Presidência do Conselho de Ministros (Council of Ministers' Presidency)
Administrative Rule
Decree-Law no. 290-D/1999, of 2 August, which approves the legal scheme of electronic documents and digital signatures, provides that all certifying bodies issuing qualified certificates must be registered with the accreditation authority.
Decree-Law no. 116-A/2006, of 16 June, created the Sistema de Certificação Electrónica do Estado - Infra-Estrutura de Chaves Públicas (State’s Electronic Certification System - Public Key Infrastructure) (SCEE) and appointed the Autoridade Nacional de Segurança - ANS – (National Safety Authority) as the national accreditation authority, in lieu of Instituto das Tecnologias da Informação da Justiça (Institute for Justice Information Technologies), with the power to accredit and monitor certifying bodies of the SCEE.
Paragraph 2 j) of Decree-Law no. 170/2007, of 3 May, which approved the organisation of the Gabinete Nacional de Segurança (National Safety Office), further to the Programa para a Reestruturação da Administração Central do Estado (General Government Restructuring Programme), established that it is incumbent on this service to act as accrediting and monitoring authority both as regards bodies working in the scope of the SCEE and of bodies working in the legal scheme of electronic documents and electronic signatures, for the purposes defined therein.
More recently, Decree-Law no. 88/2009, of 9 April, altered not only the legal scheme of electronic documents and electronic signatures but also the SCEE legal scheme, in order to provide a better legal protection to the use of electronic certification services in public and private sectors.
At the level of monitoring tasks included in the electronic certification activities carried out by the national accreditation authority, it is maintained that certifying bodies issuing qualified certificates must be registered with that authority. In this regard, and safeguarded the necessary compatibility of the regime of electronic documents and electronic signatures with Directive no. 1999/93/EC, of the European Parliament and of the Council, of 13 December, it has been provided that certifying bodies accredited in or subject to a supervision system under another Member State of the European Union, or certifying bodies of third countries that fulfil the requirements laid down in the mentioned directive, are also subject to the obligation of registration with the national accreditation authority, notwithstanding the fact that the activity pursued by such bodies is acknowledged as being equivalent to that of certifying bodies established in Portugal. This registration obligation aims to evidence that those bodies are deemed to be fully equivalent to other certifying bodies, as well as to guarantee the appropriate publicizing of the activity carried out by such bodies, taking into account the legal security of users of electronic certification services.
The purpose of this Administrative Rule is thus to adjust the terms of the registration of certifying bodies issuing qualified certificates both to the new framework of the national accreditation authority further to the creation of the SCEE by Decree-Law no. 116-A/2006, of 16 June, as well as to the alterations recently introduced into the legal scheme of electronic documents and electronic signatures by Decree-Law no. 88/2009, of 9 April.
Therefore:
Pursuant to paragraph 2 of article 9 of Decree-Law no. 290-D/1999, of 2 August, as amended by Decree-Law no. 62/2003, of 3 April, by Decree-Law no. 165/2004, of 6 July, by Decree-Law no. 116-A/2006, of 16 June, and by Decree-Law no. 88/2009, of 9 April, and to Decree-Law no. 116-A/2006, of 16 June, as amended by Decree-Law no. 88/2009, of 9 April, and under paragraph 1 h) of Order no. 14 405 (II Series), of 21 June, published in the Official Gazette, II Series, no. 124, of 30 June 2005:
The Government, through the Secretary of State of the Presidency of the Council of Ministers, hereby decrees as follows:
Article 1
Subject-matter
This Administrative Rule establishes the terms of the registration of certifying bodies issuing qualified certificates pursuant to Decree-Law no. 290-D/1999, of 2 August.
Article 2
Scope
1 – The registration obligation governed herein applies to:
a) Certifying bodies issuing qualified certificates that directly or indirectly provide electronic certification services in Portugal;
b) Certifying bodies accredited in other Member States of the European Union or in third countries that directly or indirectly provide electronic certification services in Portugal.
2 - The registration obligation governed herein applies also, as regards the provision of electronic certification services by a body under national law, in subcontracting situations or in other circumstances of legal representation.
3 – The accreditation authority shall promote, of its own motion, the registration of national certifying bodies subject to the accreditation procedure provided for in Decree-Law no. 290-D/1999, of 2 August, in the scope of the referred procedure, to enable such bodies to pursue the activity related to the issue of qualified certificates.
Article 3
Competent entity
The Autoridade Nacional de Segurança – ANS (National Safety Authority) is hereby appointed as the body competent to perform registrations, pursuant to paragraph 1 of article 8 of Decree-Law no. 116-A/2006, of 16 June, as amended by Decree-Law no. 88/2009, of 9 April, and paragraph 2 j) of article 2 of Decree-Law no. 170/2007, of 3 May.
Article 4
Application
1 – The registration is applied to by filling in a specific form, made available by the National Safety Authority in the respective website, which includes the particulars on the activity pursued by the certifying body.
2 – The application for registration shall attach the following documents:
a) Statement signed by the certifying body that it is aware of all legal and regulatory provisions that apply to certifying bodies issuing qualified certificates and that it undertakes to comply therewith;
b) Statement signed by the security auditor that the certifying body complies with all legal and regulatory provisions that apply to certifying bodies issuing qualified certificates;
c) Copy of the legal person’s bylaws, and where a company is concerned, copy of the company contract, or, where a natural person in concerned, copy of the respective identification;
d) Where a trading company is concerned, a list of all partners, specifying the respective participations, as well as of members of administrative and supervisory bodies and, where a share company is concerned, a list of all shareholders with significant shares, either direct or indirect;
e) Evidence of the asset base and of available financial means, and where a trading company is concerned, evidence that shares have been fully paid up;
f) Copy of the insurance contract referred to in article 24 d) of Decree-Law no. 290-D/1999, of 2 August, where it has been provided by an insurance company;
g) Copy of the certificate policy and of the statement of certification practises;
h) Description of the electronic signature products used;
i) Certificates of conformity with secure signature creation devices, issued by a certification body accredited in accordance with article 37 of Decree-Law no. 290-D/1999, of 2 August.
3 – Foreign certifying bodies within the meaning of paragraphs 1, 2 and 3 of Decree-Law no. 290-D/1999, of 2 August, shall attach the following documents to the application for registration:
a) Statement signed by the accreditation authority of the country where the certifying entity is established, attesting that the latter is either certified or subject to a supervision system;
b) Copy of the accreditation certificate, where appropriate;
c) Copy of the accreditation report, where appropriate.
4 – Bodies within the meaning of paragraph 6 of article 38 of Decree-Law no. 290-D/1999, of 2 August, shall attach the following documents to the application for registration:
a) Statement signed by the certifying body that it is aware of all legal and regulatory provisions that apply to certifying bodies issuing qualified certificates and that it undertakes to comply therewith, in the scope of services provided;
b) Copy of the legal person’s bylaws, and where a company is concerned, copy of the company contract, or, where a natural person in concerned, copy of the respective identification;
c) Where a trading company is concerned, a list of all partners, specifying the respective participations, as well as of members of administrative and supervisory bodies and, where a share company is concerned, a list of all shareholders with significant shares, either direct or indirect;
d) Copy of the contract with the certifying body, that includes the terms, conditions and responsibilities connected to the provision of the respective service;
5 – The application for registration may be presented at the National Safety Authority, in paper, either directly or by registered mail, or also by email, insofar as it bears a qualified electronic signature and as documents attached are submitted to the National Safety Authority within the following three days.
6 – Without prejudice hereto, the National Safety Authority may request, with a supplementary nature, additional information or documents deemed to be necessary to pursue its monitoring activity.
Article 5
Rejection of the application for registration
1 – The registration shall be rejected where:
a) The required information or documents failed to be attached to the application;
b) The application is not accurate or includes false information.
2 – Where required information or documents have not been duly attached, the National Safety Authority, prior to rejecting the application, shall notify the applicant thereof and grant it a reasonable deadline to remedy the deficiency or omission.
Article 6
Revocation of registration
1 – The registration shall be revoked where it is found that the certifying body does not comply with legal and regulatory provisions that apply to certifying bodies issuing qualified certificates.
2 - The National Safety Authority, prior to revoking the registration, shall notify the certifying body thereof and grant it a reasonable deadline to remedy the deficiencies or omissions.
Article 7
Communication of alterations
Alteration to elements and documents referred to herein shall be communicated to the National Safety Authority within 30 days at the most.
Article 8
Cessation of business
The cessation of business of a certifying body issuing qualified certificates must be entered in the registration, identifying the body to which its documentation has been transferred.
Article 9
Automatic registration
The National Safety Authority shall enter in the registration of certifying bodies, of its own motion, the following information on accredited certifying bodies:
a) Decisions of the National Safety Authority on the granting, renewal or revocation accreditation, indicating the date on which they were taken and published in Series II of the Official Gazette;
b) Indication that the accreditation has expired, respective date and reference to the publication in Series II of the Official Gazette;
c) Identification of accreditation bodies that issued conformity certificates and number of the respective certificates.
Article 10
Disclosure
The National Safety Authority shall organize and maintain a register in its website that ensures the disclosure of information on certifying bodies that pursue activities connected to the issue of qualified certificates.
Article 11
Repealing provision
Administrative Rule no. 1350/2004, of 23 October, is hereby repealed.
Article 12
Entry into force
This Administrative Rule takes effect on the day following that of its publication.
The Secretary of State of the Presidency of the Council of Ministers, Jorge Lacão Costa, on 1 June 2009.
