Decree-Law no. 88/2009, of 9 April



Presidência do Conselho de Ministros (Council of Ministers' Presidency)

Decree-Law


The field of technology constitutes one of the pillars of the agenda for change produced by the XVII Constitutional Government to mobilize Portuguese society for the challenges of modernization. Within the framework of this agenda, the Government established as a priority within public policy the adoption of a range of technological modernization initiatives, the aim of which was to facilitate the life of citizens and the activity of businesses, and also to increase the availability and improve the quality of public services.

The qualitative effort of the public policies adopted has allowed Portugal, in recent years, to begin a process of evolution and convergence in the international framework, in terms of technological innovation and modernization. One of the fields in which Portugal achieved results more rapidly was in the implementation of a public keys infrastructure entirely suitable for guaranteeing mechanisms of digital authentication of identities and qualified electronic signatures. In this context, the creation of the State Electronic Certification System, by means of Decree-Law no. 116-A/2006, of 16 June, was crucial, both in institutional and technical terms, in order to ensure the unity, integration and efficacy of a hierarchy of trust which guarantees electronic security and strong digital authentication of electronic transactions between the various services and bodies of the Public Administration and between the State and citizens and companies.

The State Electronic Certification System also allowed for the development of several public programmes for the promotion of the information and communication technologies and enabled the introduction of new procedures of relationship within society, between citizens, companies, non-governmental organizations and the State, aimed at strengthening the information society and e-government.

On the other hand, the generalized access of citizens and companies to the Internet, in addition to the dynamism of business activity and civil society in the incorporation of the new information and communication technologies created new needs and challenges for the distribution and provision of goods and services by private bodies via electronic means.

Not forgetting the need to maintain a stable structure for the State Electronic Certification System, based on criteria that guarantee its proper functioning and which do not fail to promote its economic rationality and efficacy and efficiency in the provision of electronic certification services, it is intended, by means of this Decree-Law, to accompany the recent evolution seen in Portugal and, taking into account the need to guarantee better legal protection in the use of the new information and communication technologies in the public and private sectors, the fourth amendment to Decree-Law no. 290-D/99, of 2 August, is produced, which establishes the legal regime for electronic documents and digital signatures, and also the first amendment to Decree-Law no. 116-A/2006, of 16 June, which creates the State Electronic Certification System - Public Keys Infrastructure and which appointed the National Security Authority as the national accreditation authority.

Regarding the regime of electronic documents and electronic signatures and safeguards for the requirements of ensuring compatibility with Directive no. 1999/93/EC, of the European Parliament and of the Council of 13 December, this Decree-Law undertakes the respective harmonization with Decree-Law no. 116-A/2006, of 16 June, namely with regard to the use of qualified certificates by public bodies.

Furthermore, the regime set out in Decree-Law no. 290-D/99, of 2 August, although highly detailed in the regulations regarding the nature of electronic certification and of electronic documents and legal acts, and also of access to the activity of electronic certification, did not provide for an adequate framework of sanctions for the exercise of supervision by the competent administrative authorities similar to that which occurs in other legal systems. Indeed, the desirable massification of the use of qualified digital certificates, both for the purposes of authentication and for the purposes of qualified electronic signature, with the fact that the evidential effect of the corresponding electronic documents will be recognized, requires the introduction of a series of sanctions with a purpose which is simultaneously preventive and persuasive of strict compliance with the legal rules by the certifying bodies that operate in this market.

Regarding the State Electronic Certification System, the amendments introduced by this Decree-Law seek to allow recognition by the State Electronic Certification Body of public or private certifying bodies which exercise, outside the State Electronic Certification System, the functions of a certifying body in accordance with the provisions of Decree-Law no. 290-D/99, of 2 August.

The possibility of the State Electronic Certification Body issuing certificates to certifying bodies which act outside the State Electronic Certification System will allow the other national certifying bodies to have a guarantee that their respective certificates will be internationally recognized, and will allow them to benefit from interoperability agreements that the State Electronic Certification System celebrates with other public keys infrastructures. Furthermore, taking into account the high technical and administrative requirements imposed within the scope of the State Electronic Certification System, the integration of those bodies will not only strengthen confidence in the certificates issued by them but also confer a higher level of robustness which will allow the respective certification services offered to become more competitive.

The bodies of the governments of the Autonomous Regions were consulted.

Accordingly:

Pursuant to the provisions of Article 198(1)(a) of the Constitution, the Government decrees the following:

Article 1
Amendment to Decree-Law no. 290-D/99, of 2 August

Articles 5, 28, 29, 38 and 40 of Decree-Law no. 290-D/99, of 2 August, amended by Decree-Laws nos. 62/2003, of 3 April, 165/2004, of 7 June, and 116-A/2006, of 16 June, shall now have the following wording:

«Article 5
Electronic documents from public bodies

1 - Public bodies may issue electronic documents bearing a qualified electronic signature in line with the rules of this Decree-Law and with the provisions of Decree-Law no. 116-A/2006, of 16 June.

2 - In operations regarding the creation, issue, storage, reproduction, copying and transmission of electronic documents which formalize administrative acts via computer systems, including the transmission thereof by telecommunications, data regarding the body concerned and the person who practised each administrative act may be indicated so as to render them readily identifiable and so as to record the function or position of the person who signs each document.

Article 28
[...]

1 - ...

2 - ...

3 - ...

4 - ...

a) ...

b) ...

c) ...

d) The evidential effect of documents bearing an electronic signature.

5 - ...

Article 29
[...]

1 - ...

a) ...

b) ...

c) ...

d) ...

e) ...

f) ...

g) ...

h) ...

i) ...

j) ...

l) An indication whenever the private key of the holder is stored on a secure signature creation device.

2 - ...

Article 38
[...]

1 - ...

2 - ...

3 - ...

4 - ...

5 - Also applicable to the bodies referred to in paragraphs 1, 2 and 3 which exercise their activity in Portugal is the obligation to register referred to in Article 9(2), in order to guarantee the indication that they are fully equivalent to certifying bodies in accordance with this Decree-Law.

6 - The obligation to register referred to in the previous paragraph is extensible to national bodies which provide electronic certification services using qualified certificates issued by the bodies referred to in paragraphs 1, 2 and 3.

Article 40
[...]

The accreditation authority responsible for the registration, accreditation and supervision of the certifying bodies issuing qualified certificates is the National Security Authority.»

Article 2
Addition to Decree-Law no. 290-D/99, of 2 August

Articles 36-A, 36-B and 36-C are added to Decree-Law no. 290-D/99, of 2 August, amended by Decree-Laws nos. 62/2003, of 3 April, 165/2004, of 7 June, and 116-A/2006, of 16 June, with the following wording:

«Article 36-A
Administrative offences

1 - The following constitute administrative offences:

a) The issue by certifying bodies of qualified certificates without prior registration with the accreditation authority;

b) Violation by the certifying body of the duties provided for in sub-paragraphs d), f), g), h), i), j), n), q) and r) of Article 24;

c) Failure by the certifying body to supply users with the information provided for in Article 24 l) and Article 28(4);

d) The supply of false information regarding the evidential effect of the certificates;

e) Violation by the certifying body of any of the duties provided for in Article 25;

f) Violation by the certifying body of the duties to inform provided for in Article 27(1) and (2);

g) Violation of the duties provided for in Article 28(3);

h) Failure to organize and maintain the record referred to in Article 28(5), and the respective updating;

i) The lack of one or more of the elements of information provided for in Article 29(1);

j) The failure by a certifying body to suspend a certificate whenever any of the situations provided for in Article 30(1) is confirmed;

l) The failure by a certifying body to revoke a certificate whenever any of the situations provided for in Article 30(3) is confirmed;

m) Violation of the duty of retention of information provided for in Article 30(6);

n) Making the trading or provision of a certain good or service, including its sale exclusively as a bundle, conditional on the choice of a particular certifying body;

o) The provision of false or incomplete declarations or information within the scope of the accreditation procedure provided for in Article 12 et seq.;

p) Violation of the duties provided for in Article 30(7) and (8);

q) Violation of the duties to inform provided for in Article 32(1).

2 - The following also constitute administrative offences:

a) Failure to comply with the time limits provided for in Article 13(3);

b) Failure by the certifying bodies to inform, within the time limit, of the amendments provided for in Article 22;

c) Violation by the certifying body of the duties provided for in Article 24(o) and (p);

d) Failure to inform the respective holder of the decision to suspend or revoke the qualified certificates provided for, respectively, in Article 30(2) and Article 30(4);

e) Violation of the duties to inform provided for in Article 32(2) and (3);

f) Failure to comply with the provisions of Article 33;

g) Violation of the duty to inform provided for in Article 34.

Article 36-B
Sanctions

1 - Fines are applicable to the administrative offences provided for in paragraph 1 of the previous article of between 1,500 and 3,740.98 Euros, in the case of natural persons, and between 15,000 and 44,891.81 Euros, in the case of legal persons.

2 - Fines are applicable to the administrative offences provided for in paragraph 2 of the previous article of between 500 and 2,500 Euros, in the case of natural persons, and between 6,000 and 30,000 Euros, in the case of legal persons.

3 - Negligence is punishable, with the minimum and maximum limits of the fines applicable being reduced to half.

4 - Together with the fines provided for in the previous paragraphs and notwithstanding other sanctions provided for in this Decree-Law, depending on the severity of the infraction or the fault of the agent, an additional sanction may be applied prohibiting the exercise of the activity of the certifying body issuing qualified certificates up to a maximum period of two years.

5 - Whenever any of the administrative offences referred to in paragraph 1 of the previous article is committed, this fact should be advertised on the Internet site of the accreditation authority, and also on the register referred to in Article 9(2).

Article 36-C
Administrative offence proceedings

1 - The accreditation authority is responsible for initiating administrative offence and additional sanction proceedings, and its General Director is responsible for the application of fines.

2 - The proceeds from the application of fines shall revert in 60% to the State and in 40% to the accreditation authority.

3 - For all situations not provided for in this chapter, the general regime for administrative offences is additionally applicable.»

Article 3
Amendment to Decree-Law no. 116-A/2006, of 16 June

Articles 1, 3, 4, 5, 7 and 8 of Decree-Law no. 116-A/2006, of 16 June, shall now have the following wording:

«Article 1
[...]

1 - ...

2 - Only State certifying bodies recognized within the scope of the SECS may provide electronic certification services to State public bodies and to services and bodies of the Public Administration or other bodies which exercise certification functions in compliance with its public aims.

3 - The SECS may recognize beyond its scope, for the purposes of affiliation with the State’s core certification body, other public or private certifying bodies which exercise functions of a certifying body in accordance with the provisions of Decree-Law no. 290-D/99, of 2 August, and which comply with the requirements provided for in this Decree-Law.

4 - The public and private certifying bodies referred to in the previous paragraph are not part of the SECS.

Article 3
[...]

1 - ...

2 - ...

a) ...

b) ...

c) ...

d) ...

e) ...

f) ...

g) ...

h) ...

i) ...

j) Agência para a Modernização Administrativa, I. P. - Administrative Modernization Agency, Public Institute;

l) One representative of each public certifying body included within the SECS which is not represented by any of the bodies referred to in the previous sub-paragraphs.

3 - ...

4 - ...

5 - ...

6 - ...

7 - ...

Article 4
[...]

1 - ...

a) ...

b) ...

c) ...

d) ...

e) To pronounce on the exclusion from the SECS of certifying bodies in the case of failure to comply with the approved policies and practices, notifying the accreditation authority of such fact.

2 - ...

Article 5
[...]

1 - ...

2 - ...

3 - ...

4 - ...

5 - ...

6 - The State Electronic Certification Body issues certificates exclusively to the certifying bodies which are subject to it, and may not issue certificates to the general public.

7 - State certifying bodies, and the public or private certifying bodies referred to in Article 1(3) which comply with the requirements provided for in Article 7(1), may become affiliated to the State Electronic Certification Body.

Article 7
[...]

1 - State certifying bodies are bodies which exercise the functions of a certifying body in accordance with the provisions of Decree-Law no. 290-D/99, of 2 August, and the respective regulations, and which:

a) ...

b) ...

c) Are capable of having all the electronic certification services made available by them directly supervised by the accreditation authority.

2 - (Revoked.)

3 - (Revoked.)

4 - ...

5 - The registration services may be assigned to individual or collective bodies, appointed as registration bodies, with which the certifying bodies agree the provision of services of identification and registration of certificate users, and also the management of requests for certificate revocation, in accordance with the provisions of Article 4 (1) of Implementing Decree no. 25/2004, of 15 July.

Article 8
[...]

1 - The accreditation authority responsible for the registration, accreditation and supervision of the certifying bodies included within the SECS is the National Security Authority.

2 - Within the scope of the application of Article 1, the National Security Authority is responsible for issuing the accreditation certificate of the certifying bodies and exercising the powers of accreditation provided for in Decree-Law no. 290-D/99, of 2 August.

3 - ...»

Article 4
Heading

Chapter IV of Decree-Law no. 290-D/99, of 2 August, shall now have the following heading: «Supervision and sanctions regime».

Article 5
Repealing provision

Paragraphs 2 and 3 of Article 7 of Decree-Law no. 116-A/2006, of 16 June, are revoked.

Article 6
Republication

1 - Decree-Law no. 290-D/99, of 2 August, with its current wording is republished, in Annex I to this Decree-Law, of which it is an integral part.

2 - Decree-Law no. 116-A/2006, of 16 June, with its current wording is republished, in Annex II to this Decree-Law, of which it is an integral part.

Read and approved in the Council of Ministers of 5 March 2009. - José Sócrates Carvalho Pinto de Sousa - Fernando Teixeira dos Santos - Manuel Pedro Cunha da Silva Pereira - José Manuel dos Santos de Magalhães - Alberto Bernardes Costa - Mário Lino Soares Correia - José Mariano Rebelo Pires Gago.

Promulgated on 27 March 2009.

Issued.

The President of the Republic, Aníbal Cavaco Silva.

Authenticated on 31 March 2009.

The Prime Minister, José Sócrates Carvalho Pinto de Sousa.

ANNEX I

(referred to in Article 5(1))

Republication of Decree-Law no. 290-D/99, of 2 August

CHAPTER I

Electronic documents and legal acts


Article 1
Subject

This statute regulates the validity, efficacy and evidential effect of electronic documents, electronic signatures and the certification activity of certifying bodies established in Portugal.

Article 2
Definitions

For the purposes of this statute, the following terms shall have the following meanings:

a) «Electronic document»: a document created by electronic data processing;

b) «Electronic signature»: the result of electronic data processing, which can be the subject of an exclusive individual right and be used to indicate the authorship of an electronic document;

c) «Advanced electronic signature»: electronic signature which fulfils the following requirements:

i) It unequivocally identifies the holder as the author of the document;

ii) The inclusion thereof depends only on the will of the holder;

iii) It is created using means that the holder can maintain under his exclusive control;

iv) The link between the signature and the document is such that it is possible to detect all subsequent alterations thereof;

d) «Digital signature»: the type of advanced electronic signature based on an asymmetric cryptographic system, comprising an algorithm or series of algorithms, which generate a pair of asymmetric, exclusive and interdependent keys, one of which is private while the other is public, and which permits the holder to use the private key to indicate the authorship of the electronic document to which the digital signature is affixed and acceptance of the contents thereof, and which permits the person who receives the document to use the public key to confirm that the signature was created using the corresponding private key and to check whether the document has been altered since the signature was affixed thereto;

e) «Private key»: one of a pair of asymmetric keys which is known only to its holder, which is used by the holder to affix a digital signature to an electronic document, or which is used to decipher an electronic document encrypted with the corresponding public key;

f) «Public key»: one of a pair of asymmetric keys to be publicised, which is used to check the digital signature affixed to an electronic document by the holder of the pair of asymmetric keys, or to encrypt an electronic document to be transmitted to the holder of the said pair of keys;

g) «Qualified electronic signature»: digital signature or other type of advanced electronic signature that satisfies security requirements identical to those of the digital signature based on a qualified certificate and created by means of a secure signature creation device;

h) «Signature creation data»: unique data, such as private keys, used by the holder for the creation of an electronic signature;

i) «Signature creation device»: software or hardware used to enable handling of signature creation data;

j) «Secure signature creation device»: signature creation device which, by appropriate technical and procedural means, ensures that:

i) The data necessary for the creation of a signature which is used to generate a signature may only occur a single time and that the confidentiality of this data is guaranteed;

ii) The data necessary for the creation of a signature which is used to generate a signature may not, with a reasonable level of assurance, be deduced from other data and that the signature is protected against forgery using currently available technology;

iii) The data necessary for the creation of a signature which is used to generate a signature may be effectively protected by the holder against illegitimate use by third parties;

iv) The data to be signed shall not be modified and may be presented to the holder prior to the signing procedure;

l) «Signature verification data»: data, such as public keys, used to verify an electronic signature;

m) «Accreditation»: the act by which a body which so requests and which exercises the activity of a certifying body is recognized as fulfilling the requirements defined in this statute for the purposes provided herein;

n) «Accreditation authority»: the body responsible for the accreditation and supervision of certifying bodies;

o) «Certifying body»: body or natural or legal person which creates or provides means for the creation and verification of signatures, issues certificates, ensures the publicity thereof and provides other services related to electronic signatures;

p) «Certificate»: electronic document which links the signature verification data to its holder and confirms the identity of that holder;

q) «Qualified certificate»: certificate which contains the elements referred to in Article 29 and is issued by a certifying body which fulfils the requirements defined in Article 24;

r) «Holder»: natural or legal person identified in a certificate as the holder of a signature creation device;

s) «Electronic signature product»: software, hardware or specific components thereof, intended to be used in the provision of qualified electronic signature services by a certifying body or in the creation and verification of a qualified electronic signature;

t) «Certification organ»: public or private body responsible for assessing and certifying the compliance of the electronic signature processes, systems and products with the requirements referred to in Article 12(1)(c);

u) «Chronological validation»: statement by a certifying body which attests to the time and date of the creation, sending or receipt of an electronic document;

v) «Electronic address»: identification of computer equipment which is capable of receiving and storing electronic documents.

Article 3
Form and evidential effect

1 - An electronic document shall comply with the legal requirement that it be in writing when its contents can be represented as a written statement.

2 - When an electronic document with the contents referred to in the previous paragraph bears a qualified electronic signature certified by an accredited certifying body, it shall be of an equivalent evidential value to that of a private signed document, in accordance with Article 376 of the Civil Code.

3 - When an electronic document, the contents of which may not be represented in the form of a written statement, bears a qualified electronic signature certified by an accredited certifying body, it shall be of an equivalent evidential value to that provided for in Article 368 of the Civil Code and Article 167 of the Code of Criminal Procedure.

4 - The provisions of the previous paragraphs shall not prevent the use of another means of proving the authorship and integrity of electronic documents, including other types of electronic signature, provided that the said means is adopted by the parties pursuant to a valid evidence agreement or is accepted by the person against whom the document is presented.

5 - Notwithstanding the provisions of the previous paragraph, the evidential effect of electronic documents which do not bear a qualified electronic signature certified by an accredited certifying body shall be assessed under the general terms of the law.

Article 4
Copies of documents

Copies of electronic documents, on an identical or different support, shall be valid and effective in accordance with the general provisions of the law and shall have the same evidential value afforded to photocopies by Article 387(2) of the Civil Code and Article 168 of the Criminal Procedure Code, provided that the requirements contained therein are complied with.

Article 5
Electronic documents from public bodies

1 - Public bodies may issue electronic documents bearing a qualified electronic signature in accordance with the rules of this Decree-Law and with the provisions of Decree-Law no. 116-A/2006, of 16 June.

2 - In operations regarding the creation, issue, storage, reproduction, copying and transmission of electronic documents which formalize administrative acts via computer systems, including the transmission thereof by telecommunications, data regarding the body concerned and the person who practised each administrative act may be indicated so as to render them readily identifiable and so as to record the function or position of the person who signs each document.

Article 6
Communication of electronic documents

1 - Electronic documents sent by telecommunications shall be deemed to be sent and to be received by the addressee, if transmitted to and received at an electronic address stipulated by agreement between the parties.
 
2 - The date and time of the creation, transmission or receipt of an electronic document which contains a chronological validation issued by a certifying body may be raised between the parties thereto and in dealings with third parties.

3 - The transmission of an electronic document bearing a qualified electronic signature by a means of telecommunications which ensures effective receipt shall be equivalent to a delivery sent by registered mail, and if the reception thereof is proved by a confirmation message in the same form, addressed to the sender from the addressee, it shall be equivalent to a delivery by registered mail with recorded delivery.

4 - Data and documents transmitted by telecommunications shall be deemed to be in the power of the sender until received by the addressee.

5 - Operators which provide the means to transmit electronic documents by telecommunications shall not become aware of the contents thereof nor shall they, in any way, copy them or provide third parties with any information regarding the existence or contents of the said documents, including a summary or extract thereof, except when this information is intended to become public, either at the express request of the sender or because of the nature thereof.

CHAPTER II

Qualified electronic signatures


Article 7
Qualified electronic signature

1 - The inclusion of a qualified electronic signature in an electronic document shall be equivalent to a handwritten signature on a written document and shall give rise to the presumption that:

a) The person who included the qualified electronic signature is the holder of the signature or is the authorized representative of the legal person who is holder of the qualified electronic signature;

b) The qualified electronic signature was included with the intention of signing the electronic document;

c) The electronic document has not suffered any change since the qualified electronic signature was included in it.

2 - The qualified electronic signature shall refer unequivocally to a single natural or legal person and to the document in which it is included.

3 - The inclusion of a qualified electronic signature shall replace, for all legal purposes, the affixing of seals, stamps, markings or other elements identifying its holder.

4 - The inclusion of a qualified electronic signature on a certificate which is revoked, expired or suspended at the time of the signature or which does not comply with the conditions provided therein shall be equivalent to no signature.
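The mechanism that Article 2(d) to (f) describes (a private key affixes the signature, the corresponding public key lets the recipient confirm authorship and detect any later alteration) and the rule of Article 7(4) (a signature made while the certificate is revoked, expired or suspended counts as no signature) can be shown together in working code. The following Go program is an added illustration and is not part of the decree or of any Portuguese certification system; it uses Ed25519 from Go's standard library and a constructed `Certificate` struct that keeps only the holder, the public key, a validity window and a status label. A real qualified certificate carries the elements of Article 29 and its status is checked against the certifying body's revocation information, not a field embedded in the certificate, so the `Status` field and the `Verify`, `Sign` and `Demo` function names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Certificate is a constructed, minimal stand-in for the statute's
// "certificate" (Article 2(p)): it links the signature verification data
// (the public key, Article 2(f)) to a named holder. Real qualified
// certificates are X.509 structures with the content listed in Article 29;
// the Status field here is a simplification standing in for a revocation check.
type Certificate struct {
	Holder    string
	PublicKey ed25519.PublicKey
	NotBefore time.Time
	NotAfter  time.Time
	Status    string // "valid", "suspended" or "revoked" (constructed labels)
}

// SignedDocument pairs an electronic document with the digital signature
// affixed to it and the moment at which the signature was made.
type SignedDocument struct {
	Content   []byte
	Signature []byte
	SignedAt  time.Time
}

var (
	// ErrAltered: the public key does not confirm the signature, so either the
	// document changed after signing or another private key was used (Article 2(d)).
	ErrAltered = errors.New("document altered after signing or signed with a different key")
	// ErrCertificate: the certificate was not valid at signing time (Article 7(4)).
	ErrCertificate = errors.New("certificate revoked, expired or suspended at the time of signing")
)

// GenerateKeyPair produces the pair of asymmetric keys of Article 2(d): the
// private key (Article 2(e)) stays with the holder, the public key (Article 2(f))
// is what the certificate publicises.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign affixes a digital signature to the document using the holder's private key.
func Sign(priv ed25519.PrivateKey, content []byte, at time.Time) SignedDocument {
	return SignedDocument{Content: content, Signature: ed25519.Sign(priv, content), SignedAt: at}
}

// Verify is what the recipient does with the public key: it confirms that the
// signature was created with the corresponding private key and that the document
// has not been altered since. Before that it applies Article 7(4) and treats a
// signature made outside the certificate's validity, or while the certificate was
// suspended or revoked, as no signature at all.
func Verify(cert Certificate, doc SignedDocument) error {
	if cert.Status != "valid" || doc.SignedAt.Before(cert.NotBefore) || doc.SignedAt.After(cert.NotAfter) {
		return ErrCertificate
	}
	if !ed25519.Verify(cert.PublicKey, doc.Content, doc.Signature) {
		return ErrAltered
	}
	return nil
}

// Demo runs three constructed cases and returns their verification results:
// an intact document (nil), a document altered after signing (ErrAltered) and a
// signature made after the certificate expired (ErrCertificate).
func Demo() (intact, altered, expired error, setupErr error) {
	pub, priv, genErr := GenerateKeyPair()
	if genErr != nil {
		return nil, nil, nil, genErr
	}
	issued := time.Date(2009, 4, 9, 0, 0, 0, 0, time.UTC) // constructed issue date
	cert := Certificate{
		Holder: "Example Holder (constructed)", PublicKey: pub,
		NotBefore: issued, NotAfter: issued.AddDate(3, 0, 0), Status: "valid",
	}
	content := []byte("Constructed sample electronic document.")

	doc := Sign(priv, content, issued.AddDate(1, 0, 0))
	intact = Verify(cert, doc)

	tampered := doc // same signature, content flipped by one bit after signing
	tampered.Content = append([]byte{}, content...)
	tampered.Content[0] ^= 0x01
	altered = Verify(cert, tampered)

	late := Sign(priv, content, cert.NotAfter.AddDate(0, 0, 1)) // one day after expiry
	expired = Verify(cert, late)
	return intact, altered, expired, nil
}

func main() {
	intact, altered, expired, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("intact document:  ", intact)
	fmt.Println("altered document: ", altered)
	fmt.Println("expired at signing:", expired)
}
```

The order of the checks in `Verify` matters: certificate validity is decided first, so a cryptographically correct signature made on an expired or suspended certificate is rejected before the public key is consulted, which is the outcome Article 7(4) prescribes.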

Article 8
Obtaining of signature data and certificate

Whosoever intends to use a qualified electronic signature shall, in accordance with Article 28(1), generate or obtain the signature creation and verification data, and also obtain the respective certificate issued by a certifying body in accordance with this statute.

CHAPTER III

Certification


SECTION I

Access to the certification activity

Article 9
Free access to the certification activity

1 - The activity of a certifying body may be freely exercised, with the request for accreditation governed by Article 11 et seq. being optional.

2 - Notwithstanding the provisions of the previous paragraph, certifying bodies issuing qualified certificates shall register with the accreditation authority, under the terms to be set by ministerial order from the member of the Government responsible for the accreditation authority.

3 - Accreditation and registration are subject to the payment of fees according to the costs associated with the corresponding administrative, technical, operating and supervisory tasks, under the terms to be set by a joint order of the member of the Government responsible for the accreditation authority and the Minister for Finance, which shall constitute revenue of the accreditation authority.

Article 10
Free choice of the certifying body

1 - The choice of the certifying body is free.

2 - The selection of a specific agency shall not be a condition of the offer or completion of any legal transaction.

Article 11
Body responsible for accreditation

The accreditation of certifying bodies for the purposes of this statute shall be the responsibility of the accreditation authority.

Article 12
Accreditation of the certifying body

1 - Accreditation shall be granted, on presentation of an application to the accreditation authority, to certifying bodies of qualified electronic signatures which satisfy the following requirements:

a) They have sufficient capital and financial resources;

b) They provide guarantees of absolute integrity and independence in the exercise of the activity of certification and qualified electronic signatures;

c) They have at their disposal technical and human resources which comply with the security and efficacy standards foreseen in the regulations referred to in Article 39;

d) They have a valid contract of insurance which provides adequate civil liability cover for the certification activity.

2 - The accreditation is valid for a period of three years, and may be renewed for periods of equal length.

Article 13
Application for accreditation

1 - The certifying body's application for accreditation shall be supported by the submission of the following documents:

a) The articles of association of legal persons and, in the case of companies, the company contract or, in the case of natural persons, the respective identification and address;

b) In the case of company applicants, a list of all members, stating their holdings and the members of the board of directors and the audit committee, and, in the case of a public limited company, a list of all shareholders with significant direct or indirect holdings therein;

c) Signed declarations from all the legal and natural persons referred to in Article 15(1) that they are not in any of the situations indicating a lack of good standing referred to in paragraph 2 thereof;

d) Evidence of the asset base and financial resources available and, namely, in the case of companies, that the share capital is fully paid up;

e) A description of the internal organization and security plan;

f) Evidence of the technical and human means required in accordance with the implementing decree referred to in Article 12(1)(c), including compliance certificates of the electronic signature products issued by the recognized accredited certification organ under the terms of Article 37;

g) The name of the security auditor;

h) A general plan of the activity foreseen for the first three years;

i) A general description of the activity carried out in the last three years or since incorporation, if less, plus the balance sheets and profit and loss accounts of the corresponding financial years;

j) Proof of the existence of a valid contract of insurance, which provides adequate civil liability cover for the certification activity.

2 - If, on the date of the application, the legal person has not, as yet, been incorporated, the application shall be supported by the submission of the following documents, instead of the documents referred to in sub-paragraph a) of the previous paragraph:

a) The minutes of the meeting at which the decision to incorporate was taken;

b) Draft articles of association or company contract;

c) An undertaking, signed by all the founders, to the effect that the asset base required by law will be fully paid up at the time and as a precondition of the act of incorporation.

3 - The declarations provided for in paragraph 1(c) may be submitted following the submission of the application, under the terms and within the time limit to be fixed by the accreditation authority.

4 - Holdings of 10% or more of the share capital of a public limited company shall be deemed to be significant holdings for the purposes of this statute.

5 - Application for renewal of the accreditation shall be supported by the submission of the following documents:

a) A general plan of the activity foreseen for the next three years;

b) A general description of the activity carried out in the last three years plus the balance sheets and profit and loss accounts of the corresponding financial years;

c) A declaration that all the elements referred to in paragraph 1 of this article and Article 32 (2) and (3) have not changed since they were presented to the accreditation authority.

Article 14
Asset requirements

1 - Private certifying bodies which are legal persons shall have share capital of at least 200,000 Euros or, if not companies, an equivalent asset base.

2 - The asset base and the minimum share capital of companies shall be fully paid up on the date the accreditation is granted, if the legal person has already been incorporated, or shall be fully paid up when the legal person is incorporated, where incorporation occurs subsequently.

3 - Certifying bodies which are natural persons shall have assets which are free of encumbrances with a value equivalent to that provided for in paragraph 1 for as long as they continue to trade.

Article 15
Good standing

1 - Natural persons, and in the case of legal persons, the members of the board of directors and audit committee, employees, agents and representatives of the certifying bodies with access to acts and instruments of certification, company shareholders, and, in the case of public limited companies, shareholders with significant holdings, shall always be of recognised good standing.

2 - The fact that, in addition to other relevant circumstances, the following applies to a person shall be deemed to indicate lack of good standing:

a) Conviction, in Portugal or abroad, of the crime of theft, robbery, fraud, computer and communications fraud, extortion, breach of confidence, infidelity, forgery, misrepresentation, criminal insolvency, negligent insolvency, fraudulent preference, issuing of cheque without provision, misuse of a guarantee or credit card, unlawful appropriation of state or co-operative property, wrongful mismanagement of a unit in the public or co-operative sector, usury, bribery, corruption, unauthorised reception of deposits or other reimbursable funds, unlawful acts or operations in the context of insurance business or pension funds, money laundering, insider trading, stock market manipulation or a crime foreseen in the Commercial Companies Code;

b) He or she has been declared, by a Portuguese or foreign court, to be bankrupt or insolvent or held liable for the bankruptcy or insolvency of an enterprise dominated by him or her or when he or she was a member of its board of directors or audit committee;

c) He or she has had penalties imposed, in Portugal or abroad, for offences against legal provisions or regulations which govern the business of the production, authentication, registration and conservation of documents, i.e. those governing notaries, public registries, court officials, public libraries and the certification of qualified electronic signatures.

3 - Failure to comply with the requirements of good standing provided for in this article shall be grounds for the refusal or revocation of accreditation, in accordance with Article 18(1)(c) and Article 20(1)(f).

Article 16
Compulsory civil liability insurance

The Minister for Finance shall define the characteristics of the civil liability insurance contract referred to in Article 12(1)(d), by ministerial order.

Article 17
Decision

1 - The accreditation authority may request applicants to provide additional information and conduct or order the conducting of such investigations, enquiries and inspections as it deems necessary in order to consider applications.

2 - Notice of the decision regarding the application for accreditation or its renewal shall be given to the interested parties within three months of receipt of the application or, where appropriate, of the date on which any additional information requested is received or on which any measures deemed necessary are concluded. The said period shall not exceed the period of six months from the date of receipt of the application.

3 - The accreditation authority may include additional conditions in the accreditation, provided that they are necessary in order to ensure compliance with the legal provisions and regulations applicable to the exercise of the activity by the certifying body.

4 - The accreditation shall be entered in the register referred to in Article 9(2) and shall be published in the 2nd series of the Official Journal.

5 - The European Commission and the other Member States of the European Union shall be notified of the accreditation decision.

Article 18
Accreditation refusal

1 - Accreditation shall be refused whenever:

a) The application is not supported by all the necessary information and documents;

b) There are errors or falsehoods in the information and documents supporting the application;

c) The accreditation authority considers that any of the requirements listed in Articles 12 et seq. have not been fulfilled.

2 - If insufficient information or documentation is submitted in support of the application, the accreditation authority shall inform the applicant, granting him a reasonable time period in which to remedy the shortcoming, before refusing the accreditation.

Article 19
Accreditation expiry

1 - The accreditation shall expire in the following cases:

a) When the activity of certification does not commence within a period of 12 months from receipt of the notification of the accreditation;

b) When, in the case of a legal person, the legal person is dissolved, notwithstanding the necessary proceedings in the respective winding up;

c) When, in the case of a natural person, he dies or there is a declaration of his legal disability or incapacity;

d) When, upon expiry, the accreditation has not been renewed.

2 - The accreditation expiry shall be entered in the register referred to in Article 9(2) and published in the 2nd series of the Official Journal.

3 - The European Commission and the other Member States of the European Union shall be notified of the accreditation expiry.

Article 20
Revocation of accreditation

1 - The accreditation is revoked, notwithstanding other sanctions applicable in accordance with the law, when any of the following circumstances arises:

a) If the accreditation was obtained by false declarations or other unlawful expedients;

b) If any of the requirements in Article 12 cease to be complied with;

c) If the body ceases to exercise the certification activity or reduces it to an insignificant level, for 12 months or more;

d) In the event of any serious misconduct in the administration, organisation or internal supervision of the body;

e) In the event that unlawful acts which negatively affect or imperil public confidence in the certification are committed in the exercise of the activity of certification or other activity of the body;

f) If any of the circumstances indicative of lack of good standing, referred to in Article 15, arise in relation to any of the persons referred to in Article 15(1);

g) If the compliance certificates issued by the certification organ referred to in Article 13(1)(f) have been revoked.

2 - Revocation of accreditation shall be the responsibility of the accreditation authority, and be contained in a decision stating grounds, of which the body will be notified within eight working days.

3 - The revocation decision shall be entered in the register referred to in Article 9(2) and published in the 2nd series of the Official Journal.

4 - The European Commission and the other Member States of the European Union shall be notified of the revocation decision.

Article 21
Anomalies in management and supervisory bodies

1 - In the event that the requirements in the law or the articles of association regarding the normal working of the boards of directors or audit committees are, for any reason, no longer complied with, the accreditation authority shall stipulate a time limit within which the situation is to be remedied.

2 - In the event that the situation is not remedied within the stipulated time limit, the accreditation shall be revoked in accordance with the previous article.

Article 22
Notice of alterations

The accreditation authority shall be notified, within a period of 30 days, of any alterations to the certifying bodies issuing qualified certificates concerning:

a) Name or company name;

b) Object;

c) Address of registered office, unless the change is within the same municipality or to a neighbouring one;

d) Asset base or assets, where the alteration is significant;

e) Management and supervisory structure;

f) Restriction of the powers of management and supervisory bodies;

g) De-merger, merger and dissolution.

Article 23
Registration of alterations

1 - Registration of the persons referred to in Article 15(1) shall be requested from the accreditation authority within 15 days of their taking up any of the positions referred to therein, at the request of the certifying body or the interested parties, together with evidence that they fulfil the requirements laid down in the said article, failing which the accreditation shall be revoked.

2 - The certifying body or interested parties may request provisional registration, prior to their taking up any of the positions referred to in Article 15(1). Such registrations shall be converted into definitive registrations within 30 days of the appointment to office, failing which they shall expire.

3 - In the case of persons returned to office, this fact shall be noted in the register, at the request of the certifying body or interested parties.

4 - Registration shall be refused in the case of a lack of good standing in accordance with Article 15. The interested parties and the certifying body shall be notified of the refusal and shall take appropriate steps so that those concerned immediately cease to perform their functions, or cease to be in the service of the legal person in the capacity provided for in that article, in accordance, where applicable, with the provisions of Article 21.

5 - Notwithstanding other applicable legal provisions, failure to register shall not, per se, render void the legal acts practised by the person in question, in the exercise of his or her office.

SECTION II

Exercise of the activity

Article 24
Duties of the certifying body issuing qualified certificates

Certifying bodies issuing qualified certificates must:

a) Fulfil the requirements concerning assets established in Article 14;

b) Offer guarantees of absolute integrity and independence in the exercise of the activity of certification;

c) Demonstrate the reliability necessary for the exercise of the activity of certification;

d) Have a valid contract of insurance which provides adequate cover for any civil liability arising out of the activity of certification, under the terms provided for in Article 16;

e) Have at their disposal technical and human resources which comply with the security and efficacy standards in accordance with the implementing statute;

f) Use reliable systems and products which are protected against any modification and which guarantee the technical security of the processes for which they are provided;

g) Adopt suitable measures to prevent forgery or alteration of the data contained in the certificates and, in cases where the certifying body generates signature creation data, guarantee the confidentiality of this during the creation process;

h) Use reliable systems to store the certificates, such that:

i) The certificates may only be consulted by the public in cases where consent has been obtained from their holder;

ii) Only authorized persons may insert data and make alterations to the certificates;

iii) The authenticity of the information may be checked; and

iv) Any alterations of a technical nature which may affect the security requirements are immediately detectable;

i) Carefully check the identity of applicants holding certificates and, where these are representatives of legal persons, their respective powers of representation, and also, where applicable, the specific characteristics referred to in Article 29(1)(i);

j) Retain the elements that prove the true identity of the applicants holding certificates under a pseudonym;

l) Inform the applicants in writing, and in a manner which is thorough and clear, of the procedure for the issue of qualified certificates and the exact terms and conditions of the use of the qualified certificate, including potential restrictions to its use;

m) Comply with the security rules regarding the handling of personal data established in the respective legislation;

n) Neither store nor copy the signature creation data of the holder to whom the certifying body has offered the services of key management;

o) Ensure the operation of a service which:

i) Allows for rapid and secure consultation of the computer records of the certificates issued, revoked, suspended and expired; and

ii) Guarantees the immediate and secure revocation, suspension or expiry of the certificates;

p) Immediately publicise the revocation or suspension of certificates, in the cases provided for in this statute;

q) Ensure that the date and time of the issue, suspension and revocation of the certificates may be determined by means of chronological validation (time-stamping);

r) Retain the certificates issued by them for a period of not less than 20 years.

Article 25
Data protection

1 - Certifying bodies may only collect such personal data as is necessary to the exercise of their activities, obtaining this directly from the persons interested in holding signature creation and verification data and respective certificates, or from third parties from whom the collection of such data has been authorized by them.

2 - Personal data collected by the certifying body may not be used for any purpose other than certification, unless another use is expressly authorized by law or by the person concerned.

3 - The certifying bodies and the accreditation authority shall comply with the legal provisions in force regarding the protection, handling and circulation of personal data and privacy in the telecommunications sector.

4 - The certifying bodies shall notify the judicial authorities, whenever so ordered by them under the terms provided for in law, of data concerning the identity of holders of certificates issued under a pseudonym, in accordance, where applicable, with the provisions of Article 182 of the Code of Criminal Procedure.

Article 26
Civil Liability

1 - The certifying body shall be subject to civil liability for the harm suffered by the holders of certificates and by third parties as a consequence of their failure to comply with the duties arising out of this statute and its regulations, unless it can be proved that they did not act in a wilful or negligent manner.

2 - Contractual provisions which seek to exclude or restrict the liability provided for in paragraph 1 shall be void.

Article 27
Cessation of activity

1 - If a certifying body issuing qualified certificates intends to voluntarily cease its activity, it shall notify the accreditation authority, and the persons to whom it has issued certificates which remain in force, of this intention with at least three months' prior notice, indicating either the certifying body to which it will transfer its documentation or that the certificates will be revoked within that period; in the latter case, if it is accredited, it shall deposit its documentation with the accreditation authority.

2 - Certifying bodies issuing qualified certificates which are at risk of declaring bankruptcy, of entering a business recovery procedure, or of ceasing their activity for any other reason beyond their control shall immediately notify the accreditation authority of this.

3 - In the case provided for in the previous paragraph, if the certifying body ceases its activity, the accreditation authority shall procure the transfer of its documentation to another certifying body or, if such a transfer proves impossible, the revocation of the certificates issued and the retention of the elements of such certificates for the same period as the certifying body was required to do so.

4 - The cessation of the activity of the certifying body issuing qualified certificates shall be entered in the register referred to in Article 9(2) and shall be published in the 2nd series of the Official Journal.

5 - The European Commission and the other Member States of the European Union shall be notified of the cessation of the activity of the certifying body.

SECTION III

Certificates

Article 28
Issue of qualified certificates

1 - At the request of an interested natural or legal person and in favour thereof, certifying bodies shall issue signature creation and verification data or, if so requested, shall make available the technical means necessary for the creation thereof, having first checked, using a legally reliable and secure means, the identity and powers of representation, if any, of the applicant.

2 - The certifying body shall issue, at the request of the holder, one or more duplicates of the certificate and complementary certificate.

3 - The certifying body shall adopt suitable measures to prevent the forgery or alteration of the data contained in the certificates and to ensure compliance with the applicable legal provisions and regulations, through the use of duly qualified staff.

4 - The certifying body shall supply certificate holders with the information necessary for the correct and secure use of the signatures, namely regarding:

a) The obligations of the certificate holder and the certifying body;

b) The procedure for affixing and verifying the signature;

c) The advisability of placing a further signature on documents which already bear a signature when technical circumstances so justify;

d) The evidential effect of documents bearing an electronic signature.

5 - The certifying body shall create and maintain a permanently updated computer record of the certificates issued, suspended or revoked, which shall be accessible to any person wishing to consult it, including consultation by means of telecommunications. The said record shall be protected against unauthorized alterations.

Article 29
Content of qualified certificates

1 - Qualified certificates shall contain at least the following information:

a) Name or company name of the holder of the signature and other elements necessary for the unequivocal identification and, where there are powers of representation, the name of the authorized representative or representatives, or a pseudonym of the holder, clearly identified as such;

b) Name and advanced electronic signature of the certifying body, as well as the indication of the country in which it is established;

c) Signature verification data corresponding to the signature creation data held by the holder;

d) Certificate serial number;

e) Certificate commencement and expiry dates;

f) Algorithm identifiers used to verify the signatures of the holder and the certifying body;

g) Indication as to whether the use of the certificate is restricted to certain types of use, as well as potential limits to the value of the transactions for which the certificate is valid;

h) Contractual exclusions of the certifying body’s liability, notwithstanding the provisions of Article 26(2);

i) Potential reference to a specific quality of the signature holder, depending on the use for which the certificate is intended;

j) Indication that the certificate is issued as a qualified certificate;

l) An indication whenever the private key of the holder is stored on a secure signature creation device.

2 - Information may be included in the signature certificate or in a complementary certificate, at the holder's request, regarding powers of representation granted to the holder by a third party, his or her professional status or other attributes, upon production of the respective proof or with the inclusion of a note to the effect that the said information has not been confirmed.

Article 30
Suspension and revocation of qualified certificates

1 - The certifying body shall suspend the certificate:

a) At the request of the holder, duly identified for the purpose;

b) Where there are reasonable grounds to believe that the certificate was issued based on false or misleading information, that the information contained in it no longer reflects reality or that the confidentiality of the signature creation data is not guaranteed.

2 - Suspension on the grounds provided for in sub-paragraph b) of the previous paragraph shall always be explained and notified to the holder promptly, and shall immediately be included in the certificate register. The suspension may be lifted when the said grounds no longer apply.

3 - The certifying body shall revoke the certificate:

a) At the request of the holder, duly identified for the purpose;

b) When, following suspension of the certificate, it is confirmed that the certificate was issued based on false or misleading information, that the information contained in it no longer reflects reality or that the confidentiality of the signature creation data is not guaranteed;

c) When the certifying body ceases its activities without transferring its documentation to another certifying body;

d) When the accreditation authority orders revocation of the certificate on legally justified grounds;

e) When there is notice of the death, legal disability or incapacity of a natural person or of the dissolution of a legal person.

4 - The grounds for the decision to revoke based on the provisions of sub-paragraphs b), c) and d) of paragraph 3 shall always be stated and notified to the holder, and shall immediately be registered.

5 - Suspension and revocation of the certificate may be raised against third parties from the date of the inclusion in the respective register, unless it is proved that the third party already had notice thereof.

6 - The certifying body shall retain the information regarding the certificates for a period of not less than 20 years from the suspension or revocation of each certificate and shall make it available to any interested party.

7 - Revocation or suspension of the certificate shall state the date and time from which it produces effects. This date and time shall not precede the date and time when the information is made public.

8 - As from the suspension or revocation of a certificate or upon expiry of its validity period, the issue of a certificate concerning the same signature creation data by the same or another certifying body is prohibited.

Article 31
Duties of the holder

1 - Certificate holders shall adopt all the necessary organizational and technical measures to avoid harm to third parties and to protect the confidentiality of the transmitted information.

2 - In cases of doubt as to the loss of confidentiality of signature creation data, the certificate holder shall request suspension of the certificate, and upon confirmation of the loss of confidentiality, its revocation.

3 - As from the suspension or revocation of a certificate or upon expiry of its validity period, the use by the certificate holder of the respective signature creation data to generate an electronic signature is prohibited.

4 - Whenever there are proper grounds to revoke or suspend a certificate, the certificate holder shall make the corresponding suspension or revocation application to the certifying body, with the necessary speed and diligence.
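The suspension and revocation rules of Articles 30 and 31, together with the certificate record of Article 24(o), amount to a small state machine: suspension is reversible, revocation is terminal and outranks expiry, an entry may not take effect before it is made public (Article 30(7)), and signature creation data whose certificate has been suspended, revoked or has expired may not be certified again (Article 30(8)). The model below is an added example and not text or code from the Decree-Law; the class and method names, the `public_key_id` field standing in for the signature verification data, and the timestamps in `walkthrough()` are assumptions made for illustration.

```python
"""Certificate status register modelled on Articles 24(o), 30 and 31. Added example, not
part of the Decree-Law: names, public_key_id (a stand-in for the signature verification
data of Art. 29(1)(c)) and all timestamps are assumptions made for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional


class Status(Enum):
    VALID = "valid"
    SUSPENDED = "suspended"
    REVOKED = "revoked"
    EXPIRED = "expired"


@dataclass(frozen=True)
class Certificate:            # only the Art. 29(1) elements this model needs
    serial: int
    public_key_id: str
    not_after: datetime


@dataclass(frozen=True)
class StatusEvent:
    status: Status            # SUSPENDED, VALID (suspension lifted) or REVOKED
    published_at: datetime    # moment the entry became public in the register
    effective_from: datetime  # Art. 30(7): never earlier than published_at
    grounds: str              # Art. 30(2) and (4): grounds are always recorded


class CertificateRegister:
    """Record of certificates issued, suspended, revoked and expired (Art. 24(o))."""
    # Permitted transitions: suspension is reversible (Art. 30(2)), revocation is terminal.
    _PRECEDING = {Status.SUSPENDED: {Status.VALID}, Status.VALID: {Status.SUSPENDED},
                  Status.REVOKED: {Status.VALID, Status.SUSPENDED}}

    def __init__(self) -> None:
        self._certs: Dict[int, Certificate] = {}
        self._events: Dict[int, List[StatusEvent]] = {}

    def issue(self, cert: Certificate, now: datetime) -> None:
        # Art. 30(8): no new certificate for signature creation data whose earlier
        # certificate has been suspended, revoked or has expired.
        for other in self._certs.values():
            if (other.public_key_id == cert.public_key_id
                    and self.status(other.serial, now) is not Status.VALID):
                raise ValueError(f"key {cert.public_key_id!r} retired by certificate {other.serial}")
        self._certs[cert.serial] = cert
        self._events[cert.serial] = []

    def status(self, serial: int, at: datetime) -> Status:
        in_force = sorted((ev for ev in self._events[serial] if ev.effective_from <= at),
                          key=lambda ev: ev.effective_from)
        if any(ev.status is Status.REVOKED for ev in in_force):
            return Status.REVOKED  # revocation is terminal and outranks expiry
        if at > self._certs[serial].not_after:
            return Status.EXPIRED
        return in_force[-1].status if in_force else Status.VALID

    def transition(self, serial: int, new: Status, now: datetime, grounds: str,
                   effective_from: Optional[datetime] = None) -> None:
        if self.status(serial, now) not in self._PRECEDING[new]:
            raise ValueError(f"certificate {serial} cannot move to {new.value}")
        effective_from = now if effective_from is None else effective_from
        if effective_from < now:  # Art. 30(7): not before the information is made public
            raise ValueError("effective date/time may not precede publication")
        self._events[serial].append(StatusEvent(new, now, effective_from, grounds))


def _raises(action) -> bool:
    try:
        action()
    except ValueError:
        return True
    return False


def walkthrough() -> Dict[str, object]:
    """Constructed scenario: suspension on doubt (Art. 31(2)), revocation once confirmed."""
    t0 = datetime(2009, 4, 9, 9, 0, tzinfo=timezone.utc)  # constructed timestamps
    h = timedelta(hours=1)
    reg = CertificateRegister()
    reg.issue(Certificate(1, "key-A", not_after=t0 + 24 * h), now=t0)
    reg.issue(Certificate(2, "key-B", not_after=t0 + 24 * h), now=t0)
    reg.issue(Certificate(3, "key-C", not_after=t0 + 2 * h), now=t0)  # expires early
    reg.transition(1, Status.SUSPENDED, t0 + 1 * h, "holder doubts key confidentiality, Art. 31(2)")
    reg.transition(2, Status.SUSPENDED, t0 + 1 * h, "holder request, Art. 30(1)(a)")
    reg.transition(2, Status.VALID, t0 + 2 * h, "grounds no longer apply, Art. 30(2)")
    reg.transition(1, Status.REVOKED, t0 + 3 * h, "loss of confidentiality confirmed, Art. 30(3)(b)")
    return {
        "before_suspension": reg.status(1, t0 + 0.5 * h).value,
        "while_suspended": reg.status(1, t0 + 2 * h).value,
        "after_revocation": reg.status(1, t0 + 4 * h).value,
        "revoked_outranks_expiry": reg.status(1, t0 + 48 * h).value,
        "suspension_lifted": reg.status(2, t0 + 2.5 * h).value,
        "backdating_refused": _raises(lambda: reg.transition(  # Art. 30(7)
            2, Status.REVOKED, t0 + 3 * h, "backdated", effective_from=t0 + 2 * h)),
        "reissue_for_revoked_key_refused": _raises(lambda: reg.issue(  # Art. 30(8)
            Certificate(4, "key-A", not_after=t0 + 28 * h), now=t0 + 4 * h)),
        "reissue_for_expired_key_refused": _raises(lambda: reg.issue(
            Certificate(5, "key-C", not_after=t0 + 28 * h), now=t0 + 4 * h)),
    }
```

`status()` answers "what was the certificate's state at time `at`" from the recorded events rather than from a mutable flag, which is what a relying party needs when verifying a signature made in the past; because every entry's `effective_from` is at least its `published_at`, a status returned for `at` is always one that was public at `at`, which is the point of Article 30(5) and (7).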

CHAPTER IV

Supervision and sanctions regime


Article 32
Duties of certifying bodies to inform

1 - Certifying bodies shall promptly provide the accreditation authority with all the information requested by it for the purposes of the supervision of their activity and shall permit it to inspect their premises and to examine documents, objects, hardware and software equipment and operational procedures on-site, in the course of which the accreditation authority may make any copies or records it deems necessary.

2 - Accredited certifying bodies shall always inform the accreditation authority, as quickly as possible, of all relevant alterations that supervene on the requirements and elements referred to in Articles 13 and 15.

3 - By the last working day of each half-year, accredited certifying bodies shall send the accreditation authority an up-to-date version of the lists referred to in Article 13(1)(b).

Article 33
Security auditor

1 - Certifying bodies issuing qualified certificates shall be audited by a security auditor who complies with the requirements set out in the regulations referred to in Article 39.

2 - The security auditor shall produce an annual security report which shall be submitted to the accreditation authority by 31 March of each calendar year.

Article 34
Official auditors and external auditors

The official auditors in the service of the certifying bodies and the external auditors who, by force of law, provide the said bodies with auditing services shall inform the accreditation authority of serious breaches of the legal provisions or regulations relevant to supervision which they detect in the course of the exercise of their functions.

Article 35
Appeals

In appeals against decisions taken by the accreditation authority in the exercise of its powers of accreditation and supervision, it shall be presumed, until the contrary is proven, that the suspension of the effect of the decision appealed against will seriously harm the public interest.

Article 36
Collaboration with the authorities

The accreditation authority may request the police and judicial authorities and public services to provide it with all such collaboration or aid as it deems necessary for the accreditation and supervision of the activity of certification.

Article 36-A
Administrative offences

1 - The following constitute administrative offences:

a) The issue by certifying bodies of qualified certificates without prior registration with the accreditation authority;

b) Violation by the certifying body of the duties provided for in sub-paragraphs d), f), g), h), i), j), n), q) and r) of Article 24;

c) Failure by the certifying body to supply users with the information provided for in Article 24 l) and Article 28(4);

d) The supply of false information regarding the evidential effect of the certificates;

e) Violation by the certifying body of any of the duties provided for in Article 25;

f) Violation by the certifying body of the duties to inform provided for in Article 27(1) and (2);

g) Violation of the duties provided for in Article 28(3);

h) Failure to organize and maintain the record referred to in Article 28(5), and the respective updating;

i) The lack of one or more of the elements of information provided for in Article 29(1);

j) The failure by a certifying body to suspend a certificate whenever any of the situations provided for in Article 30(1) is confirmed;

l) The failure by a certifying body to revoke a certificate whenever any of the situations provided for in Article 30(3) is confirmed;

m) Violation of the duty of retention of information provided for in Article 30(6);

n) Making the sale or provision of a given good or service, including by way of an exclusive tied sale, conditional on the choice of a particular certifying body;

o) The provision of false or incomplete declarations or information within the scope of the accreditation procedure provided for in Article 12 et seq.;

p) Violation of the duties provided for in Article 30(7) and (8);

q) Violation of the duties to inform provided for in Article 32(1).

2 - The following also constitute administrative offences:

a) Failure to comply with the time limits provided for in Article 13(3);

b) Failure by the certifying bodies to inform, within the time limit, of the amendments provided for in Article 22;

c) Violation by the certifying body of the duties provided for in Article 24(o) and (p);

d) Failure to inform the respective holder of the decision to suspend or revoke the qualified certificates provided for, respectively, in Article 30(2) and Article 30(4);

e) Violation of the duties to inform provided for in Article 32(2) and (3);

f) Failure to comply with the provisions of Article 33;

g) Violation of the duty to inform provided for in Article 34.

Article 36-B
Sanctions

1 - The administrative offences provided for in paragraph 1 of the previous article are punishable by fines of between 1,500 and 3,740.98 Euros, in the case of natural persons, and between 15,000 and 44,891.81 Euros, in the case of legal persons.

2 - The administrative offences provided for in paragraph 2 of the previous article are punishable by fines of between 500 and 2,500 Euros, in the case of natural persons, and between 6,000 and 30,000 Euros, in the case of legal persons.

3 - Negligence is punishable, with the minimum and maximum limits of the applicable fines reduced by half.

4 - Together with the fines provided for in the previous paragraphs and notwithstanding other sanctions provided for in this Decree-Law, depending on the severity of the infraction or the fault of the agent, an additional sanction may be applied prohibiting the exercise of the activity of the certifying body issuing qualified certificates up to a maximum period of two years.

5 - Whenever any of the administrative offences referred to in paragraph 1 of the previous article is committed, this fact shall be published on the Internet site of the accreditation authority and in the register referred to in Article 9(2).

Article 36-C
Administrative offence proceedings

1 - The accreditation authority is responsible for initiating administrative offence and additional sanction proceedings, and its Director-General is responsible for the application of fines.

2 - Of the proceeds from the fines applied, 60% shall accrue to the State and 40% to the accreditation authority.

3 - For all situations not provided for in this chapter, the general regime for administrative offences is additionally applicable.

CHAPTER V

Final provisions


Article 37
Certification organs

The compliance of electronic signature products with the technical requirements referred to in Article 12(1)(c) is verified and certified by:

a) A certification organ accredited within the scope of the Portuguese Quality System;

b) A certification organ accredited within the scope of the EA (European Co-Operation for Accreditation), with the respective acknowledgement being established by the competent body in the Portuguese Quality System for accreditation;

c) A certification organ designated by other Member States and notified to the European Commission in accordance with Article 11(1)(b) of Directive no. 1999/93/EC, of the European Parliament and the Council, of 13 December.

Article 38
Certificates from other States

1 - Qualified electronic signatures certified by a certifying body accredited in another Member State of the European Union are the equivalent of qualified electronic signatures certified by a certifying body accredited in accordance with this Decree-Law.

2 - Qualified certificates issued by a certifying body subject to the supervisory system of another Member State of the European Union are the equivalent of qualified certificates issued by a certifying body established in Portugal.

3 - Qualified certificates issued by certifying bodies established in other States are the equivalent of qualified certificates issued by a certifying body established in Portugal provided that one of the following circumstances is confirmed:

a) The certifying body fulfils the requirements established by Directive no. 1999/93/EC, of the European Parliament and the Council, of 13 December, and has been accredited in a Member State of the European Union;

b) The certificate is guaranteed by a certifying body established in the European Union which complies with the requirements established in the Directive referred to in the previous sub-paragraph;

c) The certificate or the certifying body is recognized based on an international agreement which is binding on the Portuguese State.

4 - The accreditation authority shall publicise, whenever possible and by the advertising means it deems appropriate, the information that it has at its disposal regarding certifying bodies accredited in foreign States, and make this information available, on request, to interested parties.

5 - The obligation to register referred to in Article 9(2) also applies to the bodies referred to in paragraphs 1, 2 and 3 which carry on their activity in Portugal, so as to guarantee the indication that they are fully equivalent to certifying bodies in accordance with this Decree-Law.

6 - The obligation to register referred to in the previous paragraph extends to national bodies which provide electronic certification services using qualified certificates issued by the bodies referred to in paragraphs 1, 2 and 3.

Article 39
Implementation rules

1 - The implementation of this statute, namely regarding technical and security rules, shall be introduced in an implementing decree, to be adopted within a period of 150 days.

2 - The services and organs of the Public Administration may issue implementation rules regarding the requirements to be complied with by the documents which they receive electronically.

Article 40
Appointment of the accreditation authority

The accreditation authority responsible for the registration, accreditation and supervision of the certifying bodies issuing qualified certificates is the National Security Authority.

Article 40-A
Accreditation of public certifying bodies

1 - The provisions set out in Chapters III and IV apply to the activity of public certifying bodies only insofar as they are suited to the nature and powers of such bodies.

2 - The accreditation authority is responsible for establishing the criteria for applying the provisions of the previous paragraph, for the purposes of the issue of accreditation certificates to public certifying bodies to which such attribution is legally assigned.

3 - The accreditation certificates may be issued provisionally for annual periods, renewable up to a maximum of three years, whenever the accreditation authority considers it necessary to determine procedures for better compliance with the applicable technical requirements.

Article 41
Entry into force

This statute enters into force on the day following its publication.

ANNEX II

(referred to in Article 5(2))


Republication of Decree-Law no. 116-A/2006, of 16 June


CHAPTER I

General provisions

Article 1
Subject and scope

1 - The State Electronic Certification System – Public Keys Infrastructure, hereinafter referred to in its abbreviated form as SECS, is hereby created, aimed at introducing a structure of electronic trust, so that certifying bodies subject to it provide services which ensure:

a) The conducting of secure electronic transactions;

b) Strong authentication;

c) Electronic signatures in transactions or information and electronic documents, ensuring their authorship, integrity, acceptance and confidentiality.

2 - Only State certifying bodies recognized within the scope of the SECS may provide electronic certification services to State public bodies and to services and organs of the Public Administration or other bodies which exercise certification functions in compliance with its public aims.

3 - The SECS may recognize beyond its scope, for the purposes of affiliation with the State’s core certification body, other public or private certifying bodies which exercise functions of a certifying body in accordance with the provisions of Decree-Law no. 290-D/99, of 2 August, and which comply with the requirements provided for in this Decree-Law.

4 - The public and private certifying bodies referred to in the previous paragraph are not part of the SECS.

Article 2
Structure and functioning of the SECS

1 - The SECS comprises:

a) The Management Council of the State Electronic Certification System;

b) The State Electronic Certification Body;

c) The State certifying bodies.

2 - The functioning of the SECS is governed by the rules established in this Decree-Law.

CHAPTER II

SECS Management Council


Article 3
Composition and functioning

1 - The SECS Management Council is the organ responsible for the overall management and administration of the SECS.

2 - The SECS Management Council is presided over by the Minister for the Presidency, with the possibility of delegation, and is composed of representatives from each of the following bodies, appointed by the competent members of the Government:

a) Agência para a Sociedade do Conhecimento, I.P. (UMIC) - Agency for Knowledge Society, Public Institute;

b) Centro de Gestão da Rede Informática do Governo (CEGER) - Government Network Management Centre;

c) Fundação para a Computação Científica Nacional (FCCN) - National Scientific Computing Foundation;

d) Gabinete Nacional de Segurança (GNS) - National Security Office;

e) ICP - Autoridade Nacional de Comunicações (ICP-ANACOM) - National Communications Authority;

f) Instituto de Informática (II) - Computer Institute;

g) Instituto de Telecomunicações (IT) - Telecommunications Institute;

h) Instituto das Tecnologias da Informação na Justiça (ITIJ) - Institute for Justice Information Technologies;

i) Rede Nacional de Segurança Interna - National Internal Security Network;

j) Agência para a Modernização Administrativa, I. P. - Administrative Modernization Agency, Public Institute;

l) One representative of each public certifying body included within the SECS which is not represented by any of the bodies referred to in the previous sub-paragraphs.

3 - Unless expressly indicated to the contrary in the appointment act, the member of the Government, in accordance with the previous paragraph, may delegate the presidency to any other member of the SECS Management Council.

4 - The SECS Management Council may request the collaboration of other public bodies as well as of private bodies or individuals to assess issues of a specialised technical nature, within the scope of the powers assigned to it by this Decree-Law.

5 - The ordinary meetings of the SECS Management Council shall take place twice a year, extraordinary meetings being held where convened by the president.

6 - The technical, administrative and logistic support to the SECS Management Council, as well as the costs of maintaining its operation, shall be borne by the body which is assigned the function of operating the State’s core certification body.

7 - Members of the SECS Management Council shall not earn any remuneration supplement on account of functions performed in that capacity, notwithstanding daily allowances which they may be entitled to, under the general terms of the law.

Article 4
Powers

1 - The SECS Management Council is responsible for:

a) Defining, in accordance with the law and taking into account internationally recognized rules or specifications, the certification policy and certification practices to be observed by the certifying bodies that are part of the SECS;

b) Ensuring that the certification practice declarations from the various State certifying bodies, as well as from the State's core certification body, comply with the SECS certification policy;

c) Proposing the criteria for the approval of certifying bodies that wish to be part of the SECS;

d) Assessing the compliance of the procedures followed by the State certifying bodies with the approved policies and practices, notwithstanding the powers legally assigned to the accreditation authority;

e) Pronouncing on the exclusion from the SECS of certifying bodies in the case of failure to comply with the approved policies and practices, notifying the accreditation authority of such fact;

f) Pronouncing on the best international practice in the exercise of the activities of electronic certification and proposing its application;

g) Representing the SECS institutionally.

2 - The SECS Management Council is also responsible for promoting the activities necessary for the conclusion of agreements on interoperability, based on cross-certification, with other national or international public keys infrastructures, of a private or public nature, namely:

a) Giving guidance to the State's core certification body on the granting and revocation of certificates issued on the basis of cross-certification;

b) Defining the terms and conditions for the start, suspension or conclusion of interoperability procedures with other public keys infrastructures.

CHAPTER III

State Electronic Certification Body


Article 5
Definition and powers

1 - The State Electronic Certification Body, as the State’s core certifying body, is the top certifying service in the SECS certification chain, implementing certificate policies and guidelines approved by the SECS Management Council.

2 - The State Electronic Certification Body is responsible for accepting the inclusion of certifying bodies that comply with the requirements established in this Decree-Law, as well as providing certification services to the certifying bodies at the level immediately below it in the certification chain, in compliance with the rules applicable to certifying bodies established in Portugal in the issue of qualified digital certificates.

3 - For the purposes provided for in the previous paragraph, the State Electronic Certification Body is responsible for obtaining the accreditation certificate referred to in Article 8(2).

4 - The State Electronic Certification Body provides the following digital certification services exclusively:

a) Procedure of registration of certifying bodies;

b) Generation of certificates, including qualified certificates, and management of their life cycle;

c) Disclosure of certificates, and the policies and practices of certification;

d) Management of revocation of certificates;

e) Provision of information on the state and situation of the revocations referred to in the previous sub-paragraph.

5 - The State Electronic Certification Body is also responsible for:

a) As a certifying body, ensuring compliance with and the implementation of all the rules and procedures established in the SECS certification policies document and certification practices declaration;

b) Implementing the policies and practices of the SECS Management Council;

c) Managing all of the infrastructure and resources which comprise and ensure the functioning of the State’s core certifying body, namely the staff, equipment and premises;

d) Managing all the activities related with the life cycle of the certificates issued by it to the certifying bodies directly below it;

e) Ensuring that only duly authorized and accredited staff may gain access to its main and alternative premises;

f) Managing the recruitment of technically qualified staff to carry out the tasks of management and operation of the State’s core certifying body;

g) Immediately notifying the SECS Management Council of any incident, namely anomalies or breaches of security.

6 - The State Electronic Certification Body issues certificates exclusively to the certifying bodies which are subject to it, and may not issue certificates to the general public.

7 - State certifying bodies, and the public or private certifying bodies referred to in Article 1(3) which comply with the requirements provided for in Article 7(1), may become affiliated to the State Electronic Certification Body.

Article 6
Management and Staff

1 - The State Electronic Certification Body is managed, ex officio, by the director of the Centro de Gestão da Rede Informática do Governo (CEGER) – Government Network Management Centre.

2 - Without prejudice to the performance of the functions of their original position, technical staff from the CEGER in the following categories shall perform functions within the State Electronic Certification Body:

a) A systems consultant, responsible for articulation between the State Electronic Certification Body and the SECS Management Council and between the former and the State certifying bodies;

b) A systems administrator, authorized to install, configure and maintain the system, having controlled access to security-related configurations;

c) A systems operator, responsible for operating the systems on a daily basis, authorized to make backup copies and to restore information;

d) A security administrator, responsible for the management and implementation of the security rules and practices;

e) A registration administrator, responsible for approving the issue, suspension and revocation of certificates;

f) A systems auditor, authorized to monitor the system activity logs.

3 - In accordance with the legislation in force, the functions of systems administrator, security administrator and systems auditor shall be performed by different persons.

4 - For the purposes of the provisions of paragraph 2, the CEGER staff positions referred to may be changed by a joint ministerial order from the members of the Government responsible for the areas of Finance and Public Administration and for the CEGER.

CHAPTER IV

State certifying bodies


Article 7
Requirements

1 - State certifying bodies are bodies which exercise the functions of a certifying body in accordance with the provisions of Decree-Law no. 290-D/99, of 2 August, and the respective regulations, and which:

a) Are accepted as certifying bodies, in accordance with Article 5(2);

b) Act in compliance with the certification practices declarations and with the certification policy and practices approved by the SECS Management Council;

c) Allow all the electronic certification services they make available to be directly supervised by the accreditation authority.

2 - (Revoked.)

3 - (Revoked.)

4 - Certifying bodies may not issue certificates of a level other than that directly below theirs, unless there is an agreement for lateral or cross-certification promoted and approved by the SECS Management Council.

5 - The registration services may be assigned to natural or legal persons, appointed as registration bodies, with which the certifying bodies agree the provision of services of identification and registration of certificate users, and also the management of requests for certificate revocation, in accordance with the provisions of Article 4(1) of Implementing Decree no. 25/2004, of 15 July.

CHAPTER V

National accreditation authority


Article 8
Accreditation authority

1 - The accreditation authority responsible for the registration, accreditation and supervision of the certifying bodies included within the SECS is the National Security Authority.

2 - Within the scope of the application of Article 1, the National Security Authority is responsible for issuing the accreditation certificate of the certifying bodies and exercising the powers of accreditation provided for in Decree-Law no. 290-D/99, of 2 August.

3 - The National Security Authority is assisted in the performance of its powers by the accreditation technical board.

Article 9
Accreditation technical board

1 - The accreditation technical board is a consultative body of the accreditation authority, responsible for providing opinions on all issues submitted to it by the accreditation authority.

2 - The accreditation technical board may also issue opinions or recommendations to the accreditation authority on its own initiative.

Article 10
Composition

The accreditation technical board is composed of:

a) The National Security Authority, which presides;

b) Two persons appointed by the Prime Minister;

c) One person appointed by the Minister for Internal Administration;

d) One person appointed by the Minister for Justice;

e) One person appointed by the Minister for Science, Technology and Higher Education;

f) One representative of ICP-ANACOM.

Article 11
Meetings

The ordinary meetings of the accreditation technical board shall take place twice a year, extraordinary meetings being held on the initiative of the president.

Article 12
Logistic support

The Gabinete Nacional de Segurança - National Security Office shall ensure logistic and administrative support to the accreditation technical board, and shall also bear the costs of its operation.

Article 13
Collaboration with other bodies

The accreditation authority may request of other public bodies the collaboration that it deems necessary, within the scope of the powers assigned to it by this Decree-Law.

CHAPTER VI

Final and transitory provisions


Article 14
State Electronic Certification Body premises and equipment

In addition to that which is provided for in this Decree-Law, any other implementation aspects related to the premises and equipment of the State Electronic Certification Body shall be governed by an order of the member of Government responsible for the CEGER.

Article 15
Transitory provisions

In 2006, the Secretary-General of the Presidency of the Council of Ministers shall transfer to the National Security Office the amounts necessary for compliance with the provisions of Article 12 of this Decree-Law.

Article 16
Amendment to Decree-Law no. 290-D/99, of 2 August

Article 9 of Decree-Law no. 290-D/99, with the wording given to it by Decree-Law no. 62/2003, of 3 April, shall now have the following wording:

«Article 9
[...]

1 - ...

2 - Notwithstanding the provisions of the previous paragraph, certifying bodies issuing qualified certificates shall register with the accreditation authority, under the terms to be fixed by ministerial order from the member of the Government responsible for the accreditation authority.

3 - Accreditation and registration are subject to the payment of fees according to the costs associated with the corresponding administrative, technical, operating and supervisory tasks, under the terms to be set by a joint order of the member of the Government responsible for the accreditation authority and the Minister for Finance, which shall constitute revenue of the accreditation authority.»

Article 17
Addition to Decree-Law no. 290-D/99, of 2 August

Article 40-A, with the following wording, is added to Decree-Law no. 290-D/99, with the wording given to it by Decree-Law no. 62/2003, of 3 April:

«Article 40-A
Accreditation of public certifying bodies

1 - The provisions set out in Chapters III and IV apply to the activity of public certifying bodies only insofar as they are suited to the nature and powers of such bodies.

2 - The accreditation authority is responsible for establishing the criteria for applying the provisions of the previous paragraph, for the purposes of the issue of accreditation certificates to public certifying bodies to which such attribution is legally assigned.

3 - The accreditation certificates may be issued provisionally for annual periods, renewable up to a maximum of three years, whenever the accreditation authority considers it necessary to determine procedures for better compliance with the applicable technical requirements.»

Article 18
Repealing provision

The following are revoked:

a) Decree-Law no. 234/2000, of 25 September;

b) Article 18(i) of Decree-Law no. 146/2000, of 18 July;

c) Article 5(j) of Decree-Law no. 103/2001, of 29 March.

See also:

Directive 1999/93/EC