Legislation

This page lists the regulations that SK follows.

eIDAS REGULATION

Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 June 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (hereinafter referred to as the eIDAS Regulation) became effective as of 1 July 2016. It is a directly applicable regulation consisting of two parts.

The first part concerns Member State cooperation on the mutual recognition and assessment of electronic identification (eID) means. Estonian eID means include the ID-card, Mobile-ID and Digi-ID. While the Regulation does not interfere with the creation or management of electronic identities, it defines the levels of assurance for eID means and systems, allowing public e-service providers to decide which eID means, at which levels of assurance, they recognise in their services.

The second part of the eIDAS Regulation contains the conditions and requirements for providing various trust services. These are necessary for digital security, for example electronic signature creation and verification, the use of electronic seals on documents to guarantee their origin and integrity, and certificates for increasing web security.

Trust services that must meet defined security requirements and service standards improve the security of, and confidence in, electronic processes and services, thereby enabling citizens, companies and public sector organisations of EU Member States to provide their services online.

Qualified trust services are trust services of the highest status. The eIDAS Regulation subjects qualified trust services to increased requirements, liability and the obligation to undergo regular and independent conformity assessment, after which the provider is included in the trusted list (https://sr.riik.ee/). The list contains all European qualified trust service providers (and, on a voluntary basis, other trust service providers), allowing citizens and e-services to verify the status of a trust service provider and its service. SK is included in the list as a provider of multiple qualified trust services.

ELECTRONIC IDENTIFICATION AND TRUST SERVICES FOR ELECTRONIC TRANSACTIONS ACT

Estonia enacted the Electronic Identification and Trust Services for Electronic Transactions Act to implement the eIDAS Regulation. As the eIDAS Regulation is directly applicable, this Act only regulates the matter to the extent permitted by the Regulation. Hence, the Act must be read in conjunction with the eIDAS Regulation. It mostly addresses the organisation of state supervision and the clarification of general requirements arising from the Regulation. The Act applies the margin of discretion allowed by the eIDAS Regulation to the maximum extent possible in order to follow established Estonian practice in the field of electronic identity and trust services. Furthermore, the previously existing national regulation is being linked to the eIDAS Regulation, ensuring the consistent use of the digital signature and digital seal. The Digital Signatures Act that used to regulate digital signatures is being repealed.

The eIDAS Regulation and the Electronic Identification and Trust Services for Electronic Transactions Act require qualified trust service providers, and those trust service providers that are included in the trusted list, to undergo regular conformity assessment by an independent conformity assessment body at least once every 24 months. This legislation also subjects trust service providers to mandatory insurance.

IDENTITY DOCUMENTS ACT

The Identity Documents Act describes the role of the ID-card as the primary domestic identity document and subjects Estonian residents to an identity document requirement. The Act also regulates the procedures for issuing and revoking other digital documents (Digi-ID, Mobile-ID). While the Act does not directly regulate SK’s day-to-day operations or services, it relates to the ID-card and digital documents that constitute SK’s most important area of activity.

PERSONAL DATA PROTECTION

SK processes personal data according to the European Personal Data Protection Act, which became effective as of 25 May 2018. This is a directly applicable regulation. Its main purpose is to give people living in the information age better control over their personal data. SK declares that it processes personal data lawfully, fairly, purposefully, minimally, safely and transparently. SK’s principles for processing personal data can be found at: https://sk.ee/en/repository/data-protection/.

OTHER REGULATIONS

Aside from the laws addressing SK’s specific area of activity, we are of course subject to all laws regulating business in Estonia (General Part of the Civil Code Act, Commercial Code, Law of Property Act, etc.).

STANDARDS

In addition to the above legislation, SK’s services meet specific industry standards. There are many; some of the most important are: ETSI EN 319 401 (General Policy Requirements for Trust Service Providers), ETSI EN 319 411-1 on certification services, ETSI EN 319 411-2 on qualified certification services, and ETSI EN 319 421 on time-stamping services.

SK is certified under the standard ISO/IEC 27001:2013 “Information technology. Security techniques. Information security management systems”, which addresses the information security framework and sets information security objectives for the organisation.

Certificates of conformity and audit reports for SK and SK services are available at: https://www.sk.ee/repositoorium/audit/

OTHER DOCUMENTS

In addition to the above legislation and standards, SK’s service requirements are set forth in service policies.

SK’s practice statements for trust services, certification and time-stamping describe how SK as an organisation, and SK’s services in particular, meet the policy requirements.

The SK Trust Services Practice Statement applies to all of SK’s trust services and public key infrastructure, describing the common principles for providing SK’s trust services and the shared information security management system, processes, infrastructure and measures.

The Certification Practice Statement describes SK’s role in the issuance of, and the services provided around, the various certificates.

The Time-Stamping Authority Practice Statement describes SK’s role in the time-stamping and verification processes and the technical means in use.