Translated by the Communications Regulatory Authority of the Republic of Lithuania
LAW OF THE REPUBLIC OF LITHUANIA
ON ELECTRONIC IDENTIFICATION AND TRUST SERVICES
FOR ELECTRONIC TRANSACTIONS
26 April 2018 No XIII-1120
Vilnius
CHAPTER I
GENERAL PROVISIONS
Article 1. Purpose of the Law
1. The purpose of the Law is to create a legal basis for effective operation of electronic identification and the market of trust services in the Republic of Lithuania to ensure the best possible protection of the interests of the users of these services.
2. This Law shall regulate the legal effect of electronic signature, electronic seal, electronic time stamp and trust services, obligations of trust service providers and users, terms of and procedure for suspension and revocation of qualified certificates for electronic signature, electronic seal or certificates for website authentication (hereinafter – the qualified certificates), supervision of trust service providers in so far as it is not covered by Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ 2014 L 257, p. 73) (hereinafter – the Regulation (EU) No 910/2014) and by implementing legal acts adopted by the European Commission on the basis thereof, and shall determine electronic identification and trust service political decision-makers.
3. The Law hereby is designed to implement the European Union legal act referred to in the annex to the Law and ensure the application thereof.
Article 2. Definitions
1. Electronic time stamp user means a person using an electronic time stamp or a party relying on that stamp.
2. Electronic signature user means a person signing with an electronic signature or a party relying on that signature.
3. Electronic seal user means a creator of an electronic seal or a party relying on the electronic seal.
4. Website authentication data means unique data used by a person holding a qualified certificate for website authentication to validate the website authentication.
5. National trusted list means a list of qualified trust service providers established in the Republic of Lithuania and of qualified trust services provided by them established, maintained and published under Article 22(1) and (2) of Regulation (EU) No 910/2014.
6. The definition of a durable medium shall be understood in accordance with the way in which it is defined in the Law on Payments of the Republic of Lithuania.
Article 3. Electronic Identification and Trust Services Policy Making and Implementation Institutions
1. The policy of electronic identification shall be made, its implementation shall be organised, coordinated and controlled by the Ministry of the Interior of the Republic of Lithuania.
2. The policy of trust services shall be made, its implementation shall be organised, coordinated and controlled by the Ministry of Transport and Communications of the Republic of Lithuania.
Article 4. Powers of the Supervisory Body in the Field of Trust Services
1. The goal of the supervisory body is to ensure that the trust service providers and the trust services that they provide meet the requirements laid down in Regulation (EU) No 910/2014, this law and implementing legal acts.
2. The supervisory body shall exercise the following tasks:
3) implement, within the competence, the provisions of Regulation (EU) No 910/2014, this law and implementing legal acts and supervise the compliance therewith;
4) lay down the procedure for verifying the identity and additional specific attributes when issuing the qualified certificates, unless otherwise stated in the laws of the Republic of Lithuania;
5) lay down the procedure for granting status of qualified trust service providers and qualified trust services and incorporation thereof in the national trusted list in so far it is not covered by implementing legal acts of Regulation (EU) No 910/2014 adopted by the European Commission;
6) lay down the procedure for the submission of qualified trust service providers’ activity reports to the supervisory body;
7) lay down the procedure for the submission of notifications under Article 19(2) of Regulation (EU) No 910/2014 in so far it is not covered by implementing legal acts of Regulation (EU) No 910/2014 adopted by the European Commission;
8) examine, within the competence, violations of Regulation (EU) No 910/2014, this law and implementing legal acts and commence legal proceedings of administrative offences under the procedure laid down by the Code of Administrative Offences of the Republic of Lithuania;
9) represent, within the competence, the Republic of Lithuania in the activity of international organisations and European Union institutions, committees and groups, appoint experts, if necessary, for participation in the activity of the said committees and groups;
10) together with the employees of the other supervisory bodies of the Member States of the European Union (on the grounds of the agreements concluded between the supervisory body and other supervisory bodies of the Member States of the European Union), carry out joint investigations or take part in the investigations carried out by the supervisory body of the other Member State of the European Union.
CHAPTER III
LEGAL EFFECT OF ELECTRONIC SIGNATURE, ELECTRONIC SEAL, ELECTRONIC TIME STAMP AND TRUST SERVICES
Article 5. Legal Effect of Electronic Signature, Electronic Seal and Electronic Time Stamp
1. An electronic signature which does not meet the requirements for the qualified electronic signature provided for in Regulation (EU) No 910/2014 shall have the equivalent legal effect of a handwritten signature, where the users of that electronic signature agree, in writing, in advance and where it is possible to store that agreement on a durable medium.
2. An electronic seal which does not meet the requirements for the qualified electronic seal provided for in Regulation (EU) No 910/2014 shall enjoy the presumption of integrity of the electronic data and of correctness of the origin of that data to which the electronic seal is linked, where the users of that electronic seal agree, in writing, in advance and where it is possible to store that agreement on a durable medium.
3. An electronic time stamp which does not meet the requirements for the qualified electronic time stamp provided for in Regulation (EU) No 910/2014 shall enjoy the presumption of the accuracy of the date and the time it indicates and the integrity of the electronic data to which the date and time are bound, where the users of that electronic time stamp agree, in writing, in advance and where it is possible to store that agreement on a durable medium.
4. A qualified electronic signature of a representative of legal person shall have the equivalent legal effect of a handwritten signature of a legal person authenticated by the stamp of a legal person, where the obligation to have the stamp is established in the legal person’s instruments of its establishment or laws.
Article 6. Legal Effect of Qualified Validation Services for Qualified Electronic Signatures and Qualified Electronic Seals
1. The qualified validation service for qualified electronic signatures shall enjoy the presumption of the reliable validation of the qualified electronic signature and the correct result of the validation procedure which shall allow the relying party to detect any qualified electronic signature security relevant issues.
Article 7. Legal Effect of Qualified Preservation Services for Qualified Electronic Signatures and Qualified Electronic Seals
1. The qualified preservation service for qualified electronic signatures shall enjoy the presumption of the reliable protection of the qualified electronic signature and the extension of the trustworthiness of the qualified electronic signature beyond the technological validity period.
Article 8. Legal Effect of Electronic Registered Delivery Services
The electronic registered delivery service which has not been granted a qualified trust service status under the procedure established in Regulation (EU) No 910/2014 shall enjoy the presumption of the integrity of the data, the sending of that data by the identified sender, its receipt by the identified addressee and the accuracy of the date and time of sending and receipt indicated by the qualified electronic registered delivery service, where the users of that service agree, in writing, in advance and where it is possible to store that agreement on a durable medium.
Article 9. Legal Effect of Qualified Website Authentication Services
The qualified website authentication service shall ensure the presumption of the reliable authentication of the website and of the accuracy of the data about that website.
Article 10. Obligations of Trust Service Providers
1. Trust service providers shall provide the trust services in compliance with the requirements of Regulation (EU) No 910/2014, this law and implementing legal acts.
2. The qualified trust service provider shall be insured against civil liability for the amount of at least EUR 30,000 per insured event and for the amount of at least EUR 90,000 for all insured events per year.
3. The trust service provider intending to start the provision of the qualified trust services shall, together with the documents referred to in Article 21(1) of Regulation (EU) No 910/2014, submit the following to the supervisory body:
1) documents certifying that the service provider has been insured against civil liability as established in Article 2 herein;
4. Qualified trust service providers shall submit information referred to in Article 24(2)(a) of Regulation (EU) No 910/2014 to the supervisory body:
1) on any changes in the provision of the qualified trust services – immediately, but no later than within 3 working days of the date of such changes;
5. Qualified trust service providers or their authorised third parties shall verify the identity of person to whom qualified certificate is issued and additional specific attributes as referred to in Article 24(1) of Regulation (EU) No 910/2014 under the procedure established by the supervisory body, unless otherwise stated in the laws of the Republic of Lithuania.
6. Qualified trust service providers issuing the qualified certificates shall ensure the accuracy of the data of the qualified certificates and immediately suspend or revoke the qualified certificates in the cases and under the procedure provided for in Regulation (EU) No 910/2014 and this law.
Article 11. Obligations of the Persons Wishing to Obtain a Qualified Certificate and/or Holding a Qualified Certificate
1. A person requesting to issue a qualified certificate shall enable a qualified trust service provider or its authorised third party to verify the identity and additional specific attributes indicated in the qualified certificate under the procedure established by the supervisory body, unless otherwise stated in the laws of the Republic of Lithuania.
2. A person to whom a qualified certificate is issued shall immediately contact the qualified trust service provider that has issued the qualified certificate regarding the revocation of the qualified certificate for electronic signature, electronic seal or website authentication in the following cases:
1) where they lose the control over the data of the electronic signature, electronic seal creation or website authentication corresponding to the qualified certificate;
Article 12. Suspension of Qualified Certificates for Electronic Signature and Qualified Certificates for Electronic Seal
1. Qualified trust service providers shall suspend the qualified certificate for electronic signature and qualified certificate for electronic seal in the following cases:
1) at the request of a person who requested to issue the qualified certificate for electronic signature and qualified certificate for electronic seal – for a period indicated by that person;
2) at the reasonable request of the law enforcement institutions in order to prevent criminal activities – for a period indicated by such institutions;
3) where information that the data of the qualified certificate for electronic signature and qualified certificate for electronic seal may be incorrect has been received;
4) where information that a person who has been issued the qualified certificate for electronic signature and qualified certificate for electronic seal may have been lost the control over the data of the electronic signature, electronic seal creation corresponding to the qualified certificate issued has been received;
2. Qualified trust service providers that have suspended the qualified certificate for electronic signature and qualified certificate for electronic seal on the grounds referred to in items 2, 3 and 4 of paragraph 1 herein shall, no later than within 24 hours of suspension of the qualified certificate for electronic signature and qualified certificate for electronic seal, notify the person whose qualified certificate for electronic signature and qualified certificate for electronic seal have been suspended, by available e-mail or phone, thereof and specify the grounds for suspension and duration. Where the qualified certificate for electronic signature and qualified certificate for electronic seal have been suspended on the grounds referred to in item 3 or 4 of paragraph 1 herein, the qualified trust service provider shall also notify the person, whose qualified certificate for electronic signature and qualified certificate for electronic seal have been suspended, of the right to submit a request, explanation and supporting evidence which refute the information received by the qualified trust service provider on the grounds whereof the qualified certificate for electronic signature and qualified certificate for electronic seal have been suspended within 30 working days of the date of suspension of the qualified certificate for electronic signature and qualified certificate for electronic seal in a way and form specified in the qualified trust service provider’s activity documents, as well as of the consequences referred to in Article 13(3) of this law.
3. The qualified trust service provider shall be liable for the damage made to the persons that have arisen out of the failure to fulfil or improper fulfilment of the obligations referred to in paragraph 5 herein, unless the qualified trust service provider proves that the damage occurred through no fault of the service provider.
4. A person shall not sustain any losses due to the use of the lost, stolen or unlawfully obtained qualified certificate for electronic signature and qualified certificate for electronic seal after the occurrence of the circumstances referred to in Article 12(1) of this law, except for the cases, where the person has acted in bad faith.
5. Qualified trust service providers shall immediately, but no later than within 24 hours of the occurrence of the circumstances referred to in items 1, 2, 3 and 4 of paragraph 1 herein, suspend the qualified certificate for electronic signature and qualified certificate for electronic seal and publish information on the suspension of the qualified certificate for electronic signature and qualified certificate for electronic seal in the certificate database, indicate the period of suspension of the qualified certificate for electronic signature and qualified certificate for electronic seal and ensure that this information is indicated to all relying parties by providing them with information on the status of the qualified certificate for electronic signature and qualified certificate for electronic seal.
6. Qualified trust service providers shall revoke the suspension of the qualified certificate for electronic signature and qualified certificate for electronic seal in the following cases:
1) the qualified certificate for electronic signature and qualified certificate for electronic seal has been suspended on the grounds referred to in item 1 or 2 of paragraph 1 herein – upon the expiry of suspension or at the request of the person who submitted a request referred to in Article 12(1)(1), or at the request of the law enforcement institution that filed a request referred to in Article 12(1)(2);
2) the qualified certificate for electronic signature and qualified certificate for electronic seal has been suspended on the grounds referred to in item 3 or 4 of paragraph 1 herein – upon receipt of the request, explanation and supporting evidence from the person that has been issued the qualified certificate for electronic signature and qualified certificate for electronic seal, where such evidence refutes the information received by the qualified trust service provider on the grounds whereof those certificates have been suspended.
Article 13. Revocation of Qualified Certificates for Electronic Signature and Qualified Certificates for Electronic Seal
1. Qualified trust service providers shall revoke the qualified certificate for electronic signature and qualified certificate for electronic seal in the following cases:
1) at the request of a person who requested to issue the qualified certificate for electronic signature and qualified certificate for electronic seal;
2) where a person who has been issued the qualified certificate for electronic signature and qualified certificate for electronic seal has lost the control over the data used to create the qualified electronic signature and electronic seal corresponding to the certificate issued;
3) where it comes to light that incorrect data were provided for issuing the qualified certificate for electronic signature and qualified certificate for electronic seal;
4) where it comes to light that the data of the qualified certificate for electronic signature and qualified certificate for electronic seal have changed;
5) where the notification on the death or incapacity in a certain field of a natural person who has been issued the qualified certificate for electronic signature has been received;
6) where the notification that a legal person who has been issued the qualified certificate for electronic signature ceased to exist has been received;
2. Qualified trust service providers that have revoked the qualified certificate for electronic signature and qualified certificate for electronic seal on the grounds referred to in items 2, 3, 4 and 7 of paragraph 1 herein shall immediately, but no later than within 24 hours of revocation of the qualified certificate for electronic signature and qualified certificate for electronic seal, notify the person whose qualified certificate for electronic signature and qualified certificate for electronic seal have been revoked, by available e-mail or phone, thereof and specify the grounds for revocation.
3. Where the person whose qualified certificate for electronic signature and qualified certificate for electronic seal have been suspended on the grounds referred to in Article 12(1)(3) or (1)(4) fails to provide the request, explanation and evidence referred to in Article 12(6)(2) within 30 working days of the suspension of the qualified certificate for electronic signature and qualified certificate for electronic seal, the qualified certificate for electronic signature and qualified certificate for electronic seal shall be revoked.
Article 14. Use of Personal Code in Certificate for Electronic Signature
The code of a person who has been issued the certificate for electronic signature may be used in the certificate for electronic signature as an additional specific attribute, where it is needed for the intended purpose of the certificate. The use of the code of a person who has been issued the certificate for electronic signature or the absence thereof shall not affect the interoperability and recognition of electronic signatures.
Article 15. Verification of Status of Trust Service Providers and/or Trust Services that They Provide
1. The national trusted list shall be referred to in order to determine whether the trust service providers established in the Republic of Lithuania and/or trust services that they provide have been granted a status of a qualified trust service provider and/or qualified trust services.
2. In order to determine whether the trust service providers established in the other Member States of the European Union and/or trust services that they provide have been granted a status of a qualified trust service provider and/or qualified trust services, the national trusted list of that Member State established, maintained and published under Article 22 of Regulation (EU) No 910/2014 shall be referred to.
Article 16. Requirements for Employees of a Qualified Trust Service Provider
The employees of the qualified trust service provider may not have record of conviction (or the conviction has not expired or has not been repealed) of intentional crimes.
Article 17. Receipt of Information
1. The supervisory body shall have the right to receive all information from the public and municipal institutions and authorities, trust service providers and users, persons that have been issued qualified certificates and, where appropriate, from other persons related to the activity of trust service providers subject to verification necessary to the supervisory body and the European Commission for the implementation and exercise of the tasks and functions in compliance with the requirements of the Law on Legal Protection of Personal Data of the Republic of Lithuania regarding confidentiality of the personal data.
2. Trust service providers, users, persons that have been issued the qualified certificates and other persons shall, at the request of the supervisory body, submit, in writing, the information referred to in paragraph 1 herein within a reasonable time limit set by the supervisory body which shall be of at least 5 working days. A period for submitting information referred to herein may be extended, for objective reasons, for a period of up to 10 days by the supervisory body.
Article 18. Officials of the Supervisory Body
1. The officials authorised by the supervisory body, when supervising the implementation of the provisions of Regulation (EU) No 910/2014, this law and implementing legal acts, shall have and exercise the following rights on behalf of the supervisory body:
2) upon providing the authorisation issued by the court, enter the premises used by the trust service provider and carry out inspection, review the trust service provider’s documents necessary for investigation, receive their copies and extracts, information stored on computers and media;
3) receive verbal and written explanations from the trust service providers undergoing the inspection, request them to arrive at the premises of the authorised official carrying out the investigation to make statements;
4) receive the data on the activity of the trust service providers undergoing the inspection and related documents or their extracts from the public and municipal institutions, bodies and persons related to the activity of the trust service providers undergoing the inspection;
5) seize documents and objects which are necessary or have evidential value when investigating the violation from the public and municipal institutions and bodies, trust service providers and users, persons who have been issued the qualified certificates for a temporary period of up to 30 working days by leaving a reasonable decision of the authorised official concerning seizure of documents and/or objects and description of seized documents and/or objects;
2. The officials authorised by the supervisory body, when implementing the rights granted to them, shall make out documents (statements, protocols, requests). The forms of the documents and the procedure for completing them shall be laid down by the supervisory body.
3. The requirements of the officials of the supervisory body provided to exercise the rights referred to in paragraph 1 herein shall be binding to the persons, employees of the management bodies of legal persons and administration. Those entities shall cooperate with the officials authorised by the supervisory body.
4. The request to issue an authorisation to perform activities referred to in Article 18(1)(2) shall be filed to Vilnius Regional Administrative Court. The request shall contain the name of the trust service provider (name, surname), nature of suspected violations and intended actions. Vilnius Regional Administrative Court shall examine the request and adopt the reasonable ruling to uphold or withdraw the request no later than within 72 hours of filing the request. Where the official authorised by the supervisory body disagrees with the ruling to withdraw the request by Vilnius Regional Administrative Court, the official shall have the right to bring an appeal against the ruling before the Supreme Administrative Court of Lithuania within 7 working days. The Supreme Administrative Court of Lithuania shall examine the appeal against the ruling of Vilnius Regional Administrative Court no later than within 7 working days. A representative of the supervisory body shall have the right to be present when the complaint is examined. The ruling adopted by the Supreme Administrative Court of Lithuania shall be final and without appeal. Courts, when examining the requests and complaints concerning the issuance of authorisations to perform activities, shall ensure confidentiality of information provided and actions planned. In urgent cases, the actions of the officials of the supervisory body may be taken by the decision of the director of the supervisory body. In this case, the request to issue the authorisation to perform activities shall be brought before the court under the procedure referred to herein within 24 hours of the decision of the director of the supervisory body. Where the court refuses to issue the authorisation to perform activities, they shall be ceased, and information obtained when performing such activities shall be immediately destroyed.
Article 19. Liability of Trust Service Providers
Persons, having infringed the requirements of Regulation (EU) No 910/2014, this law and implementing legal acts, shall be liable under the procedure laid down by the Code of Administrative Offences of the Republic of Lithuania.
Article 20. Implementation and Application of the Law
1. Qualified trust service providers shall, within 3 months of the entry into force of this law, provide the supervisory body with the documents certifying that the qualified trust service provider has been insured against civil liability in accordance with the requirements laid down in Article 10(2) of this law. Where the qualified trust service provider fails to submit the documents referred to herein within a set time limit, the supervisory body shall initiate the withdrawal of a status of the qualified trust service provider under the procedure established by Regulation (EU) No 910/2014.
2. Other definitions “advanced electronic signature”, “supervisory body for electronic signature”, “advanced electronic signature created by secure signature creation device and validated by qualified certificate in force”, “qualified certificate” used for the purpose of other legal acts of the Republic of Lithuania and definitions “advanced electronic signature”, “supervisory body for trust services”, “qualified electronic signature”, “qualified certificate for electronic signature” used for the purpose of this law are identical.
Article 21. Repeal of Law on Electronic Signature No VIII-1822 of the Republic of Lithuania
Upon the entry into force of this law, Law on Electronic Signature No VIII-1822 of the Republic of Lithuania, with all of its amendments and supplements, shall be repealed.
I promulgate this Law passed by the Seimas of the Republic of Lithuania.
President of the Republic Dalia Grybauskaitė
Annex to
the Law on Electronic Identification and
Trust Services for Electronic
Transactions
of the Republic of Lithuania