Signature Act (Germany)
|Title:||Law on framework conditions for electronic signatures|
|Short title:||Signature law|
|Scope:||Federal Republic of Germany|
|Legal matter:||Commercial administrative law|
|Original version from:||July 22, 1997
( Federal Law Gazette I, pp. 1870, 1872 )
|Entry into force on:||August 1, 1997|
|Last revision from:||May 16, 2001
( BGBl. I p. 876 )
|Entry into force of the
new version on:
|May 22, 2001|
|Expiry:||July 29, 2017
(Art. 12 G of July 18, 2017, Federal Law Gazette I p. 2745, 2756 )
|Please note the note on the applicable legal version.|
The purpose of the Signature Act ( Act on Framework Conditions for Electronic Signatures , SigG for short ) was to create framework conditions for electronic signatures . It was largely superseded on July 1, 2016 by Regulation (EU) No. 910/2014 on electronic identification and trust services for electronic transactions in the internal market ( eiDAS Regulation ), expired on July 29, 2017 and was replaced by the Trust Services Act ( VDG) replaced.
The aim was to obtain increased legal security for internet-based business transactions ( e-commerce ) and electronic processes in public administration ( e-government ) through the use of electronic signatures . The Signature Act and the associated Signature Ordinance (SigV) stipulate requirements for certification service providers (ZDAs) , products for electronic signatures, as well as for testing and confirmation bodies that check compliance with or implementation of these requirements. Certification services within the meaning of the Signature Act are the issuance of qualified certificates and qualified time stamps , i. H. the signature law exclusively regulated the provision of these certification services.
Types of electronic signature
The Signature Act defined next to the (simple) electronic signature advanced electronic signature , the increased demands on the asset must meet, and the qualified electronic signature , an advanced electronic signature based on a qualified certificate, with a secure signature creation device (SSCD) created has been.
Requirements for qualified certificates and qualified time stamps
Qualified certificates certify the assignment of signature verification keys to a natural person and their identity ( § 2 Paragraph 7 SigG). They must have certain minimum content ( § 7 SigG and § 14 SigV). In particular, they must unmistakably identify the signature key holder; the use of pseudonyms is expressly permitted. Furthermore, they must contain the name and country of the issuer, the certified signature verification key and the algorithms with which it can be used, a defined period of validity, a serial number, identification as a qualified certificate and, if applicable, restrictions on the use of the certified signature key. Qualified certificates must have a qualified electronic signature. The period of validity of a qualified certificate may not exceed ten years ( Section 14 (3) SigV).
Additional attributes for a holder of a qualified certificate, e.g. B. about a power of representation, a profession or other information can either be included in the certificate itself or in a qualified attribute certificate that refers to it. The validity of a qualified attribute certificate ends with the validity of the qualified certificate to which it refers ( § 14 Paragraph 3 SigV).
Qualified time stamps certify that certain data was available at a specified time. The technical components used for their exhibition must ensure that the legal time valid at the time of generation is recorded in an undistorted manner in the time stamp ( Section 15 (3) SigV), and that forgeries and falsifications are excluded ( Section 17 (3) No. 1 SigG). Qualified time stamps do not necessarily have to be provided with an electronic signature.
Requirements for certification services and their providers
A ZDA, i.e. a provider of qualified certificates or qualified time stamps, must meet the following requirements:
- He must reliably identify the applicant (i.e. the certificate holder) ( Section 5 (1) SigG and Section 3 (1) SigV) and ensure that he / she owns the associated SSEE or personally hand over the SSEE and its activation data ( Section 5 (2) SigV). If additional information is to be included in the qualified certificate or in a qualified attribute certificate, he must reliably check this ( Section 3 (2) SigV).
- He must inform the certificate holder about measures for the security of qualified electronic signatures and their reliable verification, as well as about their legal validity ( § 6 SigG and § 6 SigV).
- Issued certificates must be verifiable in a public directory at any time and up to 5 years after their expiry date and - if the holder agrees - be kept accessible ( Section 5 SigG and Section 4 Paragraph 1 SigV).
- He must take precautions so that the qualified certificates cannot be forged or falsified ( Section 5 (4) SigG).
- The certificates must be blocked immediately at the request of the holder or another person authorized to block them ( § 8 SigG). He must convince himself of the identity and authorization of this person ( § 7 SigV). For errors there is a fault liability with reversal of the burden of proof ( § 11 SigG).
- He must document the issue of qualified certificates and qualified time stamps to the specified extent ( § 8 SigV).
- He must comply with data protection regulations.
- The personnel deployed must have the necessary specialist knowledge and reliability.
- The products for qualified electronic signatures used for the certification service must have the security properties specified in § 17 SigG and § 15 SigV. In addition to secure signature creation units and signature application components, these products also include the components for generating and transmitting signature keys (key generator), guaranteeing the verifiability of the certificates (information service) and the issuing of qualified time stamps. The fulfillment of the requirements must have been checked and confirmed by a recognized body in accordance with the ITSEC or Common Criteria test criteria specified in Annex 1 SigV .
The ZDA is liable for damage resulting from a breach of its obligations ( § 11 SigG) and must show a defined financial security ( § 12 SigG and § 9 SigV).
Before discontinuing its certification services, the ZDA must notify the Federal Network Agency in good time and ensure that the blocking and information services continue until the certificates issued have expired ( Section 13 SigG and Section 10 SigV). In case of doubt, the Federal Network Agency must take over these services.
ZDAs can obtain accreditation from the Federal Network Agency ( § 15 SigG and § 11 SigV). To do this, they must prove that the requirements of the law have been implemented by means of an examination and confirmation by a recognized body. In addition, they must keep the certificates they have issued verifiable for at least thirty years ( Section 4 (2) SigV). Signatures that are based on qualified certificates issued by accredited providers are referred to in the literature as "accredited signatures". They offer the highest level of security.
With its own certification service, the Federal Network Agency issues accredited ZDAs the certificates they need for their activities ( Section 16 SigG). This certification service represents the root authority (Root CA) in the certification hierarchy.
Recognition of testing and confirmation bodies
The Federal Network Agency can authorize bodies to check and confirm compliance with the requirements for certification services or for products for qualified electronic signatures ( Section 18 SigG and Section 16 SigV). The bodies must prove their independence, reliability and specialist knowledge. Testing and confirmation bodies for products must in particular have sufficient experience with the necessary test criteria.
Implementation of supervision
A ZDA is subject to supervision by the Federal Network Agency ( Section 19 , SigG) and must report the start of its business operations to it ( Section 4 SigG and Section 1 SigV). In doing so, he must present a security concept in which he shows that the requirements have been met ( § 10 , SigG and § 2 SigV). During operation, the Federal Network Agency monitors compliance with the regulations and may temporarily or completely prohibit operation in the event of violations. The certification authority can also order the revocation of individual or all issued certificates if there are indications that their security is no longer guaranteed.
As part of its supervision, the Federal Network Agency can also withdraw an accreditation that has been granted. In this case, the certificate issued by the root CA is revoked. The validity of the certificates issued by the ZDA concerned remains unaffected.
Legal consequences of qualified electronic signatures
The Signature Act does not determine the legal consequences of the use of qualified electronic signatures. Rather, according to the initially highly controversial conception of the legislature, this is reserved for the laws that also otherwise make certain formal requirements. The electronic form of civil law according to § 126a BGB, that of public law according to § 3a VwVfG and that of procedural law ( § 130a ZPO) should be mentioned. In Germany, § 14 UStG required a qualified electronic signature on electronically transmitted invoices by mid-2011. Otherwise, the company receiving the invoice was not entitled to deduct input tax. This obligation was repealed by the Tax Simplification Act 2011. Qualified electronic signatures have the appearance of authenticity on their side, § 371a ZPO.
The Signature Act was first enacted in 1997 as part of the Information and Communication Services Act IuKDG ( Federal Law Gazette I p. 1870, 1872 ; FNA: 9020-8). In this version, it provided for an approval requirement for certification bodies (today's certification service providers). Before the approval, the safety of the processes and products had to be checked by the authorities.
In 1998, Sections 11 and 13 of the Act were amended by the Act amending the Introductory Act to the Insolvency Code and other laws to the effect that instead of "bankruptcy or settlement proceedings" it was now called "Insolvency proceedings" ( Federal Law Gazette I, p. 3836, 3840 ). The editorial change had become necessary because of the entry into force of the insolvency regulation , which replaced the previous bankruptcy regulation and settlement regulation.
The enactment of the European Signature Directive 1999/93 / EC made a fundamental revision of the law necessary. Above all, it had to be ensured that certification services could also be operated without a permit. In return, they should be strictly liable for errors that occur. These requirements were taken into account when the SigG 2001 was enacted, which was published on May 21, 2001 as Article 1 of the “Act on Framework Conditions for Electronic Signatures and for Changes to Other Regulations” ( Federal Law Gazette I p. 876 ) and on May 22, 2001 in Strength kicked. The previously approved certification bodies are now considered to be accredited providers. The liability regulation can be found in § 11 SigG.
In 2004 the signature law was changed. With the 1st SigÄndG discrepancies were resolved. Above all, however, the legislature reacted with it to the wishes of the German banking system , which want to offer certification services themselves and thus improve their position in terms of evidence in online banking . The federal government hoped that the credit institutes would step in and the EC card with signature function that was made possible in this way would allow the certificate-based signature technology, which has so far hardly been accepted by the market, to be widely used. In addition, Section 2 No. 9 SigG clarified that a certificate is only required for qualified signatures. This enables providers of biometric signature systems to use the handwritten signature as an identification feature for advanced electronic signatures. A second, slightly modified draft eventually became law. It is published in the Federal Law Gazette 2005 Part I P. 2 and came into force on January 11, 2005.
The Signature Act was changed by the “Electronic Business Transactions Unification Act” of February 26, 2007, which came into force on March 1, 2007 ( Federal Law Gazette I p. 179 ). With Art. 4 of this , the legislature corrected editorial errors that it had caused itself with the “Second Law for the New Regulation of Energy Industry Law ” ( BGBl. 2005 I p. 1970 ).
It was then changed by Art. 4 of the law for the implementation of the Services Directive in trade law and in other legal provisions of July 17, 2009 ( Federal Law Gazette I p. 2091 ). With this in § 20a SigG the "procedure via a single body " of §§ 71a ff. VwVfG was declared applicable.
- Grigorjew, Olga: Proof suitability of advanced electronic signatures , Kassel 2015, ISBN 9783862199600
- Skrobotz, Jan: "Lex Deutsche Bank": The 1st SigÄndG , Data Protection and Data Security (DuD) 2004 , 410
- Lenz, Jörg Matthias / Schmidt, Christiane: The electronic signature , Dt. Sparkassen-Verl., Stuttgart 2004, ISBN 3-09-305705-1
- Comments on the Signature Act and the Signature Ordinance:
- Manssen, Gerrit (Ed.): Telecommunications and multimedia law . Erich Schmidt Verlag, Berlin, ISBN 3-503-04817-0
- Roßnagel, Alexander (Hrsg.): Law of the multimedia services . CH Beck, Munich, ISBN 3-406-44463-6
- Spindler, Gerald / Schmitz, Peter / Geis, Ivo (eds.): TDG . CH Beck, Munich, ISBN 978-3-406-49548-9
- Text of the Signature Act
- Information on signature rights in Germany with numerous links on the OpenLimit website
- ↑ Justification for the draft of a law on framework conditions for electronic signatures and for changes to other regulations ( Memento of the original of July 14, 2007 in the Internet Archive ) Info: The archive link has been inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice.
- ↑ BT-Drs. 15/3417
- ↑ BT-Drs. 15/4172
- ↑ On this also BT-Drs. 16/12784 and BT-Drs. 16/13399 .