
2013/132/EU: Decision of the European Central Bank of 11 January 2013 laying down the framework for a public key infrastructure for the European System of Central Banks (ECB/2013/1)

THE GOVERNING COUNCIL OF THE EUROPEAN CENTRAL BANK,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 127 thereof,

Having regard to the Statute of the European System of Central Banks and of the European Central Bank (hereinafter the ‘Statute of the ESCB’), and in particular Article 12.1 in conjunction with Article 3.1, Article 5, Article 12.3 and Articles 16 to 24 thereof,

Whereas:

  1. Pursuant to Article 12.1 of the Statute of the ESCB, the Governing Council adopts the guidelines and takes the decisions necessary to ensure the performance of the tasks entrusted to the European System of Central Banks (ESCB) and to the Eurosystem under the Treaty and the Statute of the ESCB. This includes the power to decide on the organisation of ancillary activities that are necessary for the performance of such tasks, such as the issuance and management of electronic certificates for securing information stored and processed in ESCB and Eurosystem electronic applications, systems, platforms and services, and for data communication to and from them.

  2. Pursuant to Article 12.3 of the Statute of the ESCB, the Governing Council also has the power to determine the internal organisation of the European Central Bank (ECB) and its decision-making bodies. Accordingly, the Governing Council has the power to decide that the ECB will use electronic certificates issued by the Eurosystem’s own public key infrastructure.

  3. The number of users accessing a growing number of constantly evolving ESCB and Eurosystem electronic applications, systems, platforms and services is increasing. The Governing Council has identified a need for advanced information security services, such as strong authentication, electronic signatures and encryption, through the use of electronic certificates.

  4. Few ESCB central banks have their own public key infrastructure and many users from third parties that work jointly with ESCB central banks do not have easy access to a certification authority accepted by the ESCB in accordance with its certificate acceptance framework.

  5. There is a need for the Eurosystem to create its own public key infrastructure which can issue all types of electronic certificates such as personal and technical certificates for ESCB and non-ESCB users, and which is flexible enough to adapt to developments in ESCB and Eurosystem electronic applications, systems, platforms and services. This public key infrastructure (hereinafter the ‘ESCB-PKI’) should complement the services provided by other certification authorities accepted by the ESCB in accordance with the ESCB certificate acceptance framework or by certification authorities accepted by the ESCB for TARGET2 and TARGET2 Securities for those two applications.

  6. On 29 September 2010 the Governing Council decided to launch the ESCB-PKI project to build and implement the ESCB-PKI and to provide the resources required for its completion. It decided that the ESCB-PKI will be developed, hosted and operated by the Banco de España.

  7. The ESCB-PKI indirectly supports the performance of ESCB and Eurosystem tasks. It is based on three levels of governance: Level 1 consists of the Governing Council and the Executive Board, Level 2 of the Eurosystem central banks and Level 3 of the providing central bank.

  8. At Level 1, the Governing Council is responsible for the direction, management and control of the activities and deliverables needed to develop and operate the ESCB-PKI. It is also responsible for decision-making in relation to the ESCB-PKI and decides on the allocation of tasks not specifically attributed to Levels 2 and 3.

  9. The Eurosystem central banks are responsible for the tasks assigned to Level 2, within the general framework defined by the Governing Council. They have competences regarding the technical means of implementing the ESCB-PKI.

  10. The ESCB Information Technology Committee (ITC) has a steering role in the development of the ESCB-PKI. It guides, assesses, controls and approves the project deliverables against the acceptance criteria in accordance with the ESCB certificate acceptance framework, the scope and the schedule approved by the Governing Council.

  11. At Level 3, the Banco de España has been appointed as the providing central bank to carry out the tasks assigned to it within the general framework defined by the Governing Council. The providing central bank has put in place the technical infrastructure and secure devices and services required to create and use a public key infrastructure in accordance with: (a) the national law transposing Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures(1), as applicable to it; (b) the national law transposing Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(2), as applicable to it; and (c) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data(3).

  12. Since electronic certificates are essential elements used in electronic applications both as an authentication mechanism to implement electronic signatures, and for public key-based encryption, the ESCB-PKI will take into account existing ESCB and Eurosystem electronic applications, systems, platforms and services and current ESCB projects in order to ensure that their needs are covered.

  13. Non-euro area national central banks (NCBs) may decide to use the certificates and services provided by the ESCB-PKI,

HAS ADOPTED THIS DECISION:

Article 1 Definitions

For the purposes of this Decision:

  1. ‘certificate’ or ‘electronic certificate’ means an electronic file, issued by a certification authority, which binds a public key with a certificate subscriber’s identity and is used for all or some of the following: (a) to verify that a public key belongs to a certificate subscriber; (b) to authenticate a certificate subscriber; (c) to check a certificate subscriber’s signature; (d) to encrypt a message addressed to a certificate subscriber; (e) to verify a certificate subscriber’s access rights to ESCB and Eurosystem electronic applications, systems, platforms and services. Any reference in this Decision to a certificate or electronic certificate includes a reference to the data carrier devices on which the certificate or electronic certificate is held;

  2. ‘ESCB and Eurosystem electronic applications, systems, platforms and services’ means the electronic applications, systems, platforms and services that the ESCB and/or the Eurosystem use when carrying out the tasks entrusted to them under the Treaty and the Statute of the ESCB;

  3. ‘public key infrastructure’ means the set of individuals, policies, procedures, and computer systems necessary to provide authentication, encryption, integrity and non-repudiation services by way of public and private key cryptography and electronic certificates;

  4. ‘user’ means either a certificate subscriber or a relying party, or both;

  5. ‘authentication’ means the process of verifying the identity of a certificate applicant or certificate subscriber;

  6. ‘ESCB central bank’ means either a Eurosystem central bank or a non-euro area NCB;

  7. ‘Eurosystem central bank’ means either an NCB of a Member State whose currency is the euro, including the providing central bank, or the ECB;

  8. ‘providing central bank’ means the NCB appointed by the Governing Council to develop the ESCB-PKI and to provide ESCB-PKI services on behalf of and for the benefit of the Eurosystem central banks;

  9. ‘non-euro area NCB’ means an NCB of a Member State whose currency is not the euro;

  10. ‘ESCB-PKI certification authority’ means the entity, trusted by users, to issue, manage, revoke and renew certificates on behalf of the ESCB central banks or the Eurosystem central banks in accordance with the ESCB certificate acceptance framework;

  11. ‘ESCB-PKI validation authority’ means the entity, trusted by users, which provides information on the validity of certificates issued by the ESCB-PKI certification authority;

  12. ‘certificate subscriber’ means either an individual who is the subject of an electronic certificate and has been issued an electronic certificate, or a technical component manager who has accepted an electronic certificate issued by the ESCB-PKI certification authority for a technical component, or both;

  13. ‘ESCB certificate acceptance framework’ means the criteria established by the ESCB ITC to identify the certification authorities, both internal and external to the ESCB, which can be trusted in relation to ESCB and Eurosystem electronic applications, systems, platforms and services;

  14. ‘registration authority’ means an entity, trusted by users, which verifies the identity of a certificate applicant before the ESCB-PKI certification authority issues a certificate;

  15. ‘relying party’ means an individual or an entity other than a certificate subscriber which accepts and relies on a certificate;

  16. ‘audit policy’ means the ESCB audit policy defined by the Governing Council on 7 October 1998, as published on the ECB’s website(4);

  17. ‘certificate applicant’ means an individual who requests the issuance of a certificate for themself or for a technical component;

  18. ‘technical component’ means any software or any hardware equipment that can be identified by using electronic certificates.

Article 2 Scope

1. This Decision establishes the framework for the ESCB-PKI. The ESCB-PKI is the Eurosystem’s own public key infrastructure developed by the providing central bank on behalf of and for the benefit of the Eurosystem central banks, which issues, manages, revokes and renews certificates in accordance with the ESCB’s certificate acceptance framework.

2. As ESCB-PKI services may affect relying parties, this Decision also sets out the conditions under which such parties may rely on ESCB-PKI certificates.

Article 3 Scope and objectives of the ESCB-PKI

1. ESCB and Eurosystem electronic applications, systems, platforms and services with medium or above medium criticality shall only be accessed and used if a user has been authenticated by means of an electronic certificate issued and managed by a certification authority accepted by the ESCB in accordance with the ESCB certificate acceptance framework, including by the ESCB-PKI certification authority, or by certification authorities accepted by the ESCB for TARGET2 and TARGET2 Securities for those two applications.

2. The ESCB-PKI certification authority shall issue electronic certificates and provide other electronic certification services for certificate subscribers of the ESCB central banks and of third parties working with them to enable them to securely access and use ESCB and Eurosystem electronic applications, systems, platforms and services.

3. The ESCB-PKI shall provide the following certification services:

  1. certificate issuance, renewal and revocation, and confirmation of a certificate’s validity with regard to different certificate types;

  2. issuance of certificates for authentication, electronic signature and encryption in relation to ESCB and non-ESCB users, and technical certificates;

  3. private key recovery to ensure the recovery of public key-based encrypted information in the case of certificate loss;

  4. delivery and management of cryptographic tokens to certificate subscribers when needed;

  5. provision of information on ESCB-PKI certificate management procedures, and technical support to ESCB project managers to help them to integrate ESCB-PKI certificates into their applications.

Other services may be added in the future as required by ESCB and Eurosystem electronic applications, systems, platforms and services.

Article 4 ESCB-PKI framework

1. Subject to this Decision, the responsibilities and functions of the providing central bank and of the other Eurosystem central banks with regard to ESCB-PKI implementation, operation and use shall be set out in a Level 2 – Level 3 Agreement and further specified in ESCB-PKI certificate policies and the ESCB-PKI certification practice statement.

2. The Level 2 – Level 3 Agreement, which includes the Service Level Agreement, contains the agreement negotiated between the providing central bank and the Eurosystem central banks in relation to the responsibilities and functions of the providing central bank and the Eurosystem central banks. It shall be submitted for endorsement by the Governing Council and then signed by the providing central bank and the Eurosystem central banks.

3. The Service Level Agreement is both an agreement defining the level of services to be provided by the providing central bank to the Eurosystem, and an agreement defining the level of services to be provided by the Eurosystem to the non-euro area NCBs and third parties in relation to the ESCB-PKI.

4. The ESCB-PKI certification practice statement is a set of rules governing the life cycle of electronic certificates, from the initial request to the subscription end or revocation, as well as the relationships between the certificate applicant or subscriber, the ESCB-PKI certification authority and the relying parties. It covers electronic certificates falling under the scope of Directive 1999/93/EC, and electronic certificates falling outside its scope. It also sets out the roles and responsibilities of all parties and establishes the procedures concerning issuing and managing certificates. It is annexed to the Level 2 – Level 3 Agreement.

5. An ESCB-PKI certificate policy is a set of rules which is applicable to each type of certificate issued. Each set provides implementation details relating to the ESCB-PKI certification practice statement for each type of certificate issued. ESCB-PKI certificate policies are annexed to the Level 2 – Level 3 Agreement.

6. The ESCB-PKI certificate policies and the ESCB-PKI certification practice statement shall be published on the ESCB-PKI website(5).

7. Information concerning the ESCB-PKI certification authority, including its identity, and its technical components is set out in the Annex to this Decision.

Article 5 Responsibilities and roles of the providing central bank

Article 6 Responsibilities and roles of the Eurosystem central banks

Article 7 Relationships between the Eurosystem central banks, third parties and certificate subscribers

Article 8 Relationships with relying parties

Article 9 Rights to the ESCB-PKI

Article 10 Liability of Eurosystem central banks towards users

Article 11 Participation of non-euro area NCBs in the ESCB-PKI

Article 12 Data protection

Article 13 Audit

Article 14 Financial arrangements

Article 15 Role of the Executive Board

ANNEX