Official Translation
REPUBLIC OF LITHUANIA
LAW ON ELECTRONIC SIGNATURE
July 11, 2000. No. VIII - 1822
Vilnius
CHAPTER I
GENERAL PROVISIONS
ARTICLE 1. Purpose of the Law
1. This Law shall regulate the creation, verification, and validity of electronic signature, signature users’ rights and obligations, establish the certification services and requirements of their providers and the rights and functions of the institution of electronic signature supervision.
2. This Law shall not regulate the use of the signature-creation data, signature- verification data and use of electronic-signature-device to ensure confidentiality of information.
ARTICLE 2. Basic Definitions of this Law
1. Person is an enterprise, not having the rights of a legal person, a natural or legal person, including foreign persons.
2. Electronic Data (hereinafter referred to as-Data) includes all data processed by information technology means.
3. Data Processing includes all operations with data: selection, recording, classification, grouping, accumulation, storing, exchanging, copying, connecting, disclosure, supply, use and destruction.
4. Electronic Signature (hereinafter referred to as-Signature) means data, which are inserted, attached to or logically associated with other data for the purpose of confirming the authenticity of the latter and (or) identification of the signatory.
5. Secure-electronic-signature means signature, which meets all of the requirements indicated in this paragraph:
6. Signed-data means data, to which an electronic signature is inserted, attached to or logically associated with.
7. Signatory means a capable natural person, who holds a signature-creation device and, acting voluntarily either on his own behalf or on behalf of the other person, whom he represents, creates a signature.
8. Signature Users means persons, who use electronic signature in their activity or obtain signed data from other persons.
9. Signature-creation-data means unique data, which are used by the signatory to create a signature.
10. Signature-creation-device means configured computer software and (or) hardware, used to implement the signature-creation data.
11. Secure-signature-creation-device means a signature-creation device which meets all of the requirements laid down in this paragraph:
1) the signature - creation data used for electronic signature generation can practically occur only once, and their secrecy is reasonably assured;
2) the signature-creation data, used for signature generation cannot, with reasonable assurance, be derived and the signature is protected against forgery using currently available technology;
3) the signature creation data used for signature generation can be reliably protected by the legitimate signatory against the use of others;
13. Signature-verification-device means configured software and (or) hardware used to implement the signature-verification-data.
14. Certificate means an electronic attestation, which links signature-verification data to a signatory and confirms or allows to establish the identity of that signatory.
15. Qualified-certificate means a certificate produced by a certification-service-provider who fulfils the requirements laid down by the Government or its authorised institution. This certificate contains the following data:
4) specific attributes of the signatory, if that is required considering the projected goals of the certificate’s use;
5) signature-verification data, which corresponds to the signature-creation data under the control of the signatory;
16. Certification-service-provider means an enterprise, not having the rights of a legal person, or a legal person who issues certificates or provides other services related to electronic signature.
ARTICLE 3. Generation of Signature-creation and Verification Data
1. Following the request by a person, who has decided to use electronic signature in his activities, the certification-service-provider, using an electronic-signature-device, shall create for him signature creation and verification data. This data may be created by the person himself.
2. A certification-service-provider who issues qualified-certificates must give the signature-creation-data only to the person upon whose request they had been created, without keeping a copy of such for himself and ensuring their secrecy.
3. Signature-verification-data shall be public. The certification-service-provider shall enter them in the certificate of the signatory and provide it to all signatories. Should the signatory himself have generated the signature-creation and verification data, to issue a certificate, he shall transfer the signature-verification-data to the certification-service-provider.
ARTICLE 4. Issuing and Processing of Certificates
2. A natural person, requesting the certification-service-provider to issue his certificate, must submit some documents confirming his identity.
3. A natural person, upon whose request a certificate has been issued, shall be liable for the documents confirming his identity in accordance with the laws of the Republic of Lithuania.
4. The certification-service-provider shall suspend the validity of the certificate:
2) upon the request by law enforcement institutions authorised by the Government, in seeking to prevent crimes;
5. Suspension of the validity of the certificate shall be revoked upon obtaining a request by the signatory or a law enforcement institution authorised by the Government, upon the request whereof the validity of the certificate had been suspended. Should the validity of the certificate be suspended for reasons indicated in item 3 of paragraph 4 of this Article, suspension of the validity of the certificate shall be revoked upon the receipt of a request and explanation by the signatory, denying the information received from the certification-service-provider. Failure to receive such a request and explanation within one month of suspension of certificate validity, shall result in revocation of validity of the certificate.
6. Certification-service-provider shall revoke the validity of the certificate:
2) upon loss of control by the signatory of signature-creation-data corresponding to the certificate;
4) based upon the limitations of validity of the certificate, stipulated in the certificate in issuing it;
7) upon violation by the signatory of the legal acts regulating use of signature or the conditions of the contract with the certification-service-provider;
7. The signatory must approach the certification-service-provider, who issued it his certificate, concerning revocation of the validity of the certificate, if he has lost control of signature-creation-data corresponding to the certificate.
ARTICLE 5. Validity of Foreign State Certificates
1. Qualified-certificates, issued by foreign state certification-service-providers shall be considered legally equivalent to the qualified-certificates issued by the Republic of Lithuania certification-service-providers, if:
1) they are issued by a certification-service-provider, who is accredited in the Republic of Lithuania;
3) the certificate is guaranteed by the certification-service-provider of the
Republic of Lithuania, who corresponds to the requirements established by the Government or an institution authorised by it for certification-service-providers who issue qualified-certificates;
4) the certificate is guaranteed by a certification-service-provider of a European Union Member State, corresponding to the equivalent requirements for certified-service-providers who issue qualified-certificates, established by the Government of the Republic of Lithuania or an institution authorised by it.
ARTICLE 6. Creation of Signature
1. The signatory shall create an electronic signature by means of a signature-creation-device from the data to be signed and signature-creation-data belonging to him alone.
2. The signatory shall be liable for the protection of signature-creation-data and signature-creation-device.
ARTICLE 7. Verification of Signature
1.Verification of signature means establishment of signed data authenticity and establishment of the validity of signature and identification of the signatory thereof.. The signature shall be verified with signature-verification-device, using signed data and certificate of signatory.
2. The institution of signature supervision shall set the requirements for the procedure of signature verification.
ARTICLE 8. Force of Signature
1. A secure-electronic-signature, created by a secure-signature-creation-device and based on a qualified-certificate which is valid, shall have the same legal force that a hand-written signature in written documents has and shall be admissible as evidence in court.
2. A signature may not be deemed invalid based on any of the grounds listed below, that it is:
ARTICLE 9. Certification Services
1. Certification-service-providers shall provide these certification services, linked to signature use:
1) primary - certificate issuing and provision of data thereof to signature users for signature verification;
ARTICLE 10. Registration of Certification Service Providers
Certification-service-providers of the Republic of Lithuania who issue qualified-certificates, must register with the institution of signature supervision according to the procedure established by the Government or its authorised institution.
ARTICLE 11. Accreditation of Certification-service -providers
1. Certification-service-providers may voluntarily accredit themselves with an institution of signature supervision. Accreditation is the assessment of a certification-service-provider’s ability to perform his functions. Accreditation is not a required condition of certification-service-providers.
2. An institution of signature supervision shall establish the requirements of voluntary accreditation of certification-service-providers and procedure of accreditation.
ARTICLE 12. Obligations, Rights and Liability of Certification-service-providers
1. In order to issue a certificate, a signatory shall sign a contract with a certification-service-provider. In drawing up a contract, the certification-service-provider must:
1) inform the signatory regarding the procedure, use and limitations of the certificate and voluntary accreditation of the certification-service-provider;
2) in issuing a signatory’s certificate, require that the person
submit documents confirming his identity;
2. A certification-service-provider must:
1) provide certificate data for signature users for verification of signatures twenty-four hours per day;
2) suspend or revoke without any delay, the validity of a signatory’s certificate in instances stipulated in paragraphs 4 and 6 of Article 4;
3) inform without any delay, the signatory concerning the suspension or revocation of his certificate;
3. A certification-service-provider who issues qualified-certificates must:
1) collect the information stipulated by the Government or an institution authorised by it, pertaining to certificate processing and replies to inquiries posed by signature users and to keep it for the stipulated length of time;
4. A certification-service-provider, who issues qualified-certificates, shall have the right to set limitations of certificate use purpose, limits of the value of transactions, when the certificate may be used, and shall not be liable for the damage suffered by signature users, should the limitations indicated in the certificate have been violated.
5. A certified-service-provider who issues qualified-certificates shall be liable for:
2) that the person indicated in the issued certificate is the holder of the signature-creation-data, corresponding to the signature-verification-data indicated in the certificate;
3) correlation between signature-creation-data and signature-verification-data, when he creates both these data, upon the request of the person;
ARTICLE 13. Suspension of Certification Service Provision
1. A certification-service- provider must no later than one month prior to the suspension of certification service, inform of this the signatories, whose certificates he issued and whose certificates are valid, as well as other certification-service-providers, with whom he has signed contracts of guarantee.
2. A certification-service-provider may suspend the validity of all the certificates he issued no earlier than one month after the announcement concerning the projected suspension of certification-service-provision.
3. A certification-service-provider, issuing qualified-certificates, must no later than one month prior to suspension of the certification service, inform the institution of signature supervision, concerning this.
4. A certification-service-provider who issues qualified-certificates must, within one month from the announcement of the projected suspension of certification-service-provision, hand over all of his issued qualified-certificates and information stipulated by the institution of signature supervision, concerning certificate processing and the inquiries by signature users, to a successor of the activity or institution of signature supervision.
ARTICLE 14. Functions of Institution of Electronic Signature Supervision
1. An institution authorised by the Government shall perform the functions of electronic signature supervision.
2. The institution of electronic signature supervision shall:
4) establish the requirements and procedure of voluntary accreditation for certification-service-providers;
6) draft the procedure of registration of certification-service-providers who issue qualified-certificates, register them and openly publish the list thereof in the “Official Gazette;”
7) supervise how the information linked to qualified-certificate managing and signature users inquiries, collected by a certification-service-provider, is being managed;
8) revoke by his request, the registration of a certification-service-provider who issues qualified-certificates;
10) maintain contact with corresponding institutions of electronic
signature supervision abroad exchange information, collect and openly publish it;
ARTICLE 15. Rights of Institution of Electronic Signature Supervision
1. An institution of signature supervision shall have the right to revoke the accreditation of an accredited certification-service-provider, having established that he violated the requirements set forth for accredited certification-service-providers.
2. An institution of signature supervision shall have the right to warn a certification-service-provider who issues qualified-certificates and to suspend or annul his registration, upon having established that he has violated the requirements set forth by the Government or its authorised institution, for certification-service-providers who issue qualified-certificates.
3. The decisions adopted by institutions of signature supervision regarding accreditation of an accredited certification-service-provider or the revocation of registration of a certification-service-provider who issues qualified-certificates, shall be appealed in accordance with the procedure established by laws.
ARTICLE 16. Implementation of the Law
1. To propose to the Government to draft and adopt the legal acts necessary for the implementation of the Law within six months from the coming into force of this Law.