Regulations Regarding the Information to be Indicated in the Description of the Security of the Information Systems, Equipment and Procedures for the Provision of the Qualified or Qualified Increased Security Electronic Identification Service

Issued pursuant to
Section 10, Paragraph one of the Law on Electronic Identification of Natural Persons

1. The Regulation prescribes the information to be indicated in the description of the security of the information systems, equipment and procedures related to the provision of the qualified or qualified increased security electronic identification service (hereinafter - the security description).

2. The following terms are used in this Regulation:

2.1. termination of the operation of the means of electronic identification - the set of operations which are carried out by the provider of qualified or qualified increased security electronic identification service in the cases referred to in Section 6, Paragraph two of the Law on Electronic Identification of Natural Persons in order to irreversibly terminate the operation of the means of electronic identification;

2.2. equipment - the device used in the provision of the electronic identification service which has access to the information encryption algorithm and which is used for processing the information present in the means of electronic identification during its life cycle;

2.3. information system - the set of equipment, software, and procedures specified in this Regulation which are used in order to ensure the electronic identification service;

2.4. procedure - the set of operations for the provision of the electronic identification service which is performed by a qualified or qualified increased security electronic identification service provider in order to guarantee the security of the electronic identification service.

3. Information regarding the following shall be indicated in the security description:

3.1. the general security measures which an electronic identification service provider shall comply with in his or her activity;

3.2. the conformity with the regulations;

3.3. the security measures of information systems;

3.4. the security measures of equipment;

3.5. the security measures of procedures;

3.6. the plan for renewal of information systems and equipment;

3.7. the third persons involved in the provision of the electronic identification service;

3.8. the person who is responsible for the supervision of implementation of the security description.

4. The following information regarding the electronic identification service provider shall be indicated in the information regarding general security measures:

4.1. the general security principles;

4.2. the procedures for the provision of the service;

4.3. the procedures for the use of the means of electronic identification;

4.4. the principles for continuity of operation;

4.5. the plan for continuity of operation;

4.6. the principles for termination of operation;

4.7. the plan for termination of operation.

5. The regulations of the European Union and internationally recognised electronic identification regulations and the regulations related thereto, for example, the standards which are complied with by the electronic identification service provider in its operation, shall be indicated in the information regarding the conformity with the regulations.

6. The following shall be indicated in the information regarding security measures of the information systems:

6.1. the person of the electronic identification service provider who is responsible for the management of the resources, technical resources, and security of information systems;

6.2. the description of the internal procedures of security measures of information systems;

6.3. the principles for the protection and data encryption of information systems which guarantee safe online authentication of a natural person.

7. The security measures which are conformed to by the electronic identification service provider, the manufacturer of equipment, and the supplier shall be indicated in the information regarding security measures of equipment:

8. If an electronic identification service provider wishes to provide a qualified increased security electronic identification service, the following security measures shall be indicated in addition to the requirements referred to in Paragraph 7 of this Regulation which apply to:

8.1. the procedures for the protection of equipment used in the electronic identification process;

8.2. the procedures for the use of equipment.

9. The following shall be indicated in the information regarding security measures of the procedures:

9.1. the description of the first identity check of a natural person;

9.2. the description of the life cycle of the means of electronic identification, including activation and termination;

9.3. the description of the storage of the means of electronic identification;

9.4. the description of the data management;

9.5. the description of the ensured authentication.

10. If an electronic identification service provider wishes to provide a qualified increased security electronic identification service, the description of the inventory and issue of the means of electronic identification shall be indicated in addition to the requirements referred to in Paragraph 9 of this Regulation.

11. The following shall be indicated in the information regarding the plan for renewal of information systems and equipment:

11.1. how the information systems and equipment used during the electronic identification shall be renewed;

11.2. the time period within which the information systems and equipment used during electronic identification shall be renewed.

12. Natural or legal persons involved in the provision of the electronic identification service shall be indicated in the information regarding the third persons involved in the provision of the electronic identification service.

13. The given name, surname, and contact details of the person responsible for the supervision of the implementation of the security description shall be indicated in the information regarding the person.

14. The Regulation shall come into force on 1 January 2018.

Prime Minister Māris Kučinskis

Minister for Defence Raimonds Bergmanis

Translation © 2019 Valsts valodas centrs (State Language Centre)