This document is an excerpt from the EUR-Lex website
Document 02022R0423-20240625
Commission Implementing Regulation (EU) 2022/423 of 14 March 2022 laying down the technical specifications, measures and other requirements for the implementation of the decentralised IT system referred to in Regulation (EU) 2020/1784 of the European Parliament and of the Council
Consolidated text: Commission Implementing Regulation (EU) 2022/423 of 14 March 2022 laying down the technical specifications, measures and other requirements for the implementation of the decentralised IT system referred to in Regulation (EU) 2020/1784 of the European Parliament and of the Council
Commission Implementing Regulation (EU) 2022/423 of 14 March 2022 laying down the technical specifications, measures and other requirements for the implementation of the decentralised IT system referred to in Regulation (EU) 2020/1784 of the European Parliament and of the Council
02022R0423 — EN — 25.06.2024 — 001.001
This text is meant purely as a documentation tool and has no legal effect. The Union's institutions do not assume any liability for its contents. The authentic versions of the relevant acts, including their preambles, are those published in the Official Journal of the European Union and available in EUR-Lex. Those official texts are directly accessible through the links embedded in this document
COMMISSION IMPLEMENTING REGULATION (EU) 2022/423 of 14 March 2022 (OJ L 087 15.3.2022, p. 9) |
Amended by:
|
|
Official Journal |
||
No |
page |
date |
||
COMMISSION IMPLEMENTING REGULATION (EU) 2024/1570 of 4 June 2024 |
L 1570 |
1 |
5.6.2024 |
COMMISSION IMPLEMENTING REGULATION (EU) 2022/423
of 14 March 2022
laying down the technical specifications, measures and other requirements for the implementation of the decentralised IT system referred to in Regulation (EU) 2020/1784 of the European Parliament and of the Council
Article 1
Technical specifications of the decentralised IT system
The technical specifications, measures and other requirements for the implementation of the decentralised IT system referred to in Article 25 of Regulation (EU) 2020/1784 shall be as set out in the Annex.
Article 2
Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.
ANNEX
Technical specifications, measures and other requirements of the decentralised it system referred to in article 1
1. Introduction
The decentralised IT system referred to in Regulation (EU) 2020/1784 is an e-CODEX based system for the exchange of documents and data related to the service of documents between Member States in accordance with that Regulation. The authorised e-CODEX access points of the decentralised IT system shall be governed by the legal framework established by Regulation (EU) 2022/850.
Member States that are not bound by Regulation (EU) 2020/1784 but to which the provisions of that Regulation apply under an international agreement between that Member State and the Union concerning the service of judicial and extrajudicial documents in civil or commercial matters shall be allowed to participate in the decentralised IT system referred to in Regulation (EU) 2020/1784 to the extent necessary to apply the provisions of that Regulation.
In so far as such Member States are not bound by Regulation (EU) 2022/850, they shall implement in their national law the contents of Articles 8, 9, Article 11(3), (4), and (6), Articles 12, 14, Article 15(1) and (3), and Article 20 of that Regulation, so that the necessary safeguards for the proper operation of the decentralised IT-system are in place. Once the Member State concerned has notified the Commission in accordance with the applicable international agreement concerning the service of judicial and extrajudicial documents that it has implemented those provisions in its national law, it shall be treated in the same way as other Member States exclusively for the purposes of the operation of the decentralised IT system referred to in Regulation (EU) 2020/1784.
2. Definitions
2.1. ‘HyperText Transport Protocol Secure’ or ‘HTTPS’ means encrypted communication and secure connection channels;
2.2. ‘Portal’ means the Reference Implementation solution or the National Back-end solution connected to the decentralised IT system;
2.3. ‘Non-repudiation of origin’ means the measures providing the proof of the integrity and proof of origin of the data through methods such as digital certification, public key infrastructure and digital signatures;
2.4. ‘Non-repudiation of receipt’ means the measures providing the proof of the receipt of the data to the originator by the intended recipient of the data through methods such as digital certification, public key infrastructure and digital signatures;
2.5. ‘SOAP’ means, as per the standards of World Wide Web Consortium, a messaging protocol specification for exchanging structured information in the implementation of web services in computer networks;
2.6. ‘Web service’ means a software system designed to support interoperable machine-to-machine interaction over a network; it has an interface described in a machine-processable format;
2.7. ‘data exchange’ means the exchange of messages and documents through the decentralised IT system.
3. Methods of communication by electronic means
The SoD exchange system shall use service-based methods of communication, such as Web-services or other reusable Digital Service Infrastructures for the purpose of exchanging messages and documents.
Specifically, it will use the e-CODEX infrastructure, which is comprised of two major components, the Connector and the Gateway.
The Connector is responsible for handling communication with the Reference Implementation solution or national implementations. It can process message exchange with the Gateway in both directions, trace messages and acknowledge them using standards such as ETSI-REM evidences, validate signatures of business documents, create a token that holds the outcome of the validation in PDF and XML format and create a container using standards such as ASIC-S where the business content of a message is packed and signed.
The Gateway is responsible for the exchange of messages and it is agnostic of the message content. It can send and receive messages to and from the Connector, validate header information, identify correct processing mode, sign and encrypt messages and transfer messages to other Gateways.
4. Communication protocols
The SoD exchange system shall use secure internet protocols, such as HTTPS for portal and decentralised IT system components communication and the standard communication protocols, such as SOAP, for the transmission of structured data and metadata.
Specifically, e-CODEX provides a strong information security by taking advantage of state of the art authentication and multilayer cryptographic protocol.
5. Security standards
For the communication and distribution of information via the SoD exchange system, the technical measures for ensuring minimum information technology security standards shall include:
measures to ensure confidentiality of information, including by using secure channels (HTTPS);
measures to ensure the integrity of data while being exchanged;
measures to ensure the non-repudiation of origin of the sender of information within SoD exchange system and the non-repudiation of receipt of information;
measures to ensure logging of security events in line with recognised international recommendations for information technology security standards;
measures to ensure the authentication and authorisation of any registered users and measures to verify the identity of systems connected to the SoD exchange system;
the SoD exchange system will be developed in accordance with the principle of data protection by design and by default.
6. Availability of services
6.1. The service time frame shall be 24 hours, 7 days a week, with a technical availability rate of the system of at least 98 % excluding scheduled maintenance.
6.2. Member States shall notify the Commission of maintenance activities as follows:
5 working days in advance for maintenance operations that may cause an unavailability period of up to 4 hours;
10 working days in advance for maintenance operations that may cause an unavailability period of up to 12 hours;
30 working days in advance for maintenance operations, which may cause up to 6 days unavailability period per year.
6.3. To the extent possible, during working days, maintenance operations shall be planned between 20:00h-7:00h CET.
6.4. Where Member States have fixed weekly service windows, they shall inform the Commission of the time and day of the week when such fixed weekly windows are planned. Without prejudice to the obligations set out in point 6.2, if Member States’ systems become unavailable during such a fixed window, Member States may choose not to notify the Commission on each occasion.
6.5. In case of unexpected technical failure of the Member States’ systems, Member States shall inform the Commission without delay of their system unavailability, and, if known, of the projected resuming of the service.
6.6. In case of unexpected failure of the database of Competent Authorities, the Commission shall inform the Member States without delay of the unavailability, and if known, of the projected resuming of the service.