 February 2014) and HC 86-xi (2012-13), chapter 5 (5 September 2012); also see (27369) 7560/06: HC 34-xxviii (2005-06), chapter 14 (10 May 2006) and (30246) 16836/08: HC 19-xi (2008-09), chapter 10 (18 March 2009)
Discussion in Council: To be determined
Committee's assessment: Legally and politically important
Committee's decision: Cleared

Background

11.1  The Electronic Signature Directive — Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures[23] — established the legal framework at European level for electronic signatures and certification services, thereby allowing the free flow of electronic signature products and services across borders and ensuring a basic legal recognition of electronic signatures. The three forms of electronic signature that the Directive addresses are:

—  the simplest form of the "electronic signature" which serves to identify and authenticate data (as simple as signing an e-mail message with a person's name or using a PIN-code);

—  the "advanced electronic signature" (which uses encryption technology to sign data, and requires a public and a private key); and

—  the "qualified electronic signature" (an advanced electronic signature based on certification and the use of a secure-signature-creation device that has to comply with the requirements in Annex I, II and III of the Directive, which aims to meet the legal requirements of a handwritten signature).

11.2  A Commission review of its operation (which the previous Committee considered in May 2006 and cleared with a Report to the House) noted that, while e-signatures were commonly used in e-banking and e-government services, the use of qualified electronic signatures had been much less than it had expected; this (the Commission said) meant that the internal market objective of the Directive — the free circulation of qualified electronic signatures — could not be assessed comprehensively at that stage. Service providers preferred solutions developed by the banking sector. The Commission said that this slowed down the process of developing interoperable solutions; it would continue to encourage the development of e-signatures services and applications and monitor the market.[24]

11.3  This was followed by a further Commission "Action Plan" in 2008. Despite a continuing lack of interest, the Commission nonetheless maintained that greater use of digital signatures was a good thing and that adoption had been prevented by cross-border interoperability problems. It was, however, the then Government's consistent view that the primary barrier was the lack of a clear business case, rather than those suggested by the Commission. Though the actions to be carried out by the Commission were aimed at information gathering and enabling actions and would thus have no impact on UK policy, the then government would ensure that emerging EU e-Signature and e-Identity management policy was consistent with UK policy and compliant with emerging standards, including standards to support a trusted identity service provider model accepted by all Member States.[25]

The draft Regulation

11.4  The content of the draft regulation is set out in detail in our 2012 Report.[26] The proposed Council Regulation would replace the 1999 E-Signatures Directive with a broad framework to enable the mutual recognition and acceptance of electronic identification, authentication, signatures and related ancillary trust services (referred to as eIAS) across borders. It accordingly covers not only electronic signatures (e-Sigs) but also electronic identification (e-ID) and electronic seals, electronic time stamping, acceptance of electronic documents, and website authentication. The proposal would give legal effect to the use of eIAS and thus increase confidence in accessing online services or completing online transactions in other European countries. The proposal does not seek to impose an EU e-ID scheme on Member States and is only concerned with issues relating to the cross-border use of e-ID.

11.5  The direct applicability of a Regulation pursuant to Article 288 TFEU would, the Commission says, provide greater legal certainty by introducing a harmonised set of core rules contributing to the functioning of the internal market. It would "create a level playing field for businesses providing trust services where the currently existing differences in national legislation often lead to legal uncertainty and additional burden". Legal certainty would be "significantly increased through clear acceptance obligations by Member States of qualified trust services which will create additional incentive for businesses to go abroad". Mutually recognised electronic identification means and widely accepted electronic signatures would facilitate cross-border provision of numerous services in the internal market and enable businesses to go cross-border without facing obstacles in interactions with public authorities, and would "mean significant efficiency improvements both for businesses and citizens when complying with the administrative formalities".

11.6  The then Minister (Norman Lamb) welcomed this initiative. However, when he described the language used as "less than clear"; as making it "difficult to assess with confidence what this proposal will mean in practice"; and as giving rise to "a number of concerns where wording is open to different interpretations", there was plainly still much to be clarified and finalised. In particular, the then Minister said that: there were several references to the Commission being empowered to adopt "delegated acts" whose purpose and scope was not clearly set out in the text, but gave no details of which areas; it was therefore difficult to assess with confidence whether he was content that powers needed to be conferred upon the Commission to adopt these acts and what this proposal would mean in practice; and he intended "to be vigilant on this issue".

11.7  He also indicated concern that the Commission's proposal should support rather than undermine the UK's own plans for identity assurance in connection with Government plans to incorporate an e-ID solution into universal credit and a possible pan-Government solution for e-ID. There was also uncertainty about the cost of the proposal.

11.8  Sorting all this out and negotiating a satisfactory outcome with the European Parliament before the end of 2012 — which was the Cyprus Presidency's aim — would be a tall order. In the first instance, therefore, the Committee looked forward to receiving the Government's own impact assessment, and asked the Minister then to provide: a summary of the negotiating process at that stage; a situation report on each of the concerns that the Minister highlights; and greater detail on which of the 43 Articles of the draft Regulation the Minister then regarded as satisfactory, and which ones he still did not, and why.

11.9  In the meantime, we retained the document under scrutiny.[27]

The Minister's letter of 3 December 2013

11.10  The Minister for Business and Energy (Michael Fallon) said that, although progress with "a very complicated and technical Regulation" had been slow under both the Cypriot and Irish Presidencies, considerable progress had been made since September under the Lithuanian Presidency, especially in respect of articles 1-19, which made up the first half of the Regulation and covered the General Provisions, Electronic Identification and Trust Services elements. Agreement had now been reached in COREPER[28] that the Presidency could begin informal trialogues with the European Parliament in respect of articles 1-19 only of the Regulation. The rest of the Regulation, i.e. articles 20-42 on electronic signatures, electronic seals, electronic time stamps, electronic delivery and website authentication services, required further detailed work before they, and therefore the Regulation as a whole, could be agreed.

11.11  The Government was:

"broadly content with the direction negotiations are going in respect of articles 1-19, many of our comments and suggestions have been taken on board and we are seen as being supportive and constructive in respect of trying to reach consensus around a workable outcome. In particular, the Lithuanian Presidency has put a lot of energy into the electronic identification (e-ID) part of the Regulation, i.e. articles 5-8. The Government feels that very significant progress has been made in reaching the current revised text of articles 1-19."

11.12  The relevant officials were working to ensure that any revised text on e-ID did not undermine or cut across the Government's work on the Identity Assurance Programme (IDAP); this included a concept of "levels of assurance" to ensure that a European system would provide appropriate, and proportionate, identity assurance and would be more in line with the system being developed in the UK.

11.13  The Minister recalled that the proposal raised a number of other areas of concern and said that, where possible, he had provided an updated position in respect of the latest revised text (see our most recent Report on this document for details).[29]

Our further assessment

11.14   After fifteen months' inactivity, the Commission and the Presidency had decided to press ahead at full speed, with a view to adoption prior to the upcoming European Parliament elections. However desirable that objective might be, it did not obviate the need for proper prior parliamentary scrutiny.

11.15  Helpful and informative as this latter update was, before we could consider lifting the scrutiny reserve, we required a further update akin to the one on the proposed Directive on the market for radio equipment (which we considered at the same meeting), i.e., as well as dealing definitively with the issues of concern highlighted by both his predecessor and himself, also outlining all of the articles in which the Commission proposed the use of delegated powers, the outcome on each one, and how any outcome that conceded the use of a delegated act was consistent with Article 290 TFEU.

11.16  In the meantime, we continued to retain the draft Regulation under scrutiny.

11.17  We also drew this chapter of our Report to the attention of the Business, Innovation and Skills Committee.[30]

The Minister's letter of 12 March 2014

11.18  The Minister (Michael Fallon) writes "to formally request that your Committee lifts the reserve it placed on the proposed Regulation in 2012", and says that he believes "that the information provided below addresses all of the concerns raised previously".

11.19  The Minister notes that the original proposal contained 29 implementing acts and 19 delegated acts, and continues as follows:

"DETAILED OVERVIEW OF THE PROPOSED DELEGATED ACTS AND NEGOTIATION OUTCOMES

"There were particular concerns about the uncertainty of the extent of some delegated acts, in particular, that they related to essential elements of the Proposal. Article 290 TFEU provides that a legislative act may delegate to the Commission the power to adopt non-legislative acts to supplement or amend certain non-essential elements of the legislative act. As requested by the Committee, the table at Annex A sets out the articles of the Proposal containing delegated acts, and the outcome in relation to each.[31]

"As the Committee will see, the revised text contains only three delegated acts. The UK and other Member States have been successful in achieving the deletion of delegated acts that were considered excessive and inappropriate given the constraints in Article 290 TFEU. The UK is therefore satisfied that these remaining delegated acts are appropriate.

"DETAILED OVERVIEW OF THE PROPOSED IMPLEMENTING ACTS AND NEGOTIATION OUTCOMES

"For eID (articles 5-8)

"The Council text now provides for tertiary legislation in four areas where experts need to be involved in making cross-border recognition work:

·  "implementing acts to set European assurance levels in relation to identity (Article 6a(2))

·  "implementing acts on the format and procedure for notifying a scheme (Article 7(4))

·  "implementing acts on cooperation to build trust and understanding of other member states' approaches to identity assurance (Article 8(2))

·  "implementing acts to address the practical questions on interoperability (Article 8(2a))

"By ensuring that these are implementing acts rather than delegated acts, the Council has ensured that member states retain a greater role in their agreement.

"Through the implementing act required by Article 6a, the Regulation makes provision for standards for different assurance levels. The importance of this is set out in the section on assurance levels below. Setting these levels in an implementing act should ensure that the standards will be flexible enough to update as international thinking changes and as the technology develops. The scope of the implementing act is clearly defined — Article 6a sets a clear basis and set of criteria to be taken into account when setting standards. The linked recital in the Council text also ensures that the levels set by the Commission will be tied to other international work on assurance levels, in which the UK is heavily involved.

"The implementing act provided for in Article 7 relates to the circumstances, format and procedure of a notification of an eID scheme. It provides an opportunity to ensure that all Member States take a uniform approach to notification of their schemes. Exactly what needs to be included in the notification of a scheme depends on the interoperability framework so use of an implementing act here means that the notification can be flexible according to that framework.

"Article 8 now provides for two implementing acts rather than delegated acts. The text also now contains a lot more detail on the areas to be covered by those implementing acts. Article 8(1)(a) and (b) set criteria related to the interoperability framework and Articles 8(1)(c) and (d) set criteria related to cooperation between Member States. These ensure that the parameters for the implementing acts are set out clearly in the Regulation, rather than giving a completely open hand to the Commission.

"For Trust Services

"The implementing acts in Articles 14, 20, 28 and 34 have been deleted. Although replacement implementing acts are allowed for in the new Articles 20a and 28a these are much more closely defined. Minor amendments have been made in a number of other provisions for implementing acts, including deleting the word 'circumstances', for example, in relation to the implementing acts allowed for in Articles 13 and 15. The UK considers that these amendments significantly reduce the scope of the implementing acts in question.

"Also, the implementing act in Article 16 has been amended to constrain its scope to establishing reference numbers for existing standards for conformity assessment bodies, whereas, the original implementing act empowered the Commission to define the circumstances, procedures and formats applicable to assessment of conformity assessment bodies — a much wider power. In light of these changes, the UK is satisfied that the remaining, as well as new and replacement, implementing acts contained in the text agreed by Coreper on the 28th February are appropriate in the circumstances. More detail on these is set out in the table at Annex B.[32]

"Other Considerations relating to Electronic Identification (eID)

"Scope

"In the Council text, the scope of the Regulation has now been limited so that it only places the obligation to accept eID from other member states on public sector services that are already accepting eID domestically, and that require significant assurance that a person is who they say they are. The Regulation also allows for public sector service providers to accept eIDs with a lower assurance level where they choose to do so. The limitation of scope means the implementation can focus on services where there is genuine cross-border relevance rather than having to ensure that all service providers have to consider how to ensure compliance.

"Art 6(1)(a) — Inclusion of ID provided by private Identity Providers (IDPs)

"The wording of Article 6(1)(a) has been made broader to ensure that eID systems involving private identity providers can also be notified under the Regulation. Several member states' eID systems (including the one being developed in the UK) rely on private sector IDPs, so this change can ensure that the Regulation fits with the different approaches being developed on identity assurance across the EU.

"Provisions in relation to security breach

"Article 7a has been introduced to ensure that it is clear what steps need to be taken and who needs to be notified should there be a security breach in relation to a notified eID solution.

"Liability

"The new Article 7b attributes liability amongst different parties involved in providing an eID solution. It now provides more detail around liability, referring to liability being determined in accordance with national law, and introducing a test of intention or negligence before the liability provisions can take effect.

"Assurance levels and use of the term 'unambiguously' in relation to electronic identification (eID)

"The original proposal made reference to the fact that eID needs to 'unambiguously link the person (which can be a natural or legal person) to the person identification data' and required that Member States take liability for this link being established. As initially drafted, the Regulation set a single threshold, which had to be met by national eID schemes in order for them to be notified. Services accepting eID domestically in an EU member state would then also have had to accept all such notified eIDs. Under that initial draft text, the threshold to be met was simply that the person identification data had to be attributed 'unambiguously' to the relevant person. There was no definition of 'unambiguous attribution', and no chance to ensure that other aspects of identity assurance (for example the strength of the log-in process) were sufficiently robust.

"The Council text, Article 5, now sets up a system whereby the service provider only has to accept a notified eID, which meets the assurance level it requires domestically, or a higher level. An undefined concept of unambiguous attribution is no longer included in the draft text. As explained above, assurance levels will be set out in an implementing act to enable comparison of domestic levels. This is now in line with the UK's approach to identity assurance, which means that service providers can require end users to establish their identity to a level appropriate to that service's requirements. It is also better aligned to wider international thinking, including the approach taken by the International Standards Organisation.

"CONSIDERATIONS RELATING TO TRUST SERVICES

"Given the lack of clarity in the original proposal, a significant amount of work has been done to ensure that the final text has been amended and expanded in order to provide the level of detail needed to understand how it will work in practice. Some of the more significant amendments to the Regulation that have been negotiated in respect of trust services are set out below for information although this is not an exhaustive list:

·  "Article 2 — Scope — has been amended to make it clear that the requirements set out in this Regulation do not apply to private networks.

·  "Article 9 — Liability — has been amended and clarified to allow for a 'reverse burden of proof' in respect of matters of liability and trust service providers below the level of 'qualified'. This article now also allows for the national rules on liability to apply.

·  "Article 11 — Data processing and protection — has been deleted given that this is covered by specific data protection legislation. The new Article 4a on this subject now refers specifically to Directive 95/46/EC.

·  "Article 13 — Supervisory body — this has been considerably amended and expanded in order to define more precisely the supervisory body's roles and responsibilities.

·  "Article 16 — Supervision of qualified trust service providers — has been amended to ensure that qualified trust service providers are only audited every two years instead of annually as originally proposed. This will reduce the potential costs to businesses of providing a service.

·  "Section 6 — Electronic Documents — this section has been deleted. The UK has always maintained that electronic documents are not a trust service so we are pleased that this has been taken on board.

·  "Article 37 — website authentication certificates — this has been amended so that it is clear that this is a voluntary service and not a legal requirement.

"OTHER CONSIDERATIONS

"Financial implications

"Electronic identification — pending a clearer picture on technical interoperability, it is difficult to estimate the costs related to implementation. However, as the Regulation is now in line with the approach the UK is taking to identity assurance domestically, we are now much better placed to build compliance with the Regulation into the domestic identity solution we are developing, rather than having to establish costly, parallel systems.

"Trust Services — although Member States will still be required to establish a 'supervisory body', the principle of only taking a light-touch supervisory role in respect of trust services below the level of 'qualified' (the highest level) has now been accepted. I believe that the UK should be able to adapt its existing supervisory arrangements in respect of electronic signatures at minimal additional cost in order to meet the new supervisory requirements set out in this Regulation.

"Impact Assessment

"As you may recall, the lack of detail in the original proposal has meant that it has not been possible to carry out an impact assessment. In my update of 3rd December 2013, I included an impact assessment checklist, and I can confirm that my officials will carry out a full impact assessment now that the final text is all but agreed. I will let you know the outcome of that assessment once it has been done."

TIMETABLE

11.20  The Minister says that this dossier was agreed at COREPER on 28 February; will go to the European Parliament Plenary session in April; and then to a ministerial Council for agreement. He also notes that, subject to the implementing acts being drafted and agreed, he expects that "the various elements will be staggered and thus come into practical effect during 2015-18".

11.21  As well as the Tables at Annex A and B, the Minister also attaches a copy of the draft text of the proposal agreed at COREPER — noting, however, that, as it carries a limité marking, in accordance with the arrangements agreed between the Government and the Committee for sharing EU documents carrying such a marking it cannot be published, nor reported on in any way that would bring detail contained in the document into the public domain.

11.22  The Minister concludes thus:

"Based on the above and in light of the significant work that has been done since the proposal was first published in 2012, I am convinced that the final outcome of these negotiations meets the strategic objectives of the UK in delivering a key element of the (Digital) Single Market. I trust, therefore, that this letter provides you with the additional information you require in order to be able to lift the scrutiny reserve. Please do not hesitate to contact me if you have any further questions."

Conclusion

11.23  We are again grateful to the Minister for this very comprehensive and persuasive analysis. Even though we cannot refer directly to the draft Council Regulation itself (which has still to be finalised by the jurist-linguists; hence the caveat), we are satisfied on the basis of the very detailed information in the Minister's letter of 12 March and the two Annexes that the outcome is satisfactory, both legally and politically.

11.24  We therefore now clear the Council Regulation.

11.25  We also draw this chapter of our Report to the attention of the Business, Innovation and Skills Committee.

Annex A: Table of delegated acts and negotiation outcomes
Article 8
Description of proposed power: Paragraph 1 requires Member States to co-operate in order to ensure the interoperability of electronic identification means (i.e. a material or immaterial unit containing electronic identification data used to access services online) falling under a notified scheme.
Paragraph 3 empowers the Commission to adopt delegated acts to facilitate cross-border interoperability of electronic identification means by setting minimum technical requirements.
Outcome of negotiations: Deleted although now covered by implementing acts — see paras 5-8 above for more detail.

Article 13
Description of proposed power: Paragraph 2 entrusts supervisory bodies with the tasks of monitoring trust service providers; undertaking supervision of qualified trust service providers; and ensuring that relevant information and data is kept by qualified trust service providers.
Paragraph 5 empowers the Commission to adopt delegated acts concerning the definition of procedures applicable to the tasks referred to in paragraph 2.
Outcome of negotiations: Deleted.

Article 15
Description of proposed power: Paragraph 1 requires trust service providers to take appropriate technical and organisational measures to manage security risks.
Paragraph 5 empowers the Commission to adopt delegated acts concerning the further specification of the measures referred to in paragraph 1.
Outcome of negotiations: Deleted.

Article 16
Description of proposed power: Paragraph 1 states that qualified trust service providers must be audited by a recognised independent body.
Paragraph 5 empowers the Commission to adopt delegated acts concerning the specification of the conditions under which the independent body carrying out the audit referred to in paragraph 1 shall be recognised.
Outcome of negotiations: Deleted.

Article 18
Description of proposed power: Paragraph 5 requires Member States to establish, maintain and publish trusted lists with information relating to qualified trust service providers.
Paragraph 5 empowers the Commission to adopt delegated acts concerning the definition of the information referred to in paragraph 1.
Outcome of negotiations: Deleted.

Article 20
Description of proposed power: Paragraph 4 states that where an electronic signature with a security assurance level below qualified electronic signature is required for access to a service online, all electronic signatures matching at least the same security assurance level shall be recognised and accepted.
Paragraph 6 empowers the Commission to adopt delegated acts concerning the definition of the different security levels of electronic signature referred to in paragraph 4.
Outcome of negotiations: Deleted.

Article 21
Description of proposed power: Paragraph 4 empowers the Commission to adopt delegated acts concerning the further specification of the requirements applicable to qualified certificates for electronic signatures set out in Annex 1 of the Proposal.
Outcome of negotiations: Deleted.

Article 23
Description of proposed power: Paragraph 1 states that qualified electronic signature creation devices may be certified by appropriate public or private bodies designated by Member States provided they have been submitted to a security evaluation process.
Paragraph 3 empowers the Commission to adopt delegated acts concerning the establishment of specific criteria to be met by the designated bodies referred to in paragraph 1.
Outcome of negotiations: No change.
The UK is satisfied that the power does not relate to an essential element of the basic act and that it is suitable to be framed as a delegated act rather than an implementing act.

Article 25
Description of proposed power: Paragraph 1 sets out the requirements for a qualified electronic signature to be considered as valid.
Paragraph 2 empowers the Commission to adopt delegated acts concerning the further specification of the requirements in paragraph 1.
Outcome of negotiations: Deleted.

Article 27
Description of proposed power: Paragraph 1 states that a qualified electronic signature preservation service must be provided by a qualified trust service provider who uses procedures and technologies capable of extending the trustworthiness of the qualified electronic signature validation data beyond the technological validity period.
Paragraph 2 empowers the Commission to adopt delegated acts concerning the further specification of the requirements in paragraph 1.
Outcome of negotiations: Deleted.

Article 28
Description of proposed power: Paragraph 4 states that where an electronic seal security assurance level below the qualified electronic seal is required to access a service online, all electronic seals matching at a minimum the same security assurance level shall be accepted.
Paragraph 6 empowers the Commission to adopt delegated acts concerning the definition of different security assurance levels of electronic seals referred to in paragraph 4.
Outcome of negotiations: Deleted.

Article 29
Description of proposed power: Paragraph 4 empowers the Commission to adopt delegated acts concerning the further specification of the requirements applicable to qualified certificates for electronic seals, set out in Annex 3 of the Proposal.
Outcome of negotiations: No change.
The UK is satisfied that the power does not relate to an essential element of the basic act and that it is suitable to be framed as a delegated act rather than an implementing act.

Article 30
Description of proposed power: Paragraph 2 applies Article 23, and therefore the delegated power at 23(3), mutatis mutandis to requirements for qualified electronic seal creation devices.
Outcome of negotiations: No change.
The UK is satisfied that the power does not relate to an essential element of the basic act and that it is suitable to be framed as a delegated act rather than an implementing act.

Article 31
Description of proposed power: Applies articles 25 and 27, and therefore the delegated powers at 25(2) and 27(2) mutatis mutandis to the validation and preservation of qualified electronic seals.
Outcome of negotiations: Both powers deleted

Article 35
Description of proposed power: Paragraph 3 empowers the Commission to adopt delegated acts concerning the specification of mechanisms for sending or receiving data using electronic delivery services, which shall be used with a view to fostering interoperability between electronic delivery services.
Outcome of negotiations: Deleted.

Article 37
Description of proposed power: Paragraph 3 empowers the Commission to adopt delegated acts concerning the further specification of the requirements applicable to qualified certificates for website authentication, set out in Annex 4 to the Proposal.
Outcome of negotiations: Deleted.

Annex B: Table of implementing acts and negotiation outcomes
Article Description of proposed power Outcome of negotiations
13Paragraph 3 requires supervisory bodies to produce a report on the last calendar year's supervisory activities by the end of the first quarter of the following year.

Paragraph 6 enables the Commission to use implementing acts to define the circumstances, formats and procedures for the report referred to in paragraph 3.

Reference to "circumstances" deleted, which reduces the scope for their use considerably.
14This article allows for the Supervisory Bodies established by each Member State to provide Mutual Assistance.

Paragraph 4 enables the Commission to use implementing acts to specify the formats and procedures for the mutual assistance provided for in this article.

Deleted — the Commission is now unable to specify how Member States provide mutual assistance
15Paragraph 1-3 requires trust service providers to take appropriate technical and organisational measures to manage security risks; to notify the supervisory body and national information body for information security and other relevant 3rd parties of any security breach or loss of integrity and to provide ENISA and the Commission with an annual summary of breach notifications from trust service providers.

Paragraph 6 enables the Commission to use implementing acts to define the circumstances, formats and procedures, including deadlines in relation to the requirements set out in paragraphs 1-3.

Reference to "circumstances" deleted, which reduces the scope for their use considerably.
16   Paragraph 1 states that qualified trust service providers must be audited by a recognised independent body.

Paragraph 2 states that the supervisory body may, at any time, audit the trust service providers to confirm that they and their services meet the requirements of this Regulation.

Paragraph 4 states that if the qualified trust service provider does not remedy any failure identified within a set time limit set by the supervisory body, it shall lose its qualified status.

Paragraph 6 enables the Commission to use implementing acts to define the circumstances, procedures and formats applicable to the requirements set out in paragraphs 1, 2 and 4.

Reference to "circumstances, procedures and formats" deleted; replaced by "establish reference number of the following standards:.." i) relating to accreditation of conformity assessment bodies and ii) auditing rules under which conformity assessment bodies will carry out their assessment. This wording is more precise and reduces the scope for using implementing acts considerably.
17   Paragraph 1 requires qualified trust service providers to notify the supervisory body of their intention to provide a qualified trust service and submit a security audit report.

Paragraph 2 states that, once the documents referred to in paragraph 1 have been submitted, qualified trust service providers shall be included in the trusted lists referred to in Article 18.

Paragraph 3 states that the supervisory body shall verify the compliance of the qualified trust service provider and the qualified services they provide with the requirements of the Regulation.

Paragraph 5 enables the Commission to use implementing acts to define the circumstances, formats and procedures applicable to the requirements set out in paragraphs 1, 2 and 3.

Reference to "circumstances" deleted, which reduces the scope for their use considerably.
18   Paragraphs 1-4 require Member States to establish, maintain and publish trusted lists with information relating to qualified trust service providers; notify the Commission of information on the body responsible; and for the Commission to make this information available to the public through a secure channel.

Paragraph 6 enables the Commission to use implementing acts to define the technical specifications and formats for the trusted lists referred to in paragraphs 1-4.

Replaced "may" by "shall…specify the information referred to in paragraph 1". This provides greater certainty around what technical specifications and formats will be required.
19   Article 19 specifies the requirements for qualified service providers.

Paragraph 5 enables the Commission by means of implementing acts to establish reference numbers of standards for trustworthy systems and products.

Now refers to standards which "comply with the requirements under paragraph 2(d) and (e)", which is more precise.
20   Article 20 deals with the legal effects and acceptance of electronic signatures.

Paragraph 7 enables the Commission to use implementing acts to establish reference numbers of standards for the security levels of electronic signatures.

Deleted.

New Article 20a allows the Commission to use implementing acts to establish reference numbers of standards for advanced electronic signatures.

21   Article 21 deals with the requirements for qualified certificates for electronic signatures.

Paragraph 5 enables the Commission to use implementing acts to establish reference numbers of standards for qualified certificates for electronic signatures.

Requirement for the Commission to publish implementing acts in the Official Journal deleted.
22   Article 22 deals with the requirements for qualified electronic signature creation devices.

Paragraph 2 enables the Commission to use implementing acts to establish reference numbers of standards for qualified electronic signature creation devices.

Requirement for the Commission to publish implementing acts in the Official Journal deleted.
24   Paragraph 1 requires Member States to notify the Commission of information on qualified electronic signature creation devices referred to in Articles 23.

Paragraph 3 enables the Commission to use implementing acts to define the circumstances, formats and procedures applicable to paragraph 1.

Reference to "circumstances" deleted, which reduces the scope for their use considerably.
25   Article 25 deals with the requirements for the validation of qualified electronic signatures.

Paragraph 3 enables the Commission to use implementing acts to establish reference numbers of standards for the validation of qualified electronic signatures.

Requirement for the Commission to publish implementing acts in the Official Journal deleted.
26   Article 26 deals with qualified validation service for qualified electronic signatures. Paragraph 1 sets out the requirements for a qualified trust service provider who provides a qualified validation service for qualified electronic signatures.

Paragraph 2 enables the Commission to use implementing acts to establish reference numbers of standards for the qualified validation service referred to in paragraph 1.

Requirement for the Commission to publish implementing acts in the Official Journal deleted.
27   Paragraph 1 states that a qualified electronic signature preservation service must be provided by a qualified trust service provider who uses procedures and technologies capable of extending the trustworthiness of the qualified electronic signature validation data beyond the technological validity period.

Paragraph 3 enables the Commission to use implementing acts to establish reference numbers of standards for the preservation of qualified electronic signatures referred to in paragraph 1.

Requirement for the Commission to publish implementing acts in the Official Journal deleted.
28   Article 28 deals with the legal effects of electronic seals.

Paragraph 7 enables the Commission to use implementing acts to establish reference numbers of standards for the security assurance levels of electronic seals.

Deleted.

Paragraph 5 of new Article 28a allows the Commission to use implementing acts to define reference formats of advanced electronic seals or reference methods where alternative formats are used.

29   Article 29 deals with the requirements for qualified certificates for electronic seals.

Paragraph 5 enables the Commission to use implementing acts to establish reference numbers of standards for qualified certificates for electronic seals.

Requirement for the Commission to publish implementing acts in the Official Journal deleted.
30   Paragraphs 1 and 3 apply Articles 22 and 24, and therefore the implementing power at 22(2) and 24(3), mutatis mutandis to requirements for qualified electronic seal creation devices.   No change
31   Applies articles 25, 26 and 27, and therefore the implementing powers at 25(3), 26(2) and 27(3) mutatis mutandis to the validation and preservation of qualified electronic seals.   No change
33   Article 33 deals with the requirements for qualified electronic time stamps.

Paragraph 2 enables the Commission to use implementing acts to establish reference numbers of standards for the accurate linkage of time to data and an accurate time source.

"Accurate linkage" has been deleted; and "binding of date and time to data" inserted, which is more precise and technically meaningful.

Requirement for the Commission to publish implementing acts in the Official Journal deleted.

34   Article 34 deals with the legal effects and acceptance of electronic documents.

Paragraph 4 enables the Commission to use implementing acts to define the formats of electronic signatures and seals that shall be accepted when a qualified electronic document is requested by a Member State.

Deleted
36   Article 36 deals with the requirements for qualified electronic delivery services.

Paragraph 2 enables the Commission to use implementing acts to establish reference numbers of standards for processes for sending and receiving data.

Requirement for the Commission to publish implementing acts in the Official Journal deleted.
37   Article 37 deals with requirements for qualified certificates for website authentication.

Paragraph 4 enables the Commission to use implementing acts to establish reference numbers of standards for qualified certificates for website authentication.

Requirement for the Commission to publish implementing acts in the Official Journal deleted.




23   See http://europa.eu/legislation_summaries/information_society/other_policies/l24118_en.htm for full information about the 1999 Directive.

24   For full information, see (27369) 7560/06: HC 34-xxviii (2005-06), chapter 14 (10 May 2006).

25   For full information, see (30246) 16836/08: HC 19-xi (2008-09), chapter 10 (18 March 2009).

26   See headnote: HC 86-xi (2012-13), chapter 5 (5 September 2012).

27   See headnote: HC 86-xi (2012-13), chapter 5 (5 September 2012).

28   COREPER, from French Comité des représentants permanents, is the Committee of Permanent Representatives in the European Union, made up of the head or deputy head of mission from the EU member states in Brussels. Its job is to prepare the agenda for the ministerial Council meetings; it may also take some procedural decisions. It oversees and coordinates the work of some 250 committees and working parties made up of civil servants from the member states who work on issues at the technical level to be discussed later by COREPER and the Council. It is chaired by the Presidency of the Council of the European Union. There are in fact two committees: COREPER I consists of deputy heads of mission and deals largely with social and economic issues; COREPER II consists of heads of mission (Ambassador Extraordinary and Plenipotentiary) and deals largely with political, financial and foreign policy issues.

29   See headnote: HC 83-xxxiii (2013-14), chapter 2 (12 February 2014).

30   See headnote: HC 83-xxxiii (2013-14), chapter 2.

31   Reproduced at Annex A to this chapter of our Report.

32   Reproduced at Annex B to this chapter of our Report.


 


© Parliamentary copyright 2014
Prepared 28 March 2014