Decree-Law no. 116-A/2006, of 16 June



Presidência do Conselho de Ministros (Presidency of the Council of Ministers)

Decree-Law


(This is not an official translation of the law)

Establishes the State's Electronic Certification System - Public Key Infrastructure and appoints the National Security Authority as the national accreditation authority

Arising from the ongoing implementation of several public programmes for the promotion of information and communication technologies and from the introduction of new procedures of relationship within society, between citizens, companies, non-governmental bodies and the State, aiming at strengthening the information society and eGovernment, the establishment of the Entidade de Certificação Electrónica do Estado - Infra-Estrutura de Chaves Públicas (State's Electronic Certification Body - Public Key Infrastructure) - ECEE-ICP - was approved, pursuant to Resolution of the Council of Ministers no. 171/2005, of 3 November.

These programmes require, for specific purposes, mechanisms for strong digital authentication of identities and signatures, which may be implemented using so-called public key infrastructures.

Thus, to ensure the unity, integration and effectiveness of strong digital authentication systems in the electronic relationships of natural and legal persons with the State and between public bodies, it is necessary to establish a State’s electronic certification system (SECS).

The SECS architecture thus enables a hierarchy of trust that guarantees the electronic security of the State and the strong digital authentication of e-transactions between the services and bodies of the Public Administration and between the State and citizens and companies.

The SECS comprises the Management Council, which establishes certification policies and practices, and the Entidade de Certificação Electrónica do Estado (State’s Electronic Certification Body), which approves the integration of certification bodies in the SECS and represents the first level in the hierarchical certification chain in relation to the other State certification bodies subject thereto.

The SECS operates independently of private or foreign public key infrastructures, but must allow the necessary interoperability with infrastructures that satisfy the necessary authentication precision requirements, by means of appropriate technical mechanisms and compatibility in terms of certification policies, namely within the scope of the European Union countries.

The SECS is established, with the necessary adaptations, in compliance with national and Community legislation, namely the technical and security standards applicable to certification bodies established in Portugal involved in the issue of qualified certificates.

This Decree-Law also assigns the powers of accreditation authority, which had hitherto been assigned to the Instituto das Tecnologias da Informação da Justiça (Institute for Justice Information Technologies), to the Autoridade Nacional de Segurança (National Security Authority).

These powers are hereby assigned to the National Security Authority on account of its special ability to act as an accreditation authority, as well as on account of the fact that it is integrated in the Presidency of the Council of Ministers and ensures a strong security hierarchy.

Therefore:

Pursuant to point a) of paragraph 1 of article 198 of the Constitution, the Government decrees the following:

CHAPTER I
General provisions
 

Article 1
Subject-matter and scope

1 - The State's Electronic Certification System - Public Key Infrastructure, hereinafter referred to as SECS, is hereby established, aimed at introducing a structure of electronic trust, so that certification bodies subject thereto provide services that ensure:

a) Secure e-transactions;

b) Strong authentication;

c) Electronic signatures in transactions or information and electronic documents, ensuring their authorship, integrity, acceptance and confidentiality.

2 - The SECS operates for public entities and for services and bodies of the Public Administration or other bodies carrying out certification functions in compliance with aims under public law.

Article 2
Structure and functioning of the SECS

1 - The SECS comprises:

a) The Management Council of the State's Electronic Certification System;

b) The Entidade de Certificação Electrónica do Estado (State's Electronic Certification Body);

c) The State’s certification bodies.

2 - The functioning of the SECS is governed by the rules provided for herein.

CHAPTER II
SECS Management Council
 

Article 3
Composition and functioning

1 - The SECS Management Council is the body responsible for the overall management and administration of the SECS.

2 - The SECS Management Council is chaired by the Minister for the Presidency, with the possibility of delegation, and composed of representatives of each of the following entities, appointed by the competent members of State:

a) Agência para a Sociedade do Conhecimento, I.P. (UMIC) - Agency for Knowledge Society, Public Institute;

b) Centro de Gestão da Rede Informática do Governo (CEGER) - Government Network Management Centre;

c) Fundação para a Computação Científica Nacional (FCCN) - National Scientific Computing Foundation;

d) Gabinete Nacional de Segurança (GNS) - National Security Office;

e) ICP - Autoridade Nacional de Comunicações (ICP-ANACOM) - National Communications Authority;

f) Instituto de Informática (II) - Computer Institute;

g) Instituto de Telecomunicações (IT) - Telecommunications Institute;

h) Instituto das Tecnologias da Informação na Justiça (ITIJ) - Institute for Justice Information Technologies;

i) Rede Nacional de Segurança Interna - National Internal Security Network;

j) Unidade de Coordenação da Modernização Administrativa (UCMA) - Administrative Modernization Co-ordination Unit.

3 - Unless expressly indicated to the contrary in the appointment act, the member of the Government indicated under the preceding paragraph may delegate the chairmanship to any other member of the SECS Management Council.

4 - The SECS Management Council may request the collaboration of other public entities as well as of private bodies or individuals to assess issues of a specialised technical nature, in the scope of powers assigned hereunder.

5 - The ordinary meetings of the SECS Management Council shall take place twice a year, extraordinary meetings being held where convened by the chairman.

6 - The technical, administrative and logistic support to the SECS Management Council, as well as the costs of maintaining its operation, shall be borne by the entity which is assigned the powers of operating the State’s core certification body.

7 - Members of the SECS Management Council shall not earn any remuneration supplement on account of functions performed in that capacity, without prejudice to daily allowances which they may be entitled to, in the general terms of the law.

Article 4
Competence

1 - It is incumbent upon the SECS Management Council:

a) To define, according to the law and taking into account the standards or specifications acknowledged at international level, the certification policy and the certification practices to be complied with by certification bodies that integrate the SECS;

b) To ensure that the certification practice statements submitted by the State's certification bodies, as well as by the State's core certification body, comply with the SECS certification policy;

c) To put forward for consideration the criteria for approval of certification bodies that wish to integrate the SECS;

d) To assess the compliance of procedures followed by the State's certification bodies with approved policies and practices, without prejudice to competence assigned by law to the accreditation authority;

e) To deliver opinions concerning the exclusion from the SECS of State’s certification bodies, in case approved policies and practices are not complied with, notifying the accreditation authority thereof;

f) To deliver opinions concerning the best international practices on electronic certification activities and to propose their application;

g) To represent the SECS institutionally.

2 - It is also incumbent upon the SECS Management Council to promote the activities necessary for the conclusion of agreements on interoperability, based on cross certification, with other national or international public key infrastructures, of a private or public nature, namely:

a) To give guidance to the State's core certification body on the granting and withdrawal of certificates issued on the basis of cross certification;

b) To define the terms and conditions for the start, suspension or completion of procedures on interoperability with other public key infrastructures.

CHAPTER III
State's Electronic Certification Body
 

Article 5
Definition and competence

1 - The State's Electronic Certification Body, in the capacity of core certification body of the State, is the top certifying service in the SECS certification chain, implementing certificate policies and guidelines approved by the SECS Management Council.

2 - It is incumbent upon the State’s Electronic Certification Body to acknowledge the integration of certification bodies that comply with the requirements established herein, as well as to provide certification services to certification bodies at an immediately lower level in the certification chain, in compliance with rules applicable to certification bodies established in Portugal involved in the issue of qualified digital certificates.

3 - For the purposes provided for in the preceding paragraph, it is incumbent upon the State’s Electronic Certification Body to obtain the accreditation certificate referred to in paragraph 2 of article 8.

4 - The State's Electronic Certification Body provides exclusively the following digital certification services:

a) Procedure of registration of certification bodies;

b) Creation of certificates, including qualified certificates, and management of their life cycle;

c) Disclosure of certificates and certification policies and practices;

d) Management of certificate withdrawal;

e) Provision of information on the state and situation of withdrawals referred to in the preceding point.

5 - It is also incumbent upon the State’s Electronic Certification Body:

a) To ensure, in the capacity of certification body, the compliance with and implementation of all standards and procedures established in the document of certification policies and in the statement of certification practices of the SECS;

b) To implement the policies and practices established by the SECS Management Council;

c) To manage all the infrastructures and resources that comprise and guarantee the functioning of the State’s core certification entity, namely staff, equipment and premises;

d) To manage all activities related to the management of the life cycle of certificates issued to certification bodies at an immediately lower level;

e) To ensure that the access to its main and alternative premises is carried out only by duly authorized and accredited staff;

f) To manage the recruitment of staff qualified to perform the management and operation tasks of the State’s core certification entity;

g) To immediately notify the SECS Management Council of any event, namely a security malfunction or failure.

6 - The State's Electronic Certification Body issues certificates exclusively to subordinate State certification bodies and is not entitled to issue certificates to the general public.

Article 6
Management and staff

1 - The State’s Electronic Certification Body is managed ex officio by the director of the Centro de Gestão da Rede Informática do Governo (CEGER) - Government Network Management Centre.

2 - Without prejudice to the exercise of duties in their post of origin, the technical staff of the CEGER in the categories described below shall perform tasks in the State's Electronic Certification Body:

a) A system consultant, responsible for the articulation between the State's Electronic Certification Body and the SECS Management Council, and between the former and State's certification bodies;

b) A system administrator, authorized to install, configure and maintain the system, with a controlled access to security-related configurations;

c) A system operator, responsible for running the day-to-day operation of systems, authorized to make backup copies and restore information;

d) A security administrator, responsible for the management and implementation of security rules and practices;

e) A registration administrator, responsible for approving the issue, suspension and withdrawal of certificates;

f) A system auditor, authorized to monitor records of system activity.

3 - Under legislation in force, the posts of system administrator, security administrator and system auditor shall be filled by different people.

4 - For the purpose of paragraph 2, the staff of CEGER may be altered by joint order of the members of the Government responsible for the areas of Finance and Public Administration and for CEGER.

CHAPTER IV
State’s certification bodies
 

Article 7
Requirements

1 - State's certification bodies means public entities that perform the duties of a certification body pursuant to Decree-Law no. 290-D/99, of 2 August, as amended by Decree-Law no. 62/2003, of 3 April, and by the present decree-law and respective regulations, and that:

a) Have been admitted as certification bodies, under paragraph 2 of article 5 hereof;

b) Act in compliance with the certification practice statements and certification policy and practices approved by the SECS Management Council.

2 - For the purpose of application of the regime provided for in the preceding paragraph, all bodies carrying out certification functions in pursuit of aims under public law are covered, irrespective of their nature.

3 - Only bodies acknowledged as certification bodies shall be entitled to provide electronic certification services, in the scope of the SECS, under the preceding paragraphs.

4 - Certification bodies are entitled to issue certificates of an immediately lower level only, except where lateral or cross certification agreements have been promoted or approved by the SECS Management Council.

5 - The registration services may be assigned to natural or legal persons, appointed as registration bodies, to which the State's certification bodies delegate the provision of services of identification and registration of certificates, as well as the management of requests for certificate withdrawal, pursuant to paragraph 1 of article 4 of Regulatory Decree no. 25/2004 of 15 July.

CHAPTER V
National accreditation authority
 

Article 8
Accreditation authority

1 - The National Security Authority shall be the accreditation authority competent for the accreditation and monitoring of certification bodies comprised in the SECS, under paragraph 3 of Decree-Law no. 217/97 of 20 August.

2 - Within the scope of application of article 1, the National Security Authority is competent to issue the accreditation certificate of certification bodies and to perform accreditation duties provided for in Decree-Law no. 290-D/99, of 2 August, as amended by Decree-Law no. 62/2003, of 3 April and by the present decree-law.

3 - The National Security Authority shall be assisted in the exercise of its powers by the accreditation technical board.

Article 9
Accreditation technical board

1 - The accreditation technical board is the consultative body of the accreditation authority, being responsible for delivering opinions on all issues submitted by the accreditation authority.

2 - The accreditation technical board may also, on its own initiative, deliver opinions or make recommendations to the accreditation authority.

Article 10
Composition

The accreditation technical board comprises:

a) The National Security Authority, with chairing powers;

b) Two individuals appointed by the Prime Minister;

c) An individual appointed by the Minister for Internal Administration;

d) An individual appointed by the Minister for Justice;

e) An individual appointed by the Minister for Science, Technology and Higher Education;

f) A representative from ICP-ANACOM.

Article 11
Meetings

The ordinary meetings of the accreditation technical board shall take place twice a year, extraordinary meetings being held where convened by the chairman.

Article 12
Logistic support

The Gabinete Nacional de Segurança (National Security Office) shall ensure the logistic and administrative support of the accreditation technical board as well as its operating costs.

Article 13
Collaboration with other entities

The accreditation technical board may request of other public or private bodies all collaboration deemed necessary, in the scope of powers assigned hereunder.

CHAPTER VI
Final and transitional provisions
 

Article 14
Setting up and equipping the State’s Electronic Certification Body

In addition to the provisions herein, other regulatory aspects related to the setting up and equipping of the State’s Electronic Certification Body shall be governed by an order of the member of the Government responsible for the CEGER.

Article 15
Transitional provision

In the course of 2006, the General Secretariat of the Presidency of the Council of Ministers shall transfer to the National Security Office the necessary amounts for the compliance with article 12 hereof.

Article 16
Amendment to Decree-Law no. of 2 August

Article 9 of Decree-Law no. 290-D/99, of 2 August, as amended by Decree-Law no. 62/2003, of 3 April, shall be amended to read as follows:

«Article 9
[…]

1 - …

2 - Without prejudice to the preceding paragraph, certification bodies that issue qualified certificates shall register with the accreditation authority, under conditions to be laid down in an administrative rule issued by the member of the Government responsible for the accreditation authority.

3 - The accreditation and registration are subject to the payment of fees according to the costs associated with the corresponding administrative, technical, operational and monitoring tasks, under conditions to be laid down in a joint order of the member of the Government responsible for the accreditation authority and the Minister for Finance, which shall be treated as receipts of the accreditation authority.»

Article 17
Addition to Decree-Law no. 290-D/99, of 2 August

The following article 40-A is inserted in Decree-Law no. 290-D/99, of 2 August, as amended by Decree-Law no. 62/2003, of 3 April:

«Article 40-A
Accreditation of public certification bodies

1 - The provisions in chapters III and IV apply to the activity of public certification bodies only insofar as they are suited to the nature and powers of such bodies.

2 - It is incumbent upon the accreditation authority to establish the suitability criteria for the application of the preceding paragraph, for the purpose of issuing accreditation certificates to public certification bodies to which such powers have been assigned.

3 - Accreditation certificates may be issued provisionally, for renewable annual periods not exceeding three years, where the accreditation authority deems it necessary to determine procedures enabling better compliance with applicable technical requirements.»

Article 18
Repealing provision

The following provisions are hereby repealed:

a) Decree-Law no. 234/2000 of 25 September;

b) Point i) of article 18 of Decree-Law no. 146/2000 of 18 July;

c) Point j) of article 5 of Decree-Law no. 103/2001 of 29 March.

Checked and approved in the Council of Ministers of 4 May 2006. - José Sócrates Carvalho Pinto de Sousa - António Luís Santos Costa - Fernando Teixeira dos Santos - Manuel Pedro Cunha da Silva Pereira - Alberto Bernardes Costa - Mário Lino Soares Correia - José Mariano Rebelo Pires Gago.

Promulgated on 8 June 2006.

Let it be published.

The President of the Republic, ANÍBAL CAVACO SILVA.

Counter-signed on 12 June 2006.

The Prime Minister, José Sócrates Carvalho Pinto de Sousa.