Question ID:
2019_4586
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Other topics
Article:
98
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
34 (1)
Disclose name of institution / entity:
Yes
Name of institution / submitter:
European Telecommunications Standards Institute
Country of incorporation / residence:
France
Type of submitter:
Other
Subject Matter:
Requirement on the use of a Qualified Certificate for Electronic Seals (QSealC) for integrity and authenticity
Question:

Please clarify whether in the EBA’s Opinion on the use of eIDAS under the RTS on SCA and CSC, under Paragraph 11, Qualified Electronic Seals employing a Qualified Seal creation Device are required to provide integrity and authenticity through the reference to Article 35(2) of Regulation (EU) No 910/2014?

Background on the question:

The Opinion of the European Banking Authority on the use of eIDAS certificates under the RTS on SCA and CSC item 11 describes the use of QSealC as required by RTS Article 34(1) for integrity and authenticity of signed / sealed data. This goes on to reference Article 35(2) of Regulation (EU) No 910/2014 (eIDAS). Article 35(2) of Regulation (EU) No 910/2014 relates to a "Qualified Electronic Seal". Under eIDAS Article 3(27) a "Qualified Electronic Seal" includes additional requirements beyond the use of a QSealC, in particular use of a special device for security of the signing key, called in eIDAS a "Qualified Signature/Seal Creation Device". Use of such a device would be a significant additional burden on Payment Service Providers.

Date of submission:
28/02/2019
Published as Final Q&A:
14/06/2019
Final Answer:

Article 34(1) of the Commission Delegated Regulation (EU) 2018/389 specifies that ‘for the purpose of identification, as referred to in Article 30(1)(a), payment service providers shall rely on qualified certificates for electronic seals (QSealCs) as referred to in Article 3(30) of Regulation (EU) No 910/2014 or for website authentication (QWACs) as referred to in Article 3(39) of that Regulation.’

Paragraph 11 of the Opinion of the European Banking Authority (EBA) on the use of eIDAS certificates under the RTS on strong customer authentication and secure communication describes some of the specificities of QSealCs, namely that they (i) ensure the integrity and correctness of the origin (authenticity) of the signed data and (ii) provide strong evidence of the signed data.

The reference in the EBA’s Opinion to Article 35(2) of Regulation (EU) No 910/2014 shows that the specificities of the QSealCs cited in paragraph 11 of the Opinion were in line with the applicable legislation.

Further, this reference is in line with the objective of PSD2 of technological neutrality and did not infer that Qualified Electronic Seals employing a Qualified Seal creation Device are required for the purpose of Article 34(1) of the Delegated Regulation.

Status:
Final Q&A
Answer prepared by:
Answer prepared by the EBA.