25.2.2015 | EN | Official Journal of the European Union | L 53/14
COMMISSION IMPLEMENTING DECISION (EU) 2015/296
of 24 February 2015
establishing procedural arrangements for cooperation between Member States on electronic identification pursuant to Article 12(7) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market
(Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (1), and in particular Article 12(7) thereof,
Whereas:
(1) Cooperation between Member States on the interoperability and security of electronic identification schemes is essential to foster a high level of trust and security appropriate to the degree of risk in such schemes.
(2) Article 7(g) of Regulation (EU) No 910/2014 requires the notifying Member State to provide to other Member States a description of that scheme 6 months in advance, in order that Member States can cooperate in the way described in Article 12(5) of Regulation (EU) No 910/2014.
(3) Cooperation between Member States requires simplified procedures. Interoperability and security of electronic identification schemes cannot be created by procedures conducted in different languages. The use of the English language during cooperation should facilitate reaching interoperability and security of electronic identification schemes, however, translation of already existing documentation should not cause unreasonable burden.
(4) Various elements of the electronic identification schemes are managed by different authorities or bodies in the Member States. In order to allow effective cooperation and simplify administrative procedures, it is appropriate to ensure that each Member State has a single point through which its relevant authorities and bodies can be reached.
(5) Exchange of information, experience and good practice between Member States facilitates the development of electronic identification schemes and serves as a tool to reach technical interoperability. The need for such cooperation is specifically justified when it concerns adjustments of already notified electronic identification schemes, changes to electronic identification schemes on which information has been provided to Member States before notification, and when important developments or incidents occur that can affect interoperability or security of electronic identification schemes. Member States should also have the means to request such kind of information concerning interoperability and security of electronic identification schemes from other Member States.
(6) Peer review of electronic identification schemes should be viewed as a mutual learning process that helps to build trust between Member States, and ensures interoperability and security of notified electronic identification schemes. This requires notifying Member States to provide sufficient information about their electronic identification schemes. The need for Member States to keep certain information confidential, when this is critical for security, must however also be taken into account.
(7) In order to ensure that the peer review process is cost effective and produces clear and conclusive results, and to avoid placing an unnecessary burden on Member States, Member States should collectively conduct a single peer review.
(8) Member States should take into account independent third party assessments, if available, when cooperating on matters relating to electronic identification schemes, including when conducting peer reviews.
(9) In order to facilitate procedural arrangements to achieve objectives in Article 12(5) and (6) of Regulation (EU) No 910/2014, the Cooperation Network should be created. This is to ensure the existence of a forum which can include all the Member States and engage them in a formalised manner to cooperate vis-à-vis the practicalities of the maintenance of the interoperability framework.
(10) The Cooperation Network should examine draft notification forms provided by Member States under Article 7(g) of Regulation (EU) No 910/2014 and issue opinions providing indications as to the compliance of the schemes described therein with the requirements of Article 7 and Articles 8(1)-(2) and 12(1) of that Regulation and the implementing act referred to in Article 8(3) of that Regulation. Article 9(1)(e) of Regulation (EU) No 910/2014 requires notifying Member States to describe how the notified electronic identification scheme meets the requirements of interoperability pursuant to Article 12(1) of Regulation (EU) No 910/2014. In particular, opinions of the Cooperation Network should be taken into consideration by Member States when preparing to discharge of their obligation under Article 9(1)(e) of Regulation (EU) No 910/2014 to describe to the Commission how the notified electronic identification scheme meets the requirements of interoperability pursuant to Article 12(1) of Regulation (EU) No 910/2014.
(11) All parties involved in notification should take note of the opinion of the Cooperation Network as guidance to the full cooperation, notification and interoperability processes.
(12) In order to ensure the effectiveness of the peer review process conducted under this Decision, it is appropriate for the Cooperation Network to provide guidance to the Member States.
(13) The measures provided for in this Decision are in accordance with the opinion of the Committee established by Article 48 of Regulation (EU) No 910/2014,
HAS ADOPTED THIS DECISION:
CHAPTER I
GENERAL PROVISIONS
Article 1
Objective
Pursuant to Article 12(7) of the Regulation, this Decision lays down the procedural arrangements for facilitating cooperation between Member States, as is necessary in order to ensure the interoperability and security of electronic identification schemes of which Member States are intending to notify or have notified the Commission. The arrangements relate in particular to:
(a) the exchange of information, experience and good practice relating to electronic identification schemes and examination of the relevant developments in the electronic identification sector as set out in Chapter II;
(b) peer review of electronic identification schemes as set out in Chapter III; and
(c) cooperation through the Cooperation Network as set out in Chapter IV.
Article 2
Language of cooperation
1. Unless otherwise agreed by the concerned Member States, the language of cooperation shall be English.
2. Without prejudice to paragraph 1, Member States shall not be obliged to translate supporting documents referred to in Article 10(2) where this would create an unreasonable burden.
Article 3
Points of single contact
1. For the purposes of cooperation between the Member States pursuant to Article 12(5) and (6) of Regulation (EU) No 910/2014, each Member State shall designate a point of single contact.
2. Each Member State shall communicate to the other Member States and the Commission information on the point of single contact. The Commission shall publish a list of the points of single contact online.
CHAPTER II
EXCHANGE OF INFORMATION, EXPERIENCE AND GOOD PRACTICE
Article 4
Exchange of information, experience and good practice
1. Member States shall share information, experience or good practice relating to electronic identification schemes with other Member States.
2. Each Member State shall inform other Member States accordingly where it introduces any of the following changes, developments or adjustments which are related to the interoperability or the assurance levels of the scheme:
(a) developments or adjustments to its already notified electronic identification scheme, where they do not require notification pursuant to Article 9(1) of Regulation (EU) No 910/2014;
(b) changes, developments or adjustments to the description of its electronic identification scheme provided pursuant to Article 7(g) of Regulation (EU) No 910/2014, where they occurred before the notification.
3. When a Member State becomes aware of any important development or incident that is not related to its notified electronic identification scheme but that could affect the security of other notified electronic identification schemes, it shall inform the other Member States.
Article 5
Request of information on interoperability and security
1. When a Member State considers that in order to ensure the interoperability between the electronic identification schemes it is necessary to have more information which was not already provided by the Member State notifying the electronic identification scheme, it may request such information from the latter. The notifying Member State shall provide such information, unless:
(a) it does not possess such information and to obtain it would cause an unreasonable administrative burden;
(b) such information concerns matters of public security or national security;
(c) such information concerns matters of business, professional or company secrets.
2. In order to improve the security of electronic identification schemes a Member State that has a security concern affecting a scheme which has been notified or which is in the process of being notified, may request information about the security concern. The requested Member State shall then provide all Member States with the relevant information required to establish whether a security breach referred to in Article 10 of Regulation (EU) No 910/2014 has occurred or to establish whether there is a real risk that such a breach may occur, unless:
(a) it does not possess such information and to obtain it would cause an unreasonable administrative burden;
(b) such information concerns matters of public security or national security;
(c) such information concerns matters of business, professional or company secrets.
Article 6
Exchange of information through points of single contact
The Member States shall exchange information pursuant to Articles 4 and 5 through the points of single contact and shall provide the relevant information requested without undue delay.
CHAPTER III
PEER REVIEW
Article 7
Principles
1. Peer review is a mechanism for cooperation between Member States designed to ensure interoperability and security of notified electronic identification schemes.
2. Participation of the peer Member States shall be voluntary. The Member State whose electronic identification scheme is to be peer reviewed may not refuse the participation of any peer Member State in the peer reviewing process.
3. Each Member State involved in the peer reviewing process shall bear the costs it incurs through participation in this process.
4. Any information obtained through the peer reviewing process shall be used solely for this purpose. Representatives of the Member States conducting the peer review shall not disclose any sensitive or confidential information obtained in the course of the peer review to third parties.
5. Peer Member State shall reveal any possible conflict of interest which representatives nominated by them to take part of the peer review activities might have.
Article 8
Initiation of the peer reviewing process
1. The peer review process may be initiated in one of the two ways:
(a) A Member State requests its electronic identification scheme to be peer reviewed.
(b) A Member State or Member States express the wish to peer review the electronic identification scheme of another Member State. In their request, they shall indicate the reasons for wishing to conduct the peer review and shall explain how the peer review would contribute to the interoperability or security of Member States' electronic identification schemes.
2. A request under paragraph 1 shall be announced to the Cooperation Network pursuant to paragraph 3. Any Member States intending to take part in the peer review shall inform the Cooperation Network within 1 month.
3. The Member State whose electronic identification scheme is to be peer reviewed shall provide the Cooperation Network with the following information:
(a) the electronic identification scheme to be peer reviewed;
(b) the peer Member State(s);
(c) the timeline for the expected outcome to be presented to the Cooperation Network; and
(d) the arrangements on how to conduct the peer review pursuant to Article 9(2).
4. An electronic identification scheme shall not be subject to further peer review within 2 years of a peer review being concluded, unless agreed by the Cooperation Network.
Article 9
Preparation for the peer review
1. The peer Member States shall provide the Member State whose electronic identification scheme is being peer reviewed with the names and contact details of their representatives carrying out the peer review within 2 weeks after the peer Member States informed of their intention to take part in the review pursuant to Article 8(2). The Member State whose electronic identification scheme is being peer reviewed may refuse the participation of any representative in case of conflict of interest.
2. Taking into account the guidance provided by the Cooperation Network, the Member State whose electronic identification scheme is being peer reviewed and the peer Member States shall agree on:
(a) the scope and the arrangements of the peer review on the bases of the scope of Article 7(g) or Article 9(1) of Regulation (EU) No 910/2014 and interest expressed by the peer Member States in the initiation phase;
(b) timing of the peer review activities by determining an end deadline which cannot exceed 3 months after the peer Member States provided the names and contact details of their representatives pursuant to paragraph 1;
(c) other organisational arrangements relating to the peer reviewing process. The Member State whose electronic identification scheme is being peer reviewed shall inform the Cooperation Network of the agreement.
Article 10
Peer reviewing
1. The Member States involved shall conduct the peer review jointly. The Member States' representatives shall choose one representative from among themselves to coordinate the peer review.
2. The Member State whose electronic identification scheme is being peer reviewed shall provide the peer Member States with the notification form submitted to the Commission or a description of the scheme pursuant to Article 7(g) of Regulation (EU) No 910/2014 if the respective electronic identification scheme has not yet been notified. All supporting documents and additional relevant information shall also be provided.
3. Peer reviewing may include, but is not limited to, one or more of the following arrangements:
(a) the assessment of relevant documentation;
(b) examination of processes;
(c) technical seminars; and
(d) consideration of independent third party assessment.
4. The peer Member States may require additional documentation related to the notification. The Member State whose electronic identification scheme is peer reviewed shall provide such information unless:
(a) it does not possess such information and to obtain it would cause an unreasonable administrative burden;
(b) such information concerns matters of public security or national security;
(c) such information concerns matters of business, professional or company secrets.
Article 11
Outcome of the peer review
The peer Member States shall prepare and present within 1 month from the end of the peer review process a report for the Cooperation Network. Members of the Cooperation Network may require further information or clarification from the Member State whose electronic identification scheme was peer reviewed or from the peer Member States.
CHAPTER IV
THE COOPERATION NETWORK
Article 12
Establishment and working methods
A network to promote the cooperation pursuant to Article 12(5)-(6) of Regulation (EU) No 910/2014 ('the Cooperation Network') is hereby established. The Cooperation Network shall conduct its work through a combination of meetings and written procedure.
Article 13
Draft notification form
When the notifying Member State provides the description of its electronic identification scheme pursuant to Article 7(g) of Regulation (EU) No 910/2014, it shall provide the Cooperation Network with the draft notification form properly filled in and all the necessary accompanying documentation as specified in Article 9(1) of Regulation (EU) No 910/2014 and in the implementing act referred to in Article 9(5) of Regulation (EU) No 910/2014.
Article 14
Tasks
The Cooperation Network shall be mandated to:
(a) facilitate the cooperation between Member States on the establishment and functioning of the interoperability framework pursuant to Article 12(5)-(6) of Regulation (EU) No 910/2014, through the exchange of information;
(b) establish methods for the efficient exchange of information relating to all issues concerning electronic identification;
(c) examine the relevant developments in the electronic identification sector and discuss and develop good practices on interoperability and security for electronic identification schemes;
(d) adopt opinions on developments relating to the interoperability framework referred to in Article 12(2)-(4) of Regulation (EU) No 910/2014;
(e) adopt opinions on developments concerning the minimum technical specifications, standards and procedures regarding assurance levels set out in the implementing act adopted pursuant to Article 8(3) of Regulation (EU) No 910/2014, and the guidance which accompanies that implementing act;
(f) adopt guidance on the scope of peer review and its arrangements;
(g) examine the outcome of the peer reviews pursuant to Article 11;
(h) examine the filled draft notification form;
(i) adopt opinions on how an electronic identification scheme to be notified, the description of which was provided pursuant to Article 7(g) of Regulation (EU) No 910/2014, meets the requirements of Article 7 and Articles 8(1)-(2) and 12(1) of that Regulation and the implementing act referred to in Article 8(3) of that Regulation.
Article 15
Membership
1. The Member States and countries in the European Economic Area shall be the members of the Cooperation Network.
2. Representatives of acceding countries shall be invited by the Chair to attend the meetings of the Cooperation Network as observers as from the date of signature of the Treaty of accession.
3. The Chair may invite experts from outside the Cooperation Network with specific competence in a subject on the agenda to participate in the work of the Cooperation Network or sub-group on an ad hoc basis, after consultation with the Cooperation Network. In addition, the Chair may give observer status to individuals and organisations after consultation with the Cooperation Network.
Article 16
Operation
1. The meetings of the Cooperation Network shall be chaired by the Commission.
2. In agreement with the Commission, the Cooperation Network may establish sub-groups to examine specific questions on the basis of terms of reference defined by the Cooperation Network. Such sub-groups shall cease to exist as soon as their mandate is fulfilled.
3. Members of the Cooperation Network, as well as invited experts and observers, shall comply with the obligations of professional secrecy laid down by the Treaties and their implementing rules, as well as with the Commission's rules on security regarding the protection of EU classified information, laid down in the Annex to Commission Decision 2001/844/EC, ECSC, Euratom (2). Should they fail to respect these obligations, the Commission may take all appropriate measures.
4. The Cooperation Network shall hold its meetings on Commission premises. The Commission shall provide secretarial services.
5. The Cooperation Network shall publish its opinions adopted pursuant to Article 14(i) in a dedicated website. When such an opinion contains confidential information, the Cooperation Network shall adopt a non-confidential version of that opinion for the purposes of such publication.
6. The Cooperation Network shall adopt, by simple majority of its members, its rules of procedure.
Article 17
Meeting expenses
1. The Commission shall not remunerate those involved in the activities of the Cooperation Network for their services.
2. Travel expenses incurred by participants in the meetings of the Cooperation Network may be reimbursed by the Commission. Reimbursement shall be made in accordance with the provisions in force within the Commission and within the limits of the available appropriations allocated to the Commission services under the annual procedure for the allocation of resources.
Article 18
Entry into force
This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
Done at Brussels, 24 February 2015.
For the Commission
The President
Jean-Claude JUNCKER
(1) OJ L 257, 28.8.2014, p. 73.
(2) Commission Decision 2001/844/EC, ECSC, Euratom of 29 November 2001 amending its internal Rules of Procedure (OJ L 317, 3.12.2001, p. 1).