Teksta versija
LEGAL ACTS OF THE REPUBLIC OF LATVIA
home
 
Republic of Latvia

Cabinet
Regulation No. 560
Adopted 19 September 2017

Regulations Regarding the Technical and Organisational Requirements for the Qualified and Qualified Increased Security Electronic Identification Service Provider and the Service Provided Thereby

Issued pursuant to
Section 13 of the Law on Electronic
Identification of Natural Persons

I. General Provisions

1. The Regulation prescribes:

1.1. the technical and organisational requirements to which the following must correspond:

1.1.1. the qualified and qualified increased security electronic identification service provider;

1.1.2. the authentication;

1.1.3. the means of electronic identification;

1.2. the procedures by which the termination of the operation of the means of the qualified and qualified increased security electronic identification is ensured;

1.3. the procedures for carrying out a safe verification of electronic identification;

1.4. the procedures for the issue and storage of an authentication certificate and information related to unsuccessful authentication attempts;

1.5. the procedures and time limits for the security verification of the information systems, equipment and procedures by which the electronic identification service is provided.

2. The following terms are used in this Regulation:

2.1. mutual recognition - the process during which a natural person and the qualified or qualified increased security electronic information service provider ascertain the identity of one another, using a mutually coordinated set of electronic identification elements;

2.2. safe data transmission channel - way of information exchange which is protected against leaking and modification of data during their transmission;

2.3. termination of the operation of the means of electronic identification - set of operations which are carried out by the qualified or qualified increased security electronic identification service provider in the cases referred to in Section 6, Paragraph two of the Law on Electronic Identification of Natural Persons in order to permanently terminate the operation of the means of electronic identification;

2.4. electronic identification system - set of electronic identification processes in which the means of electronic identification are issued to natural persons;

2.5. element - a component of a tangible or intangible means of electronic identification which may be used one or several times during the electronic identification process;

2.6. inclusion of the personal data in the electronic identification scheme - the process of a natural person becoming the recipient of a specific electronic identification service.

II. Technical and Organisational Requirements to which the Qualified and Qualified Increased Security Electronic Identification Service Provider shall Correspond

3. The qualified and qualified increased security electronic identification service provider shall meet the following technical and organisational requirements:

3.1. ensure that the availability of the electronic identification service - authentication, termination of the operation of the means of electronic identification - insofar as it depends on the qualified and qualified increased security electronic identification service provider is at least 99.5 % during the working days of the calendar month from 9.00 to 18.00 in the time zone of Latvia, and at least 97 % in the remaining time;

3.2. retain information regarding the natural persons to whom and the time at which the operation of the means of electronic identification has been terminated. The information shall be stored for 10 years after the termination of the operation of the means of electronic identification;

3.3. ensure the possibility to terminate the operation of the means of electronic identification without delay round-the-clock;

3.4. the qualified or qualified increased security electronic identification service provider or the legal or natural person specified in Section 5, Paragraph five of the Law on Electronic Identification of Natural Persons ascertains the identity of the natural person on-the-spot in accordance with the requirements of laws and regulations prior to inclusion of the natural person in the electronic identification scheme;

3.5. the qualified or qualified increased security electronic identification service provider or the legal or natural person specified in Section 5, Paragraph five of the Law on Electronic Identification of Natural Persons ensures that the natural person has become acquainted with the conditions for the use of the means of electronic identification in accordance with the requirements of laws and regulations;

3.6. ensure that the information indicated in the description of the security of the information systems, equipment and procedures by which the electronic identification service is provided (hereinafter - the security description) (except for the information regarding the plan for the continuity of the operation, regarding the plan for the termination of the operation, regarding the person who is responsible for the management of the resources, technical resources, and security of the information systems, regarding the description of the internal procedures as regards ensuring the security of the information systems, regarding the security measures of equipment which are met by the electronic identification service provider, the manufacturer and the supplier of equipment, regarding the procedures for the protection and operation of equipment used in the electronic identification process, regarding the primary identity verification of a natural person, regarding the preservation of the means of electronic identification, regarding the management of the data, regarding the authentication ensured, and regarding the inventory and issuing of the means of electronic identification, as well as the information as to updating of the information systems and equipment used during electronic identification) is available;

3.7. ensure that the means of electronic identification, the operation of which has been terminated, cannot be re-used;

3.8. regularly analyse the records of the verification in order to minimise the risks of unauthorised use of the means of electronic identification;

3.9. the means of electronic identification which has not been personalised shall be stored in closed form, and regularly undergo stock-taking, the results of the stock-taking shall be recorded.

4. The qualified electronic identification service provider shall deploy the technical resources, software, and human resources used in the electronic identification scheme and store the personal data included in the electronic identification scheme and unused means of identification in the territory within the jurisdiction of the States of the European Union or the European Economic Area.

5. The qualified increased security electronic identification service provider shall deploy the technical resources, software, and human resources used in the electronic identification scheme and store the personal data included in the electronic identification scheme and unused means of identification in the territory within the jurisdiction of the Republic of Latvia.

III. Technical and Organisational Requirements to which the Authentication and the Means of Electronic Identification shall Conform

6. The authentication of the qualified and qualified increased security electronic identification service provider shall conform to the following requirements:

6.1. it is carried out by using at least two different elements;

6.2. each authentication session is encrypted and contains a unique parameter that can be used once;

6.3. each password entered by a natural person is replaced with a unique sequence of symbols;

6.4. mutual recognition is used in authentication;

6.5. an unambiguous reference to the logo of the qualified or qualified increased security electronic identification service provider is added to all notifications and events created during authentication which are visible to the natural person;

6.6. an unforgeable time stamp is added to all entries of the verification created during authentication;

6.7. the natural person to be authenticated has at least one element from the authentication of several elements in his or her possession.

7. The means of electronic identification of the qualified and qualified increased security electronic identification service provider shall conform to the following requirements:

7.1. they are linked to a specific natural person throughout their life cycle;

7.2. they are rendered unusable in the cases referred to in Section 6, Paragraph two of the Law on Electronic Identification of Natural Persons or in cases when they have left the possession of the natural person;

7.3. they are activated prior to the first use.

8. In addition to the requirements specified in Paragraph 7 of this Regulation, the means of electronic identification of a qualified increased security electronic identification service provider shall conform to the following requirements:

8.1. the information contained thereby is stored in a protected technical module which conforms to the regulations of the European Union and internationally recognised regulations governing the field of electronic identification;

8.2. they are activated within the time period specified by the qualified increased security electronic identification service provider according to the description of activation of the means of electronic identification of the qualified increased security electronic identification service provider;

8.3. the tangible materials are labelled and equipped with anti-counterfeit designations (for example, holograms or stickers);

8.4. they are equipped with a unique sequential number.

9. The term of validity for an element of the means of electronic identification containing personal data is:

9.1. not more than three years for the means of electronic identification issued by the qualified electronic identification service provider;

9.2. not more than five years for the means of electronic identification issued by the qualified increased security electronic identification service provider.

IV. Procedures by which the Termination of the Operation of the Means of the Qualified and Qualified Increased Security Electronic Identification is Ensured, and Procedures for Carrying out a Safe Verification of Electronic Identification

10. Upon terminating the operation of the means of electronic identification, the qualified and qualified increased security electronic identification service provider shall ensure the fulfilment of the following requirements:

10.1. comply with the requirement referred to in Sub-paragraph 3.2 of this Regulation;

10.2. implement measures to ensure that the terminated operation of the means of electronic identification cannot be renewed;

10.3. if possible, delete the data that are in the means of electronic identification;

10.4. if the electronic identification element containing personal data is returned to the qualified or qualified increased security electronic identification service provider, the relevant element is rendered unusable.

11. A safe verification of electronic identification shall be deemed to have taken place, if the following conditions are met:

11.1. the natural person has been identified, using the means of electronic identification issued by the qualified or qualified increased security electronic identification service provider;

11.2. electronic identification has taken place in accordance with the information indicated in the documents governing the operation of the qualified or qualified increased security electronic identification service provider and with the requirements of laws and regulations;

11.3. the qualified electronic identification service provider has checked the means of electronic identification of the natural person and elements thereof, including the conformity with the requirements referred to in Sub-paragraph 3.2 of this Regulation, updating the information at least once in 24 hours, and has obtained a certification that the means of electronic verification are valid;

11.3. the qualified increased security electronic identification service provider has checked the means of electronic identification of the natural person and elements thereof, including the conformity with the requirements referred to in Sub-paragraph 3.2 of this Regulation, updating the information without delay, and has obtained a certification that the means of electronic verification are valid.

V. Procedures for the Issue and Storage of an Authentication Certificate and Information Related to Unsuccessful Authentication Attempts

12. Upon a request of the electronic service provider, the qualified or qualified increased security electronic identification service provider shall issue an authentication certificate via a safe data transmission channel.

13. If possible, the qualified or qualified increased security electronic identification service provider shall save the following information regarding unsuccessful authentication attempts:

13.1. an indication of the security level of the used electronic identification service;

13.2. data of the natural person who made an unsuccessful authentication attempt;

13.3. date and time of the attempt of authentication which corresponds to the coordinated universal time (UTC) of the actual event with the accuracy of one second;

13.4. the Internet Protocol address from which the unsuccessful authentication attempt was made;

13.5. the name of the browser and version identification data;

13.6. the name of the electronic service for which the natural person made an unsuccessful authentication attempt;

13.7. the session identifier.

14. During the storage of authentication certificates and information regarding unsuccessful authentication attempts, the qualified or qualified increased security electronic identification service provider shall ensure:

14.1. the integrity of such information;

14.2. the measures to prevent that the information falls at the disposal of third parties;

14.3. permanent deletion of such information after expiry of the specified storage period.

VI. Procedures and Time Limits for the Security Verification of the Information Systems, Equipment and Procedures by which the Electronic Identification Service is Provided

15. An expert who has been included in the list of experts approved by the supervisory body (hereinafter - the expert) shall check whether the electronic identification service provider, prior to registration with the register, or a qualified or qualified increased security electronic identification service provider meets the requirements laid down in the Law on Electronic Identification of Natural Persons.

16. The expert shall carry out a security verification of the electronic identification service provider and the qualified or qualified increased security electronic identification service provider not later than within four months after agreeing on the carrying out of a security verification.

17. The expert shall prepare the statement of the security verification in Latvian and submit it to the electronic identification service provider and the qualified or qualified increased security electronic identification service provider. If the statement of the security verification has initially been prepared in a foreign language, it shall be submitted to the electronic identification service provider and the qualified or qualified increased security electronic identification service provider together with the statement of security verification in Latvian.

18. Costs of the security verification shall be covered by the electronic identification service provider or the qualified or qualified increased security electronic identification service provider.

19. The Regulation shall come into force on 1 January 2018.

Prime Minister Māris Kučinskis

Minister for Defence Raimonds Bergmanis

 


Translation © 2018 Valsts valodas centrs (State Language Centre)

 
Document information
Title: Noteikumi par kvalificēta un kvalificēta paaugstinātas drošības elektroniskās identifikācijas .. Status:
In force
in force
Issuer: Cabinet of Ministers Type: regulation Document number: 560Adoption: 19.09.2017.Entry into force: 01.01.2018.Publication: Latvijas Vēstnesis, 188, 21.09.2017. OP number: 2017/188.3
Language:
LVEN
Related documents
  • Amendments
  • Issued pursuant to
  • Annotation / draft legal act
293654
{"selected":{"value":"01.01.2018","content":"<font class='s-1'>01.01.2018.-30.12.2024.<\/font> <font class='s-3'>Sp\u0113k\u0101 eso\u0161\u0101<\/font>"},"data":[{"value":"31.12.2024","iso_value":"2024\/12\/31","content":"<font class='s-1'>31.12.2024.-...<\/font> <font class='s-2'>N\u0101kotnes<\/font>"},{"value":"01.01.2018","iso_value":"2018\/01\/01","content":"<font class='s-1'>01.01.2018.-30.12.2024.<\/font> <font class='s-3'>Sp\u0113k\u0101 eso\u0161\u0101<\/font>"}]}
01.01.2018
87
0
  • Twitter
  • Facebook
  • Draugiem.lv
 
0
Latvijas Vestnesis, the official publisher
ensures legislative acts systematization
function on this site.
All Likumi.lv content is intended for information purposes.
About Likumi.lv
News archive
Useful links
For feedback
Contacts
Mobile version
Terms of service
Privacy policy
Cookies
Latvijas Vēstnesis "Everyone has the right to know about his or her rights."
Article 90 of the Constitution of the Republic of Latvia
© Official publisher "Latvijas Vēstnesis"