ORDER OF
DIRECTOR OF THE
COMMUNICATIONS REGULATORY AUTHORITY OF THE
REPUBLIC OF LITHUANIA
ON THE APPROVAL OF THE SPECIFICATION OF THE PROCEDURE FOR GRANTING STATUS OF QUALIFIED TRUST SERVICE PROVIDERS AND QUALIFIED TRUST SERVICES AND INCORPORATION THEREOF IN THE NATIONAL TRUSTED LIST AND PROVISION OF ACTIVITY REPORTS OF QUALIFIED TRUST SERVICE PROVIDERS
21 June 2018 No 1V-588
Vilnius
Pursuant to Article 4(2)(1), (2)(2), (2)(5) and (2)(6), Article 10(3), 10(4)(1) and 10(7), Article 16, Article 17(1) and (2) of the Law on Electronic Identification and Trust Services for Electronic Transactions of the Republic of Lithuania, paragraph 1 of Resolution No 144 of the Government of the Republic of Lithuania of 18 February 2016 “On the Designation of the Supervisory Body for Trust Services and the Body Responsible for the Establishment, Maintenance and Publication of the National Trusted List”, Article 17(4)(b), (e), (g) and (j), Article 20(1), (2) and (3), Article 21(1) and (2) and Article 24(2)(a) of Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ 2014 L 257, p. 73), taking into account the Guidelines on Initiation of Qualified Trust Services, Guidelines on Supervision of Qualified Trust Services and Guidelines on Termination of Qualified Trust Services of the European Network and Information Security Agency (ENISA) of 19 December 2017:
1. I hereby approve the specification of the procedure for granting status of qualified trust service providers and qualified trust services and incorporation thereof in the national trusted list and provision of activity reports of qualified trust service providers (hereinafter – the Specification) (enclosed).
2. I instruct that:
2.1. the procedures governed in the Specification commenced and not completed by the date of entry into force of this Order shall be continued and completed under the provisions of the Specification;
2.2. qualified trust service providers shall, within 3 months of the date of entry into force of this Order, update the plans for termination of the activity of the provision of qualified trust services under the requirements referred to in Annex 3 to the Specification and shall submit them to the Communications Regulatory Authority of the Republic of Lithuania.
3. I hereby instruct to publish this Order in the Register of Legal Acts.
Deputy Director,
Acting Director Mindaugas Žilinskas
APPROVED BY
Order No 1V-588 of Director of the Communications Regulatory Authority of the Republic of Lithuania of 21 June 2018
SPECIFICATION OF THE PROCEDURE FOR GRANTING STATUS OF QUALIFIED TRUST SERVICE PROVIDERS AND QUALIFIED TRUST SERVICES AND INCORPORATION THEREOF IN THE NATIONAL TRUSTED LIST AND PROVISION OF ACTIVITY REPORTS OF QUALIFIED TRUST SERVICE PROVIDERS
CHAPTER I
GENERAL PROVISIONS
1. The specification of the procedure for granting status of qualified trust service providers and qualified trust services and incorporation thereof in the national trusted list and provision of activity reports of qualified trust service providers (hereinafter – the Specification) shall establish the procedure for granting and withdrawing status of qualified trust service providers (hereinafter – the qualified providers) and qualified trust services (hereinafter – the qualified services), incorporation of qualified providers and qualified services in the national trusted list and removal thereof from the list, provision and examination of conformity assessment reports under Article 20(1) of Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ 2014 L 257, p. 73) (hereinafter – Regulation (EU) No 910/2014) and of information on the changes in the provision of qualified services, submission of qualified providers’ activity reports to the Communications Regulatory Authority of the Republic of Lithuania (hereinafter – the Authority).
2. The definitions used for the purpose of the Specification are defined in the Law on Electronic Identification and Trust Services for Electronic Transactions of the Republic of Lithuania (hereinafter – the Law) and Regulation (EU) No 910/2014.
3. All the documents to be submitted to the Authority according to the procedure set by the Specification shall comply with the requirements laid down in the Rules for the Submission of Documents to the Communications Regulatory Authority of the Republic of Lithuania approved by Order No 1V-292 of Director of the Authority of 16 September 2004 “On the Approval of the Rules for the Submission of Documents to the Communications Regulatory Authority of the Republic of Lithuania” and they shall be submitted by means provided in the Rules referred to herein.
CHAPTER II
GRANTING STATUS OF QUALIFIED PROVIDERS AND QUALIFIED SERVICES
4. A trust service provider (hereinafter – the service provider) intending to provide qualified services shall provide the Authority with the following:
4.1. notification of intended qualified services (hereinafter – the notification) of a form established in Annex 1 to the Specification enclosing the following:
4.1.1. documents certifying the service provider’s compliance with the requirement established in Article 16 of the Law;
4.1.2. the service provider’s operating documents under which the qualified services will be provided (the service provider’s practice statement, terms and conditions of intended qualified services, procedure for customer service, dispute settlement, etc.), except for the documents that are submitted together with the conformity assessment report;
4.1.3. electronic storage medium and/or file with the service provider’s electronic signature and/or electronic seal certificates intended for the provision of qualified services;
4.1.4. where it is intended to provide the services of creation of qualified electronic signature certificates, qualified certificates for electronic seal and/or qualified certificates for website authentication (hereinafter jointly – the qualified certificates) – information on which data will be specified in the intended qualified certificates (profiles of intended qualified certificates) and electronic storage medium and/or file with the samples of intended qualified certificates;
4.1.5. where it is intended to provide the services of creation of qualified certificates for electronic signature and/or qualified certificates for electronic seal – information on qualified electronic signature and/or electronic seal creation devices which will be used to create qualified electronic signature and/or qualified electronic seal;
4.1.6. where it is intended to provide the services of creating qualified electronic time stamps – information on which data will be specified in the intended qualified electronic time stamps (profiles of intended qualified electronic time stamps) and electronic storage medium and/or file with the samples of intended qualified electronic time stamps;
4.2. the conformity assessment report compliant with the requirements laid down in Annex 2 to the Specification;
4.3. documents certifying that the service provider has been insured against civil liability in accordance with the requirements laid down in Article 10(2) of the Law.
5. The Authority shall, no later than within 5 working days from the date of receipt of the notification, do one of the following:
5.1. accept the notification for examination and notify in writing the service provider which submitted the notification thereof (hereinafter – the applicant);
5.2. having determined that the submitted documents and/or information referred to in paragraph 4 of the Specification are incomplete, inaccurate and/or non-compliant with the requirements set forth in the Specification, shall notify in writing the applicant of the detected irregularities and shall request to submit the missing and/or clarified documents and/or information within a time limit set by the Authority which is of at least 5 working days.
6. Where the applicant fails to eliminate the irregularities found within the time limit set by the Authority under paragraph 5.2 of the Specification, the Authority shall make a grounded decision to refuse to examine the notification and shall notify the applicant thereof no later than within 3 working days of the date of the decision.
7. Having accepted the notification for examination, the Authority shall, no later than within 3 months of the date of receiving the notification, assess the compliance of the service provider and/or intended qualified services with the requirements of Regulation (EU) No 910/2014. The period referred to herein may be extended by a grounded decision of the Authority that the applicant shall be notified of no later than within 3 working days of the date of the decision.
8. When assessing the compliance of the service provider and/or intended qualified services with the requirements of Regulation (EU) No 910/2014, the Authority shall have the right to request the submission of additional documents and/or information necessary to assess the compliance of the service provider and/or intended qualified services with the requirements of Regulation (EU) No 910/2014 within a time limit set by the Authority which is of at least 5 working days.
9. The Authority shall, having carried out the assessment referred to in paragraph 7 of the Specification, make one of the following decisions:
9.1. having determined that the applicant and/or intended qualified services comply with the requirements of Regulation (EU) No 910/2014, shall make a decision to grant qualified status to a service provider referred to in the notification and/or intended qualified services;
9.2. having determined that the applicant and/or intended qualified services do not comply with the requirements of Regulation (EU) No 910/2014, shall make a grounded decision on refusal to grant qualified status to a service provider referred to in the notification and/or intended qualified services; the Authority shall notify the applicant of the decision made as referred to herein no later than within 3 working days of the date of the decision.
10. The Authority shall immediately, but no later than on the next working day of the date of the decision referred to in paragraph 9.1 of the Specification, include the qualified provider and/or intended qualified services that were granted qualified status in the national trusted list and shall notify in writing the applicant thereof no later than within 3 working days of the date of the decision referred to in paragraph 9.1 of the Specification.
CHAPTER III
SUBMISSION AND EXAMINATION OF CONFORMITY ASSESSMENT REPORTS UNDER ARTICLE 20(1) OF REGULATION (EU) NO 910/2014
11. The qualified provider shall submit to the Authority the conformity assessment report referred to in Article 20(1) of Regulation (EU) No 910/2014, which shall mutatis mutandis conform to the requirements laid down in Annex 2 to the Specification, within the period established in Article 20(1) of Regulation (EU) No 910/2014.
12. Where the qualified provider fails to submit the conformity assessment report referred to in Article 20(1) of Regulation (EU) No 910/2014 within the period set in Article 20(1) of Regulation (EU) No 910/2014, the Authority shall, no later than within 5 working days of the deadline for submission of the conformity assessment report referred to in Article 20(1) of Regulation (EU) No 910/2014, notify the qualified provider of a failure to submit the conformity assessment report and shall request to submit to the Authority the conformity assessment report referred to in Article 20(1) of Regulation (EU) No 910/2014 within the period set by the Authority which is of at least 5 working days which shall mutatis mutandis conform to the requirements laid down in Annex 2 to the Specification. In the paragraph referred to herein, the Authority shall also notify the qualified provider of the consequences referred to in paragraph 13 of the Specification.
13. Where the qualified provider fails to submit the conformity assessment report referred to in Article 20(1) of Regulation (EU) No 910/2014 within a time limit set by the Authority under paragraph 12 of the Specification, the Authority shall make a grounded decision to withdraw qualified status of the qualified provider and/or qualified services it provides. The Authority shall immediately, but no later than on the next working day of the date of the decision, notify the service provider of the decision referred to herein.
14. The Authority shall, no later than within 5 days of the date of receipt of the conformity assessment report referred to in Article 20(1) of Regulation (EU) No 910/2014, do one of the following:
14.2. having determined that the conformity assessment report fails to comply with the mutatis mutandis applicable requirements established in Annex 2 of the Specification, shall notify in writing the qualified provider thereof and request to eliminate the irregularities within the time limit set by the Authority which is of at least 5 working days.
15. Where the qualified provider fails to eliminate the irregularities found within the time limit set under paragraph 14.2 of the Specification, the Authority shall make a grounded decision to withdraw qualified status of the qualified provider and/or qualified services it provides. The Authority shall immediately, but no later than on the next working day of the date of the decision, notify the service provider of the decision referred to herein.
16. The Authority shall, no later than within 3 months of receiving the conformity assessment report referred to in Article 20(1) of Regulation (EU) No 910/2014 which mutatis mutandis conforms to the requirements laid down in Annex 2 to the Specification, assess the compliance of the qualified provider and/or of the qualified services it provides with the requirements of Regulation (EU) No 910/2014 and do one of the actions referred to in paragraph 18 of the Specification. The period referred to herein may be extended by a grounded decision of the Authority that the applicant shall be notified of no later than within 3 working days of the date of the decision.
17. When assessing the compliance of the qualified provider and/or qualified services it provides with the requirements of Regulation (EU) No 910/2014, the Authority shall have the right to request the submission of additional documents and/or information necessary to assess the compliance of the qualified provider and/or qualified services it provides with the requirements of Regulation (EU) No 910/2014 within the time limit set by the Authority which is of at least 5 working days.
18. The Authority shall, having carried out the assessment referred to in paragraph 16 of the Specification, do one of the following:
18.1. having determined that the qualified provider and/or qualified services it provides comply with the requirements of Regulation (EU) No 910/2014, notify in writing the qualified provider thereof;
18.2. having determined that the qualified provider and/or qualified services it provides do not comply with the requirements of Regulation (EU) No 910/2014, taking account of the extent of identified nonconformities and existing or potential consequences:
18.2.2. make a grounded decision to withdraw qualified status of the qualified provider and/or qualified services it provides that do not comply with the requirements of Regulation (EU) No 910/2014; the Authority shall notify the service provider of the decision made as referred to herein no later than on the next working day of the date of the decision.
19. Having received information on rectified inconsistencies with the requirements of Regulation (EU) No 910/2014 under paragraph 18.2.1 of the Specification, the Authority shall, no later than within 20 working days, assess the received information and do one of the following:
19.1. having determined that nonconformities to the requirements of Regulation (EU) No 910/2014 have been rectified, notify in writing the qualified provider thereof;
20. Where the Authority does not receive information on rectification of inconsistencies with the requirements of Regulation (EU) No 910/2014 under paragraph 18.2.1 of the Specification, it shall be considered that the qualified provider failed to rectify inconsistencies with the requirements of Regulation (EU) No 910/2014. In the case referred to herein, the Authority shall make the decision referred to in paragraph 18.2.2 of the Specification and notify the service provider thereof within a period set in paragraph 18.2.2 of the Specification.
21. On the date of entry into force of the decisions referred to in paragraphs 13, 15, subparagraphs 18.2.2, 19.2 and paragraph 20 of the Specification, the Authority shall remove the qualified provider and/or the qualified services it provides, whose qualified status was withdrawn, from the national trusted list and shall immediately notify in writing the service provider thereof, but no later than on the next working day of the date of entry into force of the decision.
CHAPTER IV
EXAMINATION OF NOTIFICATIONS OF CHANGES IN THE PROVISION OF QUALIFIED SERVICES
22. The qualified provider shall immediately, but no later than within 3 working days of the date of the changes, submit to the Authority the information on any changes in the provision of qualified services as referred to in Article 24(2)(a) of Regulation (EU) No 910/2014.
23. The Authority shall, having received information on the changes made in the provision of qualified services from the qualified provider as referred to in Article 24(2)(a) of Regulation (EU) No 910/2014, no later than within 20 working days assess the information and do one of the actions referred to in paragraph 25 of the Specification. The period referred to herein may be extended by a grounded decision of the Authority that the applicant shall be notified of no later than within 3 working days of the date of the decision.
24. When assessing the received information on the changes made in the provision of qualified services, the Authority shall have the right to request the submission of additional documents and/or information necessary to assess the changes made in the provision of qualified services within a time limit set by the Authority which is of at least 5 working days.
25. The Authority shall, having carried out the assessment referred to in paragraph 23 of the Specification, do one of the following:
25.1. having determined that the changes in the provision of qualified services are in line with the requirements of Regulation (EU) No 910/2014, no actions referred to in Article 20(2) of Regulation (EU) No 910/2014 appear to be necessary and the changes made in the provision of qualified services do not lead to the fact that the provided qualified service is to be considered a new trust service subject to newly granted qualified status under Article 21 of Regulation (EU) No 910/2014, shall notify the qualified provider thereof and, if necessary, update the information in the national trusted list;
25.2. do one of the actions referred to in Article 20(2) of Regulation (EU) No 910/2014:
25.2.2. make a grounded request for the qualified provider to assess the conformity of provided qualified services, where the Authority has been notified of the changes made in the provision whereof, to the requirements of Regulation (EU) No 910/2014 at its own expense within a time limit set by the Authority which is of at least 30 working days and to submit to the Authority the conformity assessment report which shall mutatis mutandis conform to the requirements laid down in Annex 2 to the Specification;
25.3. having determined that changes made in the provision of qualified services lead to the fact that the qualified provider and/or qualified services it provides do not comply with the requirements of Regulation (EU) No 910/2014, taking account of the extent of identified nonconformities and existing or potential consequences:
25.3.2. make a grounded decision to withdraw qualified status of the qualified provider and/or changed qualified services it provides that do not comply with the requirements of Regulation (EU) No 910/2014; the Authority shall notify the service provider of the decision made as referred to herein no later than on the next working day of the date of the decision.
25.4. having determined that the changes in the provision of qualified services made by the service provider led to the fact that the provided qualified service has become a new trust service which is subject to newly granted qualified status under Article 21 of Regulation (EU) No 910/2014, make a grounded decision to withdraw qualified status of the qualified service provider and of qualified service it provides as referred to herein; the Authority shall immediately, but no later than on the next working day of the date of the decision, notify the service provider of the decision referred to herein and of the right to address the Authority with regard to granting qualified status of the service provider and/or trust service provided by it under Article 21 of Regulation (EU) No 910/2014.
26. Having received information on rectified inconsistencies with the requirements of Regulation (EU) No 910/2014 under paragraph 25.3.1 of the Specification, the Authority shall, no later than within 10 working days, assess the received information and do one of the following:
26.1. having determined that nonconformities to the requirements of Regulation (EU) No 910/2014 have been rectified, notify in writing the qualified provider thereof and, if necessary, update the information in the national trusted list;
27. Where the Authority does not receive information on rectification of inconsistencies with the requirements of Regulation (EU) No 910/2014 under paragraph 25.3.1 of the Specification, it shall be considered that the qualified provider failed to rectify inconsistencies with the requirements of Regulation (EU) No 910/2014. In the case referred to herein, the Authority shall make the decision referred to in paragraph 25.3.2 of the Specification and notify the service provider thereof within a period set in paragraph 25.3.2 of the Specification.
28. Where the qualified provider fails to submit the conformity assessment report within the time limit set under paragraph 25.2 of the Specification, the Authority shall make a grounded decision to withdraw qualified status of the qualified provider and/or qualified services it provides. The Authority shall immediately, but no later than on the next working day of the date of the decision, notify the service provider of the decision referred to herein.
29. Where the Authority carries out the audit of the qualified provider referred to in paragraph 25.2.1 of the Specification, paragraph 24, subparagraphs 25.1, 25.3, 25.4 and paragraphs 26, 27 shall apply mutatis mutandis. Where the Authority receives the conformity assessment report referred to in paragraph 25.2.2 of the Specification, paragraphs 14, 15, 23, 24, subparagraphs 25.1, 25.3, 25.4 and paragraphs 26, 27 shall apply mutatis mutandis.
30. On the date of entry into force of the decisions referred to in subparagraphs 25.3.2, 25.4, 26.2 and paragraph 27 of the Specification, the Authority shall remove the qualified provider and/or the qualified services it provides, whose qualified status was withdrawn, from the national trusted list and shall immediately notify, in writing, the service provider thereof, but no later than on the next working day of the date of entry into force of the decision.
CHAPTER V
SUBMISSION OF ACTIVITY REPORTS OF QUALIFIED PROVIDERS
31. The qualified provider shall submit to the Authority the activity report of the previous calendar year by 1 February of every year which shall contain the following information:
31.1. issuing qualified certificates:
31.1.1. the number of all qualified certificates it issued that were valid on 31 December of the previous calendar year and separate numbers of qualified certificates for electronic signature, qualified certificates for electronic seal and qualified certificates for website authentication;
31.1.2. the number of all qualified certificates for electronic signature and/or electronic seal it issued that were valid on 31 December of the previous calendar year that were issued together with the qualified electronic signature and/or electronic seal creation devices and separate numbers of qualified certificates for electronic signature and/or electronic seal;
31.1.3. the number of qualified certificates for electronic signature it issued that were valid on 31 December of the previous calendar year that were stored on SIM (subscriber identity module) cards;
31.2. creating qualified electronic time stamps – the total number of qualified electronic time stamps created in the previous calendar year;
31.3. providing qualified electronic registered delivery services – the total number of documents delivered in the previous calendar year;
31.4. providing a qualified validation service for qualified electronic signatures and/or qualified electronic seals – the total number of qualified electronic signatures and/or qualified electronic seals verified in the previous calendar year;
CHAPTER VI
FINAL PROVISIONS
32. The qualified providers, having violated the requirements of the Specification, shall be liable in compliance with the procedure laid down in the Code of Administrative Offences of the Republic of Lithuania.
33. Decisions passed by the Authority may be appealed against according to the procedure and terms and conditions prescribed by the Law on Administrative Proceedings of the Republic of Lithuania.
_____________________
Specification of the procedure for granting status of qualified trust service providers and qualified trust services and incorporation thereof in the national trusted list and provision of activity reports of qualified service providers
Annex 1
(Form of a notification of intended qualified trust services)
________________________________________________________________________________
(legal person’s legal form, name, code, registered address or natural person’s name, surname, personal code, residence address)
___________________________________________________________________________
(telephone number, fax, email address, website address (if available))
To: Communications Regulatory Authority of the Republic of Lithuania
Mortos g. 14, 03219 Vilnius
tel. +370 5 210 5633, fax: +370 5 216 1564, email [email protected].
NOTIFICATION
OF INTENDED QUALIFIED TRUST SERVICES
________________ No ________
(date)
_______________
(completion location)
1. Intended qualified trust services (please tick as appropriate):
☐ creation of qualified certificates for electronic signature services
☐ creation of qualified certificates for electronic seal services
☐ creation of qualified certificates for website authentication services
☐ qualified validation services for qualified electronic signatures
☐ qualified validation services for qualified electronic seals
☐ qualified preservation services for qualified electronic signatures
☐ qualified preservation services for qualified electronic seals
☐ qualified electronic time stamp creation services
☐ qualified electronic registered delivery services
2. Title of intended qualified trust services in the Lithuanian and English languages to be included in the national trusted list:
________________________________________________________________________________
3. Links to the website where the following information in the Lithuanian and English languages is published:
- applicant’s practice statement;
- terms and conditions of the provision of intended qualified trust services;
- procedure for customer service and dispute settlement;
- information on the existing qualified trust services.
________________________________________________________________________________
4. Contact person’s (for this notification) details: name, surname, telephone No, fax, email address:
________________________________________________________________________________
5. Contact person’s (for security and integrity of the provision of qualified trust services) details: name, surname, telephone No, fax, email address:
________________________________________________________________________________
6. Service provider’s certificates for electronic signature and/or electronic seal for intended qualified trust services encoded as BASE64:
________________________________________________________________________________
7. Annexes to the notification (list of annexes and number of pages of every annex):
1. ______________________________, ___ p.
2. ______________________________, ___ p.
3. ______________________________, ___ p.
____________________________________ p.
_____________________________ ________________ _______________
(position) (signature) (name, surname)
Specification of the procedure for granting status of qualified trust service providers and qualified trust services and incorporation thereof in the national trusted list and provision of activity reports of qualified service providers
Annex 2
REQUIREMENTS FOR CONFORMITY ASSESSMENT REPORTS
1. The conformity assessment report (hereinafter – the report) shall comply with the minimum requirements referred to in this annex.
2. The conformity assessment shall be carried out and the report shall be drafted by the conformity assessment body (hereinafter – the CAB) complying with the criteria referred to in Article 3(18) of Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ 2014 L 257, p. 73) (hereinafter – Regulation (EU) No 910/2014). The report shall contain (enclose) the following information:
2.1. CAB name, registration number (if any) referred to in official sources, registered office address and email address;
2.2. name of the national bureau which accredited the CAB, registration number (if any) referred to in official sources, registered office address and email address;
2.3. copy of the valid CAB accreditation certificate and accreditation schemes under which the CAB was accredited, detailed description certifying that the CAB has been accredited under Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ 2008 L 218, p. 30) as competent to carry out assessment of conformity of qualified trust service providers and the qualified trust services they provide (hereinafter – the qualified services) to the requirements of Regulation (EU) No 910/2014.
3. The report shall contain (enclose) a certificate of conformity to the requirements of Regulation (EU) No 910/2014 issued by the CAB or another document certifying that the trust service provider (hereinafter – the service provider) and intended qualified services conform to all applicable requirements of Regulation (EU) No 910/2014, if that conformity was confirmed in the report.
4. The report shall contain (enclose) the following information:
4.2. name and surname of the CAB auditor who carried out conformity assessment and signed the report;
4.3. name, registration number, registered office address of a service provider whose conformity to the requirements of Regulation (EU) No 910/2014 has been assessed;
4.4. intended qualified services of the service provider whose conformity to the requirements of Regulation (EU) No 910/2014 has been assessed and verified by indicating certificates encoded as BASE64 used to provide such qualified services;
4.5. detailed description of every functional structure or hierarchy of an intended qualified service of a service provider by identifying it in such a way that information on this service could be included in the national trusted list under the requirements of Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 laying down technical specifications and formats relating to trusted lists pursuant to Article 22(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (OJ 2015 L 235, p. 26);
4.6. list and copies of the service provider’s operating documents under which the conformity of the service provider and intended qualified services to the requirements of Regulation (EU) No 910/2014 was assessed;
4.7. description of every completed stage of conformity assessment (for instance, document conformity assessment, implementation conformity assessment, inspections on site, etc.), period in which conformity assessment was carried out (start and end dates) and the number of working hours or working days in the course of which conformity assessment was carried out.
5. The report shall contain the detailed information certifying that the conformity of the service provider and intended qualified services to the applicable requirements of Regulation (EU) No 910/2014 was assessed:
5.1. detailed description of assessment (report) of conformity to every applicable requirement of Regulation (EU) No 910/2014 (by indicating a specific provision of Regulation (EU) No 910/2014) which shall contain the following:
5.1.1. description of how the service provider and intended qualified services comply with the applicable requirement of Regulation (EU) No 910/2014;
5.1.2. all nonconformities of the service provider and intended qualified services to the applicable requirement of Regulation (EU) No 910/2014 and potential effect of irregularities on the intended qualified services or provision thereof;
5.2. where the conformity of a service provider and intended qualified services has been additionally verified or certified under a specific standard or another public specification, that validation or certification report shall be submitted as an individual document by clearly stating the identified nonconformities to the requirements of the specific standards or other public specifications applied and the potential effect of nonconformities on the intended qualified services or the provision thereof.
6. The report shall specify all third parties which would be authorised by the service provider to carry out certain processes of the provision of the service provider’s intended qualified services or part thereof. All processes of the provision of qualified services intended by the service provider shall be assessed.
7. The report shall contain the following information:
7.2. cases and circumstances under which the CAB shall reassess the conformity of the service provider referred to in the report and/or its intended qualified services, whose conformity to the requirements of Regulation (EU) No 910/2014 has been confirmed by the report, to the requirements of Regulation (EU) No 910/2014 (except for the planned periodic audits).
8. The integrity and authenticity of the report shall be ensured. The report shall be signed with a hand-written signature of the CAB auditor that carried out conformity assessment or by a qualified electronic signature.
__________________________
Specification of the procedure for granting status of qualified trust service providers and qualified trust services and incorporation thereof in the national trusted list and provision of activity reports of qualified service providers
Annex 3
REQUIREMENTS FOR THE PLAN FOR TERMINATION OF THE PROVISION OF QUALIFIED TRUST SERVICES
1. The plan for termination of the provision of qualified trust services (hereinafter – the plan) shall comply with the minimum requirements referred to in this annex.
2. The plan shall describe the procedures and means to be taken by the qualified trust service provider (hereinafter – the qualified provider) in case it would terminate the provision of one, several and of all intended or provided qualified trust services (hereinafter jointly – the qualified services and individually – the qualified service).
3. The procedures for termination of the provision of qualified services and means provided for in the plan shall ensure that:
3.1. after termination of the provision of relevant qualified services, it will no longer be possible to create new qualified certificates for electronic signature, qualified certificates for electronic seal and/or qualified certificates for website authentication (jointly – the qualified certificates), create new qualified electronic time stamps, provide qualified validation services for qualified electronic signatures or seals, qualified preservation services for qualified electronic signatures or seals and/or qualified electronic registered delivery services on behalf of the qualified provider;
3.2. prior to termination of the provision of qualified services related to the issuance of qualified certificates, all qualified certificates issued by means of a qualified service whose provision is to be terminated, shall be revoked, except for the cases where the conditions for the transfer of obligations, referred to in the plan, related to a qualified service whose provision is to be terminated, to another qualified provider ensure that such qualified certificates and their management will further conform to the requirements of Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ 2014 L 257, p. 73) (hereinafter – Regulation (EU) No 910/2014).
4. The plan shall establish the procedures and means enabling the use of entries for a period established in the plan, including all relevant information related to the data drafted and obtained by the qualified provider, in particular, in order to provide evidence in court proceedings, assess conformity to the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) and to ensure the continuous provision of a qualified service, especially validation data of the qualified provider’s electronic signature and electronic seal (for instance, certificates for electronic signature and/or electronic seal) and other information necessary to verify integrity of derivative data of qualified services.
5. The plan shall clearly identify a period and all entries that should be made accessible during that period under paragraph 4 of the plan, forms and methods of their storage which must ensure storage of such entries in the future, as well as legibility thereof.
6. The procedures and means described in the plan shall cover voluntary termination of the provision of qualified services at the qualified provider’s initiative and compulsory termination of the provision of qualified services in the absence of the qualified provider’s initiative.
7. The plan shall describe every possible case of termination of the provision of qualified services (for example, where a qualified provider decides to terminate the provision of certain qualified services, and the obligations related to the qualified service whose provision is terminated are not transferred to another qualified provider, also, where they are transferred to another qualified provider; termination of the provision of qualified services, where the qualified provider terminates its activity (for example, it is liquidated, restructured, etc.); termination of the provision of qualified services due to bankruptcy of the qualified provider; termination of the provision of qualified services, where qualified status of the qualified provider and/or qualified services it provides is withdrawn, etc.).
8. The plan shall contain a detailed description of means and procedures to be taken in the event of termination of the provision of qualified services in order to protect qualified service providers’ interests, including the procedure for storing and providing information necessary to verify the results created by means of a qualified service whose provision is to be terminated, as well as the procedure for concluding the agreements with another qualified provider so that the qualified service providers receive new qualified services as smoothly as possible (for instance, prior to revoking previously issued qualified certificates).
9. The plan shall indicate all parties concerned that will or may be affected by termination of the provision of qualified services and parties concerned which might not be affected by termination of the provision of qualified services and which, however, shall be notified of termination of the provision of qualified services (for instance, the Communications Regulatory Authority of the Republic of Lithuania, etc.). The plan shall contain a detailed description of means and procedures for how the parties concerned will be notified of termination of the provision of qualified services; moreover, such means and procedures shall cover the cases where the provision of qualified services is terminated at the qualified provider’s initiative and in the absence of the qualified provider’s initiative (for instance, having withdrawn its qualified status, etc.).