Proposed Amendments to the German Digital Signature Law



Draft Law concerning the Conditions for Electronic Signatures and for the Amendment of Further Legal Provisions
As approved by the Federal Cabinet on August 16, 2000

Translation and Commentary by Christopher Kuner, Esq.
Morrison & Foerster LLP, Brussels
Translation copyright 2000 Christopher Kuner.  Reproduction is permitted, provided that this translator’s note, including the above copyright notice, is retained in its entirety.

Commentary:  This is a translation of the complete text of the proposed amendments to the German digital signature law, as approved by the Federal Cabinet on August 16, 2000; the original German text is available at http://www.iid.de/iukdg/eval/RefE-DLR.pdf, and the government’s commentary (Begründung) at http://www.iid.de/iukdg/eval/Begruendung-DLR.pdf.  The revision of the Law consists of two sets of draft legislation:  the amendments to the Digital Signature Law (translated here), and a second set of proposed amendments to civil law and civil procedure law, which would give electronic signatures enhanced legal status, and which were approved by the Federal Cabinet on September 6, 2000 (the second set of drafts is available in German at http://www.bmj.bund.de/ggv/bgbrege1.pdf).  The complete package will now be considered by the German parliament (Bundestag), with a view toward having it enacted into law by early 2001.

The proposed amendments to the Digital Signature Law would represent a substantial change to existing law.  Besides implementing the provisions of the EU Directive on Electronic Signatures into German law, they would substantially change the structure and terminology used in the Law.  A scheme for voluntary accreditation of certification service providers would be introduced, as well as de facto incentives for the use of accredited CSPs (for example, foreign certificates would only have the same legal effect as officially-accredited certificates if they demonstrate “equivalent security”, see § 23(2)).  At the same time, the amendments would retain the basic concept of the Digital Signature Law, i.e., a voluntary, high-security infrastructure for electronic signatures based on PKI technology overseen by a government agency (translated here as “the Authority”).
 


Article 1

Section 1 General Provisions

§ 1 Objective and Area of Application

(1) The purpose of this law is to create general conditions for electronic signatures.

(2) The application of other procedures for electronic signatures is permitted, insofar as particular electronic signatures are not legally required.

§ 2 Definitions

Within the meaning of this law:

1. “electronic signatures” are data in electronic form, which are attached to other electronic data or are logically connected with them, and which are used for authentication.

2. “advanced electronic signatures” are electronic signatures within the meaning of 1., which:

a) are exclusively linked to the signature key owner;

b) are capable of identifying the signature key owner;

c) are created using means that the signature key owner can maintain under his exclusive control; and

d) are linked to the data to which they relate in such a manner that any subsequent change to the data is detectable.


3. “qualified electronic signatures” are electronic signatures within the meaning of 2., which:
 

a) are based on a qualified certificate that was valid at the time of their creation; and

b) were created with a secure signature creation device.

4. “signature keys” are unique electronic data (such as private cryptographic keys) used for the creation of an electronic signature.

5. “signature testing keys” are electronic data (such as public cryptographic keys) used for the testing of an electronic signature.

6. “certificates” are electronic attestations, by means of which a person’s signature testing keys may be attributed and the identity of such person may be confirmed.

7. “qualified certificates” are electronic attestations under 6. for natural persons that satisfy the requirements of § 7, and are issued by certification service providers satisfying the requirements of this Law and the Ordinance under § 24.

8. “certification service providers” are natural or legal persons that issue qualified certificates or qualified time stamps.

9. “signature key owners” are natural persons who possess signature keys and to whom the corresponding signature testing keys are attributed by means of qualified certificates.

10. “secure signature creation devices” are software or hardware devices for the storage and use of the corresponding signature keys, and which satisfy the requirements of this Law and the Ordinance under § 24 and are intended for qualified electronic certificates.

11. “signature application components” are software or hardware products that are intended to:

a) introduce data to the process of creating or testing qualified electronic signatures, or

b) test qualified electronic signatures or re-test qualified certificates, and display the results.

12. “technical components for certification services” are software or hardware products intended to:

a) create signature keys and transfer them into a secure signature creation device;

b) publicly re-test qualified certificates and, if necessary, make them accessible; or

c) create qualified time stamps.

13. “electronic signature products” are secure signature creation devices, signature application components, and technical components for certification services.

14. “qualified time stamps” are electronic attestations of a certification service provider satisfying the requirements of this Law and the Ordinance under § 24 that it had certain electronic data at a certain point in time.

15. “voluntary accreditation” is a procedure for granting permission coupled with special rights and duties for the operation of certification services.

§ 3 The Authority

The Authority’s duties under this Law and the Ordinance under § 24 shall be carried out by the agency specified in § 66 of the Telecommunications Act.
 


Section 2 Certification Service Providers

§ 4 General Requirements

(1) The operation of a certification service does not require a license, within the scope of existing law.

(2) A certification service may only be operated by someone who demonstrates the necessary reliability, expertise, and financial coverage under § 12, and who ensures compliance with the requirements for the operation of a certification service under this Law and the Ordinance under § 24 nos. 1 and 3.  The necessary reliability is demonstrated by guaranteeing compliance with the legal provisions relevant for operation of a certification service.  The necessary expertise exists when the personnel working in the certification service possess the necessary knowledge, experience, and skill.  The further requirements for the operation of a certification service exist when the measures to fulfill the security requirements under this Law and the Ordinance under § 24 nos. 1 and 3 have been demonstrated to the Authority in a Security Plan, and when they are appropriate and have been practically implemented.

(3) Whoever begins operation of a certification service shall notify this to the Authority by commencement of operations at the latest.  Fulfillment of the requirements under (2) shall be appropriately declared upon notification.

(4) Fulfillment of the requirements under (2) shall be ensured during the entire period that the certification service is in operation.  Circumstances that no longer make this possible shall be immediately notified to the Authority.

(5) A certification service provider may transfer duties under this Law and the Ordinance under § 24 to third parties, as long as this is mentioned in the Security Plan under (2) sent. 4.

§ 5 Issuance of Qualified Certificates

(1) A certification service provider shall reliably identify persons who apply for a qualified certificate.  It shall confirm the attribution of a signature testing key to an identified person by a qualified certificate, and shall maintain access to such at all times for the public over publicly-accessible telecommunications channels in a verifiable manner.  Access to a qualified certificate may only be maintained with the agreement of the signature key owner.

(2) Upon demand of the applicant, a qualified certificate may contain information about his representation of a third party, as well as professional or other information concerning his person (“attributes”).  Consent of such third party shall be proven with regard to information about representation; professional or other information about a person shall be confirmed with the relevant professional body or other competent instance.  Information about representation of a third party may only be included in a qualified certificate upon proof of consent under sent. 2, and professional or other information only upon presentation of confirmation under sent. 2.  Further personal information may only be included in a qualified certificate with consent of the person affected.

(3) Upon demand of the applicant, the certification service provider shall list a pseudonym in a qualified certificate instead of the applicant’s name.  If a qualified certificate includes information about representation of a third party, or professional or other information concerning a person, the pseudonym may only be used with consent of such third party or of the relevant professional body or other competent instance.

(4) A certification service provider shall take measures to ensure that data for qualified certificates cannot be imperceptibly forged or falsified, and shall take further measures to guarantee the security of the signature key.  Storage of signature keys outside a secure signature creation device is not permitted.

(5) In performing certification services, a certification service provider shall use reliable personnel and electronic signature products under this Law and the Ordinance under § 24.

(6) A certification service provider shall convince itself in an appropriate fashion that the applicant possesses the accompanying secure signature creation device.

§ 6 Duty of Instruction

(1) A certification service provider shall instruct the applicant under § 5(1) about the measures necessary to further the security of qualified electronic signatures and their reliable testing.  It shall inform the applicant that data with a qualified electronic signature must, in some cases, be re-signed before the security of the signature decreases over time.

(2) A certification service provider shall inform the applicant that a qualified electronic signature has the same legal value as a handwritten signature, as long as not otherwise provided by law.  For this purpose the applicant shall be provided with a written notification, the receipt of which he shall confirm by a separate signature.  Electronic form may not be used for the initial application.

§ 7 Content of Qualified Certificates

(1) A qualified certificate shall bear a qualified electronic signature, and shall contain the following information:

1. the name of the signature key owner, which shall contain an addendum in case there is a danger of confusion, or an unmistakable pseudonym attributed to the signature key owner which shall be discernible as such;
2. the attributed signature testing key;
3. the designation of the algorithms with which the signature testing key of the signature key owner and the signature testing key of the certification service provider can be used;
4. the serial number of the certificate;
5. the beginning and end of the certificate’s validity;
6. the name of the certification service provider and the country in which it is established;
7. information about whether the signature key is limited to certain uses, either by type or amount;
8. information that the certificate is a qualified certificate; and
9. attributes of the signature key owner (when appropriate).


(2) Attributes may also be listed in a separate qualified certificate (“qualified attribute certificate”).  For such a certificate, the information under (1) may be replaced by unambiguous reference data of the qualified certificate to which they refer, as long as they are not necessary for use of the qualified attribute certificate.

§ 8 Blocking of Qualified Certificates

(1) A certification service provider shall immediately block a qualified certificate if a signature key holder or his representative so demands, if the certificate was issued based on false information under § 7, if the certification service provider terminates operations and they are not continued by another certification service provider, or if the Authority orders blocking under § 19(4).  Blocking shall indicate the point in time from which it takes effect.  Retrospective blocking is not permitted.  If a qualified certificate was issued based on false information, the certification service provider may in addition mark the certificate as such.

(2) If a qualified certificate contains information under § 5(2), then, in addition, such third party or the relevant professional body or other competent instance may demand blocking of the relevant certificate under (1), if the requirements for the professional or other information concerning the person cease to be valid after their inclusion in the qualified certificate.

§ 9 Qualified Time Stamps

If a certification service provider issues qualified time stamps, § 5(5) shall apply accordingly.

§ 10 Documentation

(1) A certification service shall document the security measures for compliance with this Law and the Ordinance under § 24(1) and (3), as well as qualified certificates issued in accordance with sent. 2, so that the data and their genuineness can be tested at any time.  Such documentation shall immediately be implemented so that it cannot be retroactively changed in a way which is imperceptible.  This also applies to the issuance and blocking of qualified certificates.

(2) Upon demand, the signature key owner shall be allowed to test data and procedural information concerning him.

§ 11 Liability

(1) If a certification service provider violates the requirements of this Law or the Ordinance under § 24, or if its electronic signature products or other technical security measures fail, then it shall compensate third parties for damages suffered by relying on information in a qualified certificate, on a qualified time stamp, or on other information under § 5(1) sent. 2.  The duty of compensation shall not apply if the third party knew or should have known that the information was incorrect.

(2) The duty of compensation is excluded if the certification service provider was not liable for the violation.

(3) If a qualified certificate limits use of the signature key by type or amount, then the duty of compensation applies only within the scope of such restrictions.

(4) The certification service provider is liable for its agents under § 4(5) and for guaranteeing foreign certificates under § 23(1) no. 2 in the same manner as for its own actions.  § 831(1) sent. 2 of the Civil Code shall not apply.

§ 12 Financial Coverage

A certification service provider shall have appropriate financial coverage to cover damages culpably caused by the operation of a certification service.  The minimum amount shall be DM 500,000.00 to cover damages caused by an occurrence leading to liability of the type referred to in § 11.

§ 13 Cessation of Operations

(1) A certification service provider shall immediately inform the Authority if it ceases operations.  It shall ensure that qualified certificates valid at the time of cessation of operations are taken over by another certification service provider, or that they are blocked.  It shall also inform the affected signature key owners about the cessation of its operations and the assumption of qualified certificates by another certification service provider.

(2) A certification service provider shall turn over the documentation under § 10 to the certification service provider which takes over the certificates under (1).

(3) The certification service provider shall immediately provide the Authority with any application for commencement of bankruptcy proceedings.

§ 14 Data Protection

(1) A certification service provider may collect personal data only directly from the affected person and only insofar as necessary for the purposes of a qualified certificate.  Collecting data from a third party is only permissible if the person affected gives his consent.  Data may only be used for purposes other than those described in sent. 1 if this Law so permits or the affected person has consented.

(2) In the case of a signature key owner using a pseudonym, the certification service provider shall transmit data concerning his identity to the proper authorities upon request, insofar as this is necessary to prosecute crimes or misdemeanors, to protect against dangers to public safety or public order, or to fulfill the legal duties of the constitutional protection authorities of the federal government and the federal states, the federal security services, the military security services, or the tax authorities, or if so ordered by a court in a pending case.  Such information shall be documented.  The requesting authorities shall inform the signature key owner about disclosure of the pseudonym as soon as the exercise of their legal duties will no longer be thereby impaired, or if the signature key owner’s interest in being so informed outweighs other considerations.

(3) Paras. (1) and (2) shall also apply to certification service providers other than those referred to in § 2.8. that issue certificates for electronic signatures.
 


Section 3 Voluntary Accreditation

§ 15 Voluntary Accreditation of Certification Service Providers

(1) Certification service providers may apply for accreditation from the Authority; the Authority may make use of private instances when performing accreditations.  Accreditation shall be granted if the certification service provider demonstrates that the provisions of this Law and the Ordinance under § 24 have been complied with.  Accredited certification service providers shall receive a seal from the Authority, which demonstrates the comprehensively-tested technical and administrative security of the qualified electronic signatures that are based on their qualified certificates.  They may refer to themselves as “accredited certification service providers” and in business and legal transactions may refer to the security which they have demonstrated.

(2) In the public sector, qualified electronic signatures based on a qualified certificate of a certification service provider under (1) may be required by law.

(3) In order to fulfill the requirements of (1), the Security Plan under § 4(2) sent. 4 shall be comprehensively tested and certified for suitability and practical implementation.  Testing and certification shall be repeated upon changes having an effect on security, as well as at regular intervals.

(4) Accreditation may be made contingent on further requirements, insofar as this is necessary to ensure fulfillment of the requirements under this Law and the Ordinance under § 24 upon commencement of operations and during operation.

(5) Accreditation shall be refused if the requirements under this Law and the Ordinance under § 24 have not been fulfilled; § 19 shall apply accordingly.

(6) If the duties under this Law or the Ordinance under § 24 have not been fulfilled, or if there are grounds for refusal under (5), then the Authority shall revoke accreditation, or shall cancel it (if the reasons already existed when accreditation was granted), if measures under § 19(2) are likely to be ineffective.

(7) In case of revocation or cancellation of accreditation or in case of cessation of operations by an accredited certification service provider, the Authority shall ensure the assumption of operations by another accredited certification service provider, or the winding up of agreements with the signature key owners.  The same shall also apply in case of application for the commencement of bankruptcy proceedings, if operations are not continued.  If no other accredited certification service provider takes over the documentation under § 13(2), then the Authority shall do so.

(8) With regard to electronic signature products, fulfillment of the requirements under § 17(1)-(3) and of the Ordinance under § 24 shall be adequately tested under the academic and technical state of the art, and shall be certified by an instance under § 18; (1) sent. 3 shall apply accordingly.  The accredited certification service provider shall:

1. only use electronic signature products that have been tested and certified under sent. 1 for its certification operations;

2. only issue qualified certificates for persons who have been proven to possess tested and certified secure signature creation devices under sent. 1;

3. inform signature key owners in the scope of § 6(1) about signature application components tested and certified under sent. 1.


§ 16 Certificates of the Authority

(1) The Authority shall issue to accredited certification service providers the qualified certificates necessary for their operations.  The regulations for the issuance of qualified certificates by accredited certification service providers shall also apply to the Authority.  It shall block qualified certificates which it has issued if an accredited certification service provider ceases operations, or if accreditation is revoked or cancelled.

(2) The Authority shall maintain access to the following at all times for the public over publicly-accessible telecommunications channels in a verifiable manner:

1. the names, addresses, and communications channels of accredited certification service providers;
2. the revocation or cancellation of accreditations;

3. the certificates which it has issued, as well as their blocking; and

4. the cessation and the prohibition of the operation of an accredited certification service provider.


(3) The Authority shall also issue any electronic attestations needed by certification service providers or manufacturers for the automatic authentication of products under § 15(8).
 


Section 4 Technical Security

§ 17 Electronic Signature Products

(1) For the storage of signature keys and the creation of qualified electronic signatures, secure signature creation devices shall be used which make the forgery of signatures and the falsification of signed data reliably perceptible, and which protect against unauthorized use of the signature keys.  Para. (3) no. 1 applies correspondingly if the signature keys are created in a secure signature creation device.

(2) For the representation of data to be signed, signature application components shall be used which allow the creation of a qualified electronic signature to be unmistakably displayed before the fact, and which allow it to be determined which data the signature refers to.  For the testing of signed data, signature application components shall be used which allow the following to be determined:

1. which data the signature refers to;
2. whether the signed data have been changed;
3. to which signature key owner the signature is to be attributed;
4. which data are contained in the qualified certificate that the signature is based on (including any accompanying attribute certificates); and

5. what has been the result of re-testing of the certificates under § 5(1) sent. 2.


Signature application components shall, if necessary, also sufficiently allow the contents of the signed data or the data to be signed to be determined.  The signature key owner should use secure signature application components, or should take other appropriate measures to ensure the security of qualified electronic signatures.

(3) Technical components for certification services shall contain measures that ensure the following:

1. regarding the creation and transmission of signature keys, the uniqueness and secrecy of the signature keys shall be assured, and storage outside the secure signature creation device shall be excluded;
2. qualified certificates made accessible or subject to testing under § 5(1) sent. 2 shall be protected from unauthorized alteration and access; and
3. regarding the creation of qualified time stamps, forgeries and falsifications shall be excluded.


(4) Satisfaction of the requirements under (1) and (3) no. 1 as well as of the Ordinance under § 24 is to be determined by an instance under § 18.  A declaration by the manufacturer of an electronic signature product is sufficient to satisfy the requirements under (2) and (3) nos. 2-3.

§ 18 Recognition of Testing and Certification Instances

(1) Upon application, the Authority shall recognize a natural or legal person as a certification instance under § 17(4) or § 15(8) sent. 1, or as a testing and certification instance under § 15(3), if such person demonstrates the necessary reliability, independence, and expertise for such activity.  Such recognition may be restricted in substance, may be temporary, or may be made for a limited period and made contingent on meeting certain requirements.

(2) Those instances recognized under (1) shall carry out their duties impartially, without direction, and conscientiously.  They shall document all tests and certifications, and provide such documentation to the Authority if they cease operations.
 


Section 5 Supervision

§ 19 Supervisory Measures

(1) Supervision of compliance with this Law and with the Ordinance under § 24 is to be carried out by the Authority, which may make use of private instances in carrying out its supervisory functions.  A certification service provider becomes subject to supervision by the Authority upon commencement of operations.

(2) The Authority may take measures to ensure compliance by certification service providers with this Law and the Ordinance under § 24.

(3) The Authority shall temporarily, partially, or wholly forbid a certification service provider from commencing or continuing operations, if facts justify the assumption that the certification service provider:

1. does not possess the reliability necessary for the operation of a certification service;

2. does not demonstrate that it possesses the necessary expertise;
3. does not have the necessary financial coverage;
4. uses inappropriate electronic signature products;
5. does not satisfy the further requirements for the operation of a certification service under this Law and the Ordinance under § 24.


and that measures under (2) are unlikely to solve the problem.

(4) The Authority may block qualified certificates if facts justify the assumption that such certificates have been forged or are not sufficiently secure from forgery, or that secure signature creation devices demonstrate security lapses which would permit the forgery of qualified electronic signatures (or of data signed by such signatures) to go undetected.

(5) The validity of qualified certificates issued by a certification service provider shall remain unaffected by the prohibition of operations or by its cessation, as well as by the revocation and repeal of accreditation.

(6) The Authority shall make publicly available the names of certification service providers that have notified themselves to it, as well as those of certification service providers that have ceased operations under § 13 or which have been forbidden to commence or continue operations under § 19(3).

§ 20 Duty of Cooperation

(1) Certification service providers and third parties working on their behalf under § 4(5) shall grant to the Authority and persons empowered by it the right to enter business premises during normal business hours; upon request shall present for inspection relevant books, records, receipts, writings, and other materials (also ones kept in electronic form); shall give information; and shall provide all necessary support.

(2) One under a duty to provide information may refuse to do so, if by so doing he would put himself or a family member referred to in § 383(1) nos. 1-3 of the Civil Procedure Code in danger of criminal prosecution or of prosecution under the Law on Misdemeanors.  He is to be reminded of this right.
 


Section 6 Concluding Provisions

§ 21 Fines

(1) Anyone committing any of the following acts, either intentionally or negligently, shall be guilty of a misdemeanor:

1. operating a certification service in violation of § 4(2) sent. 1, also in conjunction with the Ordinance under § 24 nos. 1 and 3;
2. failing to make a notification, or making an incorrect or tardy notification in violation of § 4(3) sent. 1 or § 13(1) sent. 1;
3. failing to identify a person, or identifying a person incorrectly or tardily in violation of § 5(1) sent. 1 in conjunction with § 24(1);
4. failing to keep a qualified certificate accessible for re-testing in violation of § 5(1) sent. 2, also in conjunction with the Ordinance under § 24 no. 1;
5. keeping a qualified certificate accessible in violation of § 5(1) sent. 3;
6. incorporating information in a qualified certificate in violation of § 5(2) sent. 3;
7. failing to take measures or taking them incorrectly in violation of § 5(4) sent. 2, also in conjunction with the Ordinance under § 24 no. 1;
8. storing a signature key in violation of § 5(4) sent. 3;

9. failing to document a security measure or a qualified certificate, or doing so incorrectly or tardily in violation of § 10(1) sent. 1, also in conjunction with the Ordinance under § 24 no. 1;
10. failing to ensure that a qualified certificate is taken over by another certification service provider and failing to block a qualified certificate or doing so tardily in violation of § 13(1) sent. 2, also in conjunction with the Ordinance under § 24 no. 1;
11. failing to notify a signature key owner, or doing so incorrectly or tardily in violation of § 13(1) sent. 3 in conjunction with the Ordinance under § 24 no. 1.


(2) Such misdemeanor may be punished by a fine of up to DM 100,000.00 (in cases involving nos. 1, 7, and 8), or of up to DM 20,000.00 (for the remaining nos.).

(3) The administrative authority within the meaning of § 36(1) no. 1 of the Act regarding Misdemeanors is the Regulatory Authority for Telecommunications and Postal Services.

§ 22 Costs and Contributions

(1) The Authority shall charge costs (fees and expenses) for the following official acts:
 

1. measures within the scope of the voluntary accreditation of certification service providers under § 15(1) and § 15(3)-(8) and of the Ordinance under § 24;

2. measures within the scope of issuing qualified certificates under § 16(1) as well as issuing attestations under § 16(3);
3. measures within the scope of recognizing testing and certification instances under § 18 and under the Ordinance (§ 24);
4. measures within the scope of supervision under § 19(1)-(4) in conjunction with § 4(2)-(4) and the Ordinance under § 24.


Costs shall also be levied for the administrative expense incurred by the Authority in the course of supervising private instances; the Act on Administrative Costs shall apply.

(2) Certification service providers that have notified their operations under § 4(3) shall pay a fee to the Authority on an annual basis, as compensation for the administrative expense of continual compliance with the requirements under § 19(6).  Certification service providers that are accredited under § 15(1) shall pay a fee to the Authority on an annual basis, as compensation for the administrative expense of continual compliance with the requirements under § 16(2).

§ 23 Foreign Electronic Signatures and Electronic Signature Products

(1) Electronic signatures that can be tested by means of signature testing data for which a foreign qualified certificate from another Member State of the European Union or from another Contracting State of the Treaty on the European Economic Area is present are deemed equivalent to qualified electronic signatures, as long as they satisfy Art. 5(1) of the Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community Framework for Electronic Signatures.  Electronic signatures from third countries are deemed equivalent to qualified electronic signatures, as long as the certificate is publicly issued as a qualified certificate by a certification service provider from such country, such certificate is intended to be used with an electronic signature within the meaning of Art. 5(1) of Directive 1999/93/EC, and:

1. the certification service provider fulfils the requirements of the Directive and has been accredited in a Member State of the European Union or in another Contracting State of the Treaty on the European Economic Area; or

2. a certification service provider established in the Community which fulfils the requirements laid down in the Directive guarantees the certificate; or

3. the certificate or the certification service provider is recognized under a bilateral or multilateral agreement between the European Union and third countries or international organizations.


(2) Electronic signatures under (1) are deemed equivalent to qualified electronic signatures based on the qualified certificate of a certification service provider under § 15(1), as long as they demonstrably have the same level of security.

(3) Electronic signature products, in relation to which it is ascertained in another Member State of the European Union or in another Contracting State of the Treaty on the European Economic Area that they satisfy the requirements of Directive 1999/93/EC, shall be recognized.  Electronic signature products from a State mentioned in sent. 1, or from a third country, are deemed equivalent to products tested under § 15(8), as long as they demonstrably have the same level of security.

§ 24 Ordinance

The Federal Government is hereby empowered to enact by ordinance the legal provisions necessary to implement §§ 3-23 with regard to the following:

1. the structure of the duties of certification service providers regarding the commencement of operations, the operations themselves, and the cessation of operations, under § 4(2)-(3), § 5, § 6(1), § 8, § 10, § 12, § 13, and § 15;

2. facts leading to the imposition of fees and their level, as well as the amount of contributions and the procedure for imposing contributions by the Authority (contributions are to be based on administrative expenses, e.g., costs for personnel and material, to the extent that such expenses have not already been compensated for by fees);

3. the structure of the substance and the validity period of qualified certificates under § 7;

4. further requirements for electronic signature products under § 17(1)-(3), as well as the testing of such products and confirmation that the requirements have been fulfilled under § 17(4) and § 15(8);

5. the details of the certification procedure and of the operation of testing and certification instances under § 18;

6. the time period and the procedure according to which data should be re-signed with a qualified electronic signature under § 6(1) sent. 2;

7. the procedure for determining equivalent security of foreign electronic signatures and foreign signature products under § 23.


§ 25 Transitional Provisions

(1) The certification instances accredited under the Digital Signature Law of July 28 1997 (BGBl. I p. 1870, 1872) shall be deemed to be accredited within the meaning of § 15.  Such instances shall provide the Authority with proof of financial coverage under § 12 within three months of this Law entering into force.

(2) Certificates issued under § 5 of the Digital Signature Law of July 28 1997 (BGBl. I p. 1870, 1872) by the certification instances referred to in (1) up to entry into force of this Law are deemed to be qualified certificates.  Owners of certificates under sent. 1 are to be notified appropriately within six months of this Law entering into force by the certification instances in accordance with § 6(2) sents. 1 and 2.

Article 2

Adjustment to the Euro

The Digital Signature Law of ….. (BGBl. I p. …..) is hereby amended as follows:

1. In § 12(2), the words “DM 500,000” are hereby replaced by the words “Euros 250,000”.
2. In § 21(2), the words “DM 100,000” are hereby replaced by the words “Euros 50,000”, and the words “DM 20,000” are hereby replaced by the words “Euros 10,000”.

Article 3

Adaptation of Federal Law

(1) In § 15 sent. 2 of the Ordinance on the Awarding of Public Contracts of ….. 2000 (BGBl. I p. …..), the words “signature within the meaning of the Digital Signature Law” are hereby replaced by the words “a qualified electronic signature under the Digital Signature Law”.

(2) In § 7(3) of the Social Insurance Calculation Ordinance of July 15 1999 (BGBl. I p. 1627), the words “digital signature within the meaning of § 2(1) of the Digital Signature Law (Article 3 of the Law of July 22 1997, BGBl. I p. 1870, 1872)” are hereby replaced by the words “a qualified electronic signature under the Digital Signature Law”.

Article 4

Return to a Uniform Order

The portions of the amended Ordinance based on Article 3(1)-(2) may be amended by ordinance based on the relevant authorizations.

Article 5

Entry into Force; Repeal

This Law enters into force (except as provided in sent. 2) on the day after its promulgation; the Digital Signature Law of July 28 1997 (BGBl. I p. 1870, 1872) is simultaneously repealed.  Article 2 enters into force on January 1 2002.