LAWON ELECTRONIC DOCUMENT, ELECTRONIC IDENTIFICATION AND TRUST SERVICES IN ELECTRONIC BUSINESS("Off. Herald of the RS", Nos. 94/2017 and 52/2021) |
Article 1
This Law shall regulate electronic document, electronic identification and trust services in electronic business.
Meanings of Individual Expressions
Article 2
Individual expressions, within the meaning of this Law, shall have the following meanings:
1) Electronic business shall be the use of data in electronic format, means of electronic communication and electronic data processing in conducting the business of natural and legal persons;
2) Electronic format of data shall be a digital recording of data suitable for electronic processing and transmission by electronic communications means;
3) Electronic transaction shall be a business activity between two or more parties that is carried out electronically;
4) Electronic document shall be a set of data comprised of letters, numbers, symbols, graphic, audio and video materials, in electronic format;
5) A product shall be hardware, software, i.e. hardware with accompanying software, or the relevant components thereof, which are intended for electronic processing, electronic transmission i.e. storage of data;
6) Interoperability shall be the ability of two or more systems or their components to exchange data and enable joint use of data and knowledge;
7) A public government authority shall be a state authority, an authority of the autonomous province, an authority of a local self-government unit, of a company, institution or organization, and individuals entrusted with the tasks within the competence of the Republic of Serbia, i.e. public powers;
8) A natural person in the capacity of a registered entity shall be a natural person registered to conduct an activity in compliance with the law;
9) Authentication shall be the process of identity verification of a legal person, natural person or a natural person in the capacity of a registered entity, including verification of integrity and origin of data which is presumed to be created, i.e. sent by such person;
10) Identification data shall represent a set of data based on which it is be possible to uniquely establish the identity of a legal person, a natural person or a natural person in the capacity of a registered entity;
11) Electronic identification shall be the procedure of using personal identification data in electronic format which uniquely designates a legal person, a natural person or a natural person in the capacity of a registered entity;
12) Means of electronic identification shall be a material i.e. non-material device which contains identification data and which is used to prove identity on the occasion of authentication;
13) Electronic identification scheme shall be a system for issuing electronic identification means to a legal person, natural person or a natural person in the capacity of a registered entity;
14) Electronic identification service shall be a service which enables the use of a certain electronic identification scheme in electronic transactions, where within such service guarantees are provided that identification data from the electronic identification means correspond to the person to which the means was issued;
14a) Node shall represent a connection point that is part of the structure of interoperability of electronic identification and it shall enable cross-border authentication of persons and shall have the function of recognizing and processing, i.e. forwarding data transmission to other nodes by ensuring that the electronic identification infrastructure of one state is connected to the electronic identification infrastructure of another state;
15) Trust service shall be an electronic service facilitating a business activity between two or more parties, where it is based on the service provider's guarantees of authenticity of certain data to the parties, which is as such determined by this Law;
16) Trust service provider shall be a legal person or a natural person in the capacity of a registered entity which provides one or more trust services;
17) Relying party shall be a legal or natural person that relies upon electronic identification service i.e. trust service;
18) Qualified trust service shall be a trust service that meets the requirements laid down by this Law for the qualified trust service;
19) Provider of a qualified trust service shall be a legal person or a natural person in the capacity of a registered entity which provides one or more qualified trust services, in accordance with this Law;
20) Electronic signature shall be a set of data in electronic format which is attached or logically associated with other (signed) data in electronic format in such a manner that an electronic signature verifies the integrity of such data and the identity of the signatory;
21) Electronic seal shall be a set of data in electronic format which is attached or logically associated with other (sealed) data in electronic format in such a manner that an electronic seal verifies the integrity of such data and the identity of the seal creator;
22) Electronic signature i.e. seal creation data shall be unique data used by the signatory i.e. seal creator for creating of the electronic signature i.e. seal and which are logically associated with the relevant data for electronic signature i.e. seal validation;
23) Data for validation of electronic signature i.e. seal shall be data based on which it is checked whether an electronic signature i.e. seal corresponds to data that have been signed i.e. sealed;
24) Certificate for electronic signature i.e. seal shall be an electronic attestation verifying the link between the data for validation of electronic signature i.e. seal and the identity of the signatory i.e. creator of the seal;
25) Signatory shall be a natural person who has created an electronic signature and whose identification data have been stated in the certificate based on which such electronic signature was created, i.e. in the certificate attesting the link between the identity of such signatory and data for electronic signature validation which correspond to data for electronic signature creation used by the signatory on occasion of creating that electronic signature;
26) Creator of a seal shall be a legal person, a natural person in the capacity of a registered entity, a natural person entrusted with the exercise of public authority or a natural person who in the performance of activities in accordance with special regulations has the right to use the seal (e.g. persons licensed to perform tasks or carry out activities), on behalf of whom an electronic seal is created and whose identification data are specified in the certificate based on which such electronic seal has been created, i.e. in the certificate attesting the link between the identity of such creator of a seal and electronic seal validation data corresponding to data for electronic seal creation that have been used according to the authorization of the creator of the seal in creation of such electronic seal;
27) Electronic signature i.e. seal creation device shall be a technical device (software i.e. hardware) that is used to create an electronic signature i.e. seal with the use of data for electronic signature i.e. seal creation;
28) Validation shall be a procedure of verification and confirmation of the validity of an electronic signature i.e. electronic seal;
29) Advanced electronic signature shall be an electronic signature which meets additional requirements for the provision of a higher level of reliability in verification of data integrity and signatory's identity in compliance with this Law;
30) Qualified electronic signature shall be an advanced electronic signature that is created by a qualified electronic signature creation device and which is based on a qualified certificate for electronic signature and which is issued by a provider of a qualified trust service in accordance with this Law;
31) Qualified electronic signature creation device shall be a device that complies with the requirements prescribed by this Law;
32) Qualified certificate for electronic signature shall be a certificate for electronic signature which is issued by a provider of qualified trust service and which complies with the requirements provided by this Law;
33) Advanced electronic seal shall be an electronic seal which complies with additional requirements for the provision of a higher level of reliability of verification of data integrity and identity of a creator of the seal in compliance with this Law;
34) Qualified electronic seal shall be an advanced electronic seal that has been created by means of a qualified electronic seal creation device and which is based on a qualified certificate for electronic seal;
35) Qualified electronic seal creation device shall be a device complying with the requirements prescribed by this Law;
36) Qualified certificate for electronic seal shall be a certificate for electronic seal that is issued by a provider of a qualified trust service and that complies with the requirements provided for by this Law;
36a) Management service of a qualified tool for creating an electronic signature remotely shall be a service for creating a qualified electronic signature remotely through an electronic signature creation tool managed on behalf of the signatory by a provider of a qualified trust service and guaranteed by the same provider that the data for creating of the electronic signature are used under the exclusive control of the signatory, in accordance with this Law;
36b) Management service of a qualified tool for creating an electronic seal remotely shall be a service for creating a qualified electronic seal remotely through an electronic seal creation tool managed on behalf of the creator of the seal by a provider of qualified trust service and guaranteed by the same provider that the data for creating of the electronic seal are used under the exclusive control of the creator of the seal, in accordance with this Law;
37) Certificate for website authentication shall be an attestation by means of which it is possible to perform authentication of a website and by means of which a website is linked to the identity of a natural or legal person to whom the certificate has been issued;
38) Qualified certificate of website authentication shall be a certificate for website authentication which is issued by a provider of qualified trust service and which complies with the requirements provided for by this Law;
39) Electronic time stamp shall be the official time attached to data in electronic format whereby it is confirmed that such data existed at that moment in time;
40) Qualified electronic time stamp shall be an electronic time stamp which complies with the requirements laid down by this Law for a qualified electronic time stamp and shall be issued by a provider of qualified trust service in accordance with this Law;
41) Electronic delivery service shall be a data transfer service by electronic means within which the service provider provides evidence relating to the handling of the transmitted data, including proof of sending and receiving of data, whereby data transmitted shall be protected against the risk of loss, theft, damage, i.e. any other unauthorized alterations;
42) Conversion shall be the translation of a document from one format into another in such a manner as to preserve the document contents;
43) Digitalization shall be the conversion of a document from a format that is not an electronic into an electronic format;
44) Digitalized document shall be a document that has been created by means of digitalization of the original document;
45) Conformity assessment body shall be a body authorized to conduct conformity assessment of a provider of qualified trust service and of a qualified trust service provided by such provider with the requirements for the provision of qualified trust services.
All terms used in this Law in the masculine gender shall include the same terms in the feminine gender.
Article 3
A trust service provider shall provide trust services in compliance with this Law.
The provisions of this Law shall not apply to the trust services provided exclusively within a closed system, i.e. within a limited circle of participants, which may be designated by an agreement, an internal act or a regulation, and which have no impact on any third party, i.e. which are not binding on any third parties outside of such system.
Processing and Protection of Data
Article 4
A provider of trust services i.e. of electronic identification service on the occasion of personal data processing shall act in compliance with the law governing personal data protection.
Within an electronic transaction, parties may use pseudonyms to identify themselves unless where it is stipulated otherwise by a regulation, contract or in some other obliging manner.
Consent to Identification and Authentication
Article 5
A procedure of electronic identification and authentication can be initiated only at a request of a legal or natural person that is the subject of identification, unless where a regulation stipulates otherwise.
Availability and Access for Persons with Disabilities
Article 6
Trust services, electronic identification services and products used for the provision of these services shall be equally accessible to the persons with disabilities as well.
Validity and Admissibility as Evidence of an Electronic Document
Article 7
Validity, admissibility as evidence or the written form of an electronic document cannot be denied only because it is presented in electronic format.
Creation of an Electronic Document
Article 8
An electronic document shall be created by applying one of available and usable information and communications technologies, unless where laid down otherwise by the law.
The electronic document comprising archival material shall be created in a format that complies with the requirements prescribed by this Law for reliable preparation for electronic storing.
Formats of Electronic Document Presentation
Article 9
An electronic document shall consist of internal and external view.
The internal view shall consist of the technical and programming type of recording of the contents of the electronic document.
The external view shall consist of a visual or other intelligible presentation of the contents of the electronic document.
If a document contains an electronic signature or an electronic seal, such fact should be clearly indicated in the external view of the electronic document.
If an electronic document contains an electronic signature or seal of a natural person or of an authorized person of a legal person, any other shape of signature or seal of the same natural person or authorized person of the legal person shall be unnecessary.
Article 10
An electronic document that has originally been created in electronic format shall be deemed as an original.
An electronic document that has the identical digital record as that of the original electronic document shall be deemed as an original.
A hardcopy of an electronic document shall be created by printing the external view of the electronic document.
An electronic document that has been created by means of digitalization of the original document whose format was not electronic shall be considered to be a copy of the original document.
Certification of a Digitalized Act
Article 11
An act that has been digitalized shall be equally admissible as evidence as the original act providing that the following requirements are met cumulatively, namely:
1) That the digitalization of the act has been carried out in one of the following manners, i.e. under the supervision of:
(1) A natural person, i.e. authorized person of a natural person in the capacity of a registered entity or authorized person of the legal person to whom this act belongs, or
(2) A person authorized to conduct certification of signatures, manuscripts and transcripts in compliance with the law governing certification of signatures, manuscripts and transcripts, or
(3) A person authorized by means of a separate law to perform certification of a digitalized act;
2) That the identical nature of the digitalized act and the original has been validated by means of a qualified electronic seal or a qualified electronic signature of the persons referred to in sub-items (1) through (3) of this paragraph or of the person to whom competencies based on which the act was passed were transferred.
The authorized person of the public governmental authority can, in the procedures conducted in exercising their public powers, digitalize the act and certify the digitalized act with the qualified electronic seal of the authority or with its own qualified electronic signature, whereby the identical nature the digitalized act and the original document shall be validated.
The digitalized act that was certified by the authorities referred to in paragraph 2 of this Article shall be equally admissible as evidence as the original in conducting such a procedure.
Certification of a Printed Copy of the Electronic Document
Article 12
A printed copy of an electronic document shall be equally admissible as evidence as the original act, providing that the following requirements are met cumulatively, namely:
1) That printing of the electronic document was carried out under the supervision of:
(1) A natural person, authorized person of a natural person in a capacity of the registered entity, i.e. authorized person of a legal person whose the act is, or
(2) A person authorized to conduct certification of signatures, manuscripts and transcripts in compliance with the law governing certification of signatures, manuscripts and transcripts;
2) That the identical nature of the printed copy of the electronic document and the original has been validated, with a note indicating that it is a printed copy of the electronic document:
(1) By means of handwritten signature of the natural person, or
(2) By means of the handwritten signature of the authorized person of a natural person in capacity of a registered entity, i.e. of authorized person of a legal person, as well as by means of the seal of a natural person acting in the capacity of a registered entity, i.e. seal of a legal person, where there is the statutory obligation for the act to contain a seal, or
(3) By a person authorized to certify signatures, manuscripts and transcripts in compliance with the law governing certification of signatures, manuscripts and transcripts.
The authorized person of a public government authority can, in the procedures conducted in exercising of public powers, print the electronic document on paper and certify the printed copy of the electronic document in the manner referred to in paragraph 1, item 2), sub-item (2) of this Article, provided that the printed copy of the electronic document must include a seal specified by a law that governs a seal of state and other authorities.
A printed copy of the electronic document that has been certified by the authorities referred to in paragraph 2 of this Article shall be equally admissible as evidence as the original thereof in conducting of such proceedings.
Confirmation of Receipt of an Electronic Document
Article 13
The confirmation of receipt of an electronic document shall be the proof of receipt of such a document by the recipient.
The confirmation of receipt of an electronic document shall be issued by the recipient of the electronic document or alternatively by the provider of the electronic delivery service.
The obligation to issue the confirmation of receipt of an electronic document and elements of the contents of the confirmation shall be governed by regulations or by will of the parties, unless determined otherwise by the law.
Duplicating of Electronic Documents
Article 14
Each received electronic document shall be considered to be a separate document, unless where the identical document has been received several times and the recipient knew or must have known that it was an identical document.
Electronic Communication and Electronic Delivery among the Public Governmental Authorities and Parties
Article 15
Electronic communication and electronic delivery among the public governmental authorities and parties shall be performed in accordance with the law governing general administrative procedure, the law regulating electronic governance and other regulations, as well as through the qualified electronic delivery service.
Delivery of Electronic Documents among the Public Governmental Authorities
Article 16
Delivery of electronic documents among the public governmental authorities shall be carried out through electronic mail, the service bus of the authorities, a qualified electronic delivery service or through another electronic channel, in compliance with a regulation.
1. Electronic Identification Schemes
Mandatory Requirements for an Electronic Identification Scheme
Article 17
An electronic identification scheme must:
1) Contain data for identification of persons on issued identification means, which shall uniquely identify the legal or natural person;
2) Ensure that the provider of a service of electronic identification provides identification data within the electronic identification means that match the person to which the means is issued;
3) Clearly define the technical and other requirements that enable the relying party to check the identity;
4) Comply with the requirements for the level reliability to which it has been categorized, as referred to in Article 18 of this Law.
Levels of Reliability of Electronic Identification Schemes
Article 18
The electronic identification schemes shall be categorized according to the level of reliability to:
1) The schemes of basic assurance level, which provide a limited degree of confidence in the identity assumed by the person and use the means and procedures the purpose of which is to reduce the risk of misuse, i.e. false presentation;
2) The schemes of medium assurance level, which provide significant trust in the identity assumed by the person and use the means and procedures the purpose of which is to significantly reduce the risk of misuse, i.e. false presentation;
3) The schemes of high assurance level, which provide high trust in the identity assumed by the person and use the means and procedures the purpose of which is to prevent the misuse, i.e. false presentation.
The Government, at the proposal of the ministry in charge of information society affairs (hereinafter: the Ministry), shall regulate more detailed requirements which must be met by the electronic identification schemes as pertained to certain assurance levels, and in particular:
1) The manner of proving and verifying the identity of the natural, i.e. legal person which requests the issuance of electronic identification means;
2) The method of issuance of electronic identification means;
3) The authentication mechanism, through which a natural, i.e. legal person by using the electronic identification means confirm their identity to the other party in an electronic transaction;
4) The requirements that should be fulfilled by the provider of a service of electronic identification;
4a) Conditions relating to data used in the process of cross-border cooperation involving natural and legal persons when using registered electronic identification schemes, and which, relating to personal data, contain name and surname, date of birth, residential address and gender, all for the purpose of reliable verification of personal identity;
5) The requirements that should be fulfilled by other participants included in the electronic identification means issuance procedure;
6) The technical and security characteristics of means of electronic identification that are being issued;
7) The minimum technical and organizational requirements with a view to ensuring interoperability of the electronic identification schemes in compliance with the domestic and international standards in this field.
Entry into Register of Providers of Electronic Identification Services and Electronic Identification Schemes
Article 19
The Register of Providers of Electronic Identification Services and Electronic Identification Schemes shall be a set of data on the providers of electronic identification services and electronic identification schemes, maintained by the Ministry.
A provider of the electronic identification service shall submit to the Ministry an application and required documentation for entry in the Register of the Providers of Electronic Identification Services and Electronic Identification Schemes.
Concerning personal data, the Register referred to in paragraph 1 of this Article shall contain data on responsible persons, namely: name, surname, function and contact information such as the official address, official telephone number and the official e-mail address for the purpose of availability of data to service users about the provider of electronic identification service.
An integral part of the Register referred to in paragraph 1 of this Article shall also be the electronic identification schemes from the list published by the European Commission, in accordance with Article 9 of the eIDAS Regulation.
The Ministry shall prescribe the contents and method for maintaining the Register referred to in paragraph 1 of this Article, as well as the method of submission of applications for entry into the Register, in compliance with the law governing general administrative procedure, documentation required with the application, application form and method of publication of data from such Register.
Use of Electronic Identification Schemes in Electronic Business and in Communication with a Public Governmental Authority
Article 20
The electronic identification schemes that are entered in the Register referred to in Article 19 of this Law, as well as the electronic identification schemes that are not entered in the Register can be used for establishing of identity in electronic business.
An expression of will cannot be contested solely on the grounds that the electronic identification schemes referred to in paragraph 1 of this Article were used instead of signatures.
The electronic identification scheme that is entered in the Register referred to in Article 19 of this Law (hereinafter: a registered electronic identification scheme) can be used to establish the identity of a party in communication with a public governmental authority.
In communication of a party with the public governmental authorities, an identity of a party established on the basis of a registered electronic identification scheme of a high assurance level shall replace the party's signature on a submission.
A regulation may specify that in the case referred to in paragraph 4 of this Article an electronic identification scheme of the medium or basic assurance level can be used, where the risk of misuse and potential damage from misuse are such that it is not necessary to use a scheme of the high assurance level.
Liability in Electronic Identification
Article 21
An issuer of the electronic identification means shall be liable for the damage incurred where the identification means has not been issued in compliance with the electronic identification scheme which fulfills the requirements referred to in Article 17 of this Law.
For any damage incurred due to the incorrectly conducted authentication procedure, a party conducting such a procedure shall be liable, if the damage was caused intentionally or negligently.
Security Requirements that the Providers of Electronic Identification Services Need to Fulfill
Article 22
Providers of electronic identification services shall take the required technical, physical and organizational measures to manage the risks that compromise a reliable and secure provision of such services.
The technical and organizational measures shall ensure that the security level corresponds to the risk level and to the envisaged assurance level of the electronic identification scheme, by taking into account the latest available technological solutions, and measures for prevention of security incidents and restricting the harmful consequences of the potential incidents shall in particular be taken, as well as for notifying the interested parties of the undesired effects of the security incidents.
2. Cross-Border Cooperation in the Field of Electronic Identification
Interoperability of Technical Systems
Article 23
The Ministry shall cooperate with the competent international bodies concerning the issues of cross-border interoperability of the electronic identification schemes and shall take measures within its competence in order to establish the highest possible interoperability level among the electronic identification schemes on the national level.
Cross-border interoperability of registered electronic identification schemes shall be realized through establishment of a node enabling cross-border authentication of persons, thus ensuring that the electronic identification infrastructure of one country is connected to the electronic identification infrastructure of another country.
The node shall be established and managed by the Government service competent for design, development, construction, maintenance and improvement of the computer network of the republic authorities.
In the process of managing the node, the authority referred to in paragraph 3 of this Article shall:
1) Ensure connection with nodes of other states whose electronic identification schemes are an integral part of the Register referred to in Article 19 of this Law, i.e. that are recognized on the basis of an international treaty;
2) Apply protection measures in order to prevent unauthorized access to data exchanged and ensure the integrity of data transmitted between nodes by using appropriate technical solutions and practices;
3) Ensure that personal data are not stored in the node;
4) Use technical solutions that ensure the integrity and authenticity of data, and are used in cross-border connection of nodes;
5) Ensure that a node meets the prescribed requirements relating to the message format;
6) Enable the delivery of node management metadata in a standard format suitable for automatic data processing, in a secure and reliable manner;
7) Provide automatic processing of parameters related to security;
8) Keep data that would, in the event of an incident, enable the determination of the place and type of incident within the legal time limit.
9) Provide transmission of data that ensure reliable introduction of a natural or legal person, based on the use of a registered electronic identification scheme during cross-border cooperation in accordance with the law.
The requirements referred to in paragraph 4, items 5), 8) and 9) of this Article that relate to a node shall be stipulated in more detail by a regulation of the Government referred to in Article 18, paragraph 2 of this Law.
Article 24
The Ministry can notify the European Commission of the registered electronic identity schemes that meet the requirements from the EU Regulation No. 910/2014 of the European Parliament and the Council (hereinafter: the eIDAS Regulation).
Liability of a Trust Service Provider and Burden of Proof
Article 25
A trust service provider shall be liable for any damage caused due to a failure to act in compliance with this Law where the damage is caused intentionally or negligently.
The burden of proving intention or negligence of a trust service provider shall lie with the natural or legal person claiming the damage referred to in paragraph 1 of this Article.
The burden of proving that the damage was not caused intentionally or negligently by a qualified trust service provider referred to in paragraph 1 of this Article shall lie with such service provider.
The trust service provider shall not be liable for damage caused due to the use of service which exceeds the indicated limitation, where the trust service user has been duly informed in advance of such limitation.
Liability of Trust Service Users for Protection of Tools and Data for Forming Electronic Signature i.e. Seal
Article 26
The trust service user shall protect the tools and data for forming an electronic signature i.e. seal from unauthorized access and use, and to use them in compliance with the provisions of this Law.
Security Requirements to be Fulfilled by Trust Service Providers
Article 27
The trust service providers, including the providers of qualified trust services, shall take the necessary technical and organizational measures to manage the risks that compromise the reliable and secure provision of such trust services.
The technical and organizational measures shall ensure that the level of security is commensurate to the degree of risk, taking into account the latest available technological solutions, and in particular measures shall be taken to prevent security incidents and to limit the adverse consequences of potential incidents, as well as to inform the interested parties of the unwanted effects of security incidents.
Trust service providers, including the providers of qualified trust services shall, without delay, and within 24 hours after having become aware of it at the latest, notify the Ministry of any breach of security or loss of integrity of the service which have a significant impact on the provision of trust services.
Where the breach of security or loss of integrity of a trust service could adversely affect the trust service users, the trust service provider shall, without delay, notify the trust service user of the breach of security or loss of integrity of the service.
The Ministry shall inform the general public or require the trust service provider to do so where it determines that disclosure of information on the breach of security or loss of integrity of the service is in the public interest.
The Ministry shall achieve cooperation with the relevant institutions of other states concerning the exchange of data on the breach of security and integrity, in compliance with the relevant ratified international treaties.
Article 28
The Ministry shall carry out the following tasks:
1) Maintain the register of qualified trust service providers;
2) Analyze the reports on the check of compliance with the requirements for the provision of qualified trust services;
3) Perform inspection supervision of the work of the trust service providers;
4) Order an extraordinary check of compliance with the requirements for the provision of qualified trust services, in accordance with the law;
5) Cooperate with the competent authority for personal data protection and notify it, without delay, if it becomes aware of any failure by the qualified trust service providers to act in compliance with the regulations on personal data protection;
6) Verify the existence and correct application of provisions on the plans for suspending of operations in cases where the qualified trust service provider suspends its activities, including the manner in which the accessibility of information issued and received by the qualified trust service provider is maintained;
7) Cooperate with the supervisory bodies referred to in Article 17 of the eIDAS Regulation;
8) Inform the public of the breach of security or loss of integrity of the trust services which have significant impact on the trust service provided or the personal data contained therein.
Jurisdiction of the Ministry in Cross-Border Cooperation in the Field of Trust Services
Article 29
The Ministry shall additionally carry out the following tasks:
1) Notifying the competent bodies of the foreign states of the breach of security or loss of integrity with significant impact on the trust service provided or on the personal data contained therein;
2) Reporting to the European Commission about its activities in compliance with the eIDAS Regulation, starting from the day of accession of the Republic of Serbia into the membership of the European Union.
2. General Provisions on Qualified Trust Services
Establishing Relation between Provider and User of Qualified Trust Service
Article 30
A contract shall be concluded on the provision of a qualified trust service between the provider and the user of the qualified trust service, at the request of the user.
The qualified trust service provider shall, prior to concluding the contract referred to in paragraph 1 of this Article, inform the person submitting the request for provision of a qualified trust service about all the important circumstances regarding the use of the service and in particular about:
1) The regulations and rules pertaining to the use of a qualified trust service;
2) Any limitations in use of the qualified trust service;
3) Measures that should be implemented by the qualified trust service users and about the technology required for the secure use of the qualified trust service.
A qualified trust service user can use the trust services of one or several trust service providers.
Requirements for Provision of Qualified Trust Services
Article 31
A provider of qualified trust services must:
1) Have employees who possess the necessary expertise, experience and qualifications for application of administrative and management procedures that are corresponding to the domestic and international standards and who have received appropriate training in the field of information security and personal data protection;
2) Be insured against liability for damage incurred through the provision of qualified trust service;
3) Use secure devices and products that are protected from unauthorized modification and that guarantee technical safety and reliability of the processes they support;
4) Use secure systems for storing data entrusted to it so that:
(1) They are publicly available only where the consent of the person to whom the data belongs has been obtained,
(2) Only authorized persons can enter data and make changes,
(3) Authenticity of data can be checked;
5) Implement measures against forgery and theft of data;
6) Store for an appropriate period of time all relevant information that relate to data created or received by the provider of qualified trust services, and in particular for the purpose of providing evidence in legal proceedings. Storing may be done electronically;
7) Maintain updated, accurate and by means of secure measures, protected database of issued electronic certificates where it provides the service of issuing qualified electronic certificates, as well as a base of data created or received by the provider of qualified trust services within the provision of qualified trust services;
8) Have an up-to-date windup plan which ensures continuity of qualified trust services;
9) Ensure processing of personal data in compliance with the laws of the Republic of Serbia.
The provider of a qualified trust service shall pass the acts whereby it shall determine:
1) The general terms of service that shall be publicly available;
2) The service policies and practical rules governing the provision of services used by the provider of qualified trust service in order to ensure provision of service in compliance with the regulations and general terms referred to in item 1) of this paragraph;
3) Information security.
Trust service providers who issue qualified electronic certificates shall submit to the Ministry data on the number of certificates issued from the beginning of service provision until 31 December of the calendar year and data on the number of valid certificates on 31 December of the calendar year.
The updated data referred to in paragraph 3 of this Article shall be submitted regularly, no later than 15 January for the previous year, as well as unscheduled, if necessary, at the request of the Ministry.
The Government shall, at the proposal of the Ministry, regulate in more detail the requirements for the provision of qualified trust service referred to in paragraph 1 of this Article and the contents of acts referred to in paragraph 2 of this Article, including setting the applicable international standards.
Insurance from Professional Liability
Article 32
The Ministry shall prescribe the lowest amount of insurance from the risk of liability for the damage incurred through performing the service of a qualified trust service.
Verification of Identity of Qualified Trust Service Users
Article 33
On the occasion of issuing of a qualified certificate for trust services, the qualified trust service provider shall check data on identity of the natural, i.e. legal person contained in the qualified certificate, in compliance with the law.
Verification of data referred to in paragraph 1 of this Article shall be performed by the qualified trust service provider:
1) In the physical presence of the natural person or the authorized representative of the legal person, or
2) By means of a legal instrument that serves as the means of remote identification, in compliance with the law, or
3) By means of remote identification in accordance with the law.
The verification of data referred to in paragraph 2 of this Article shall be performed in a manner governed by the regulation referred to in Article 31 of this Law, which regulates in more detail the conditions for the provision of qualified trust services.
The natural i.e. legal person shall, without delay, notify the qualified trust service provider of any change of data referred to in paragraph 1 of this Article.
Assessment of Fulfillment of Conditions for Provision of Qualified Trust Services
Article 34
Assessment of fulfillment of conditions for provision of qualified trust services (hereinafter: assessment of fulfillment of conditions) shall be carried out by a conformity assessment body which is, in accordance with the law governing accreditation, accredited for assessment of conformity of qualified trust service providers and the qualified trust services they provide.
Following a conducted assessment of fulfillment of conditions, the conformity assessment body shall draw up a conformity assessment report.
Assessment of fulfillment of conditions shall be carried out prior to the commencement of provision of qualified trust services and at least once in 24 months.
Following a completed assessment of fulfillment of conditions, the trust service provider shall deliver to the Ministry the conformity assessment report, within three working days from the date of receipt thereof.
The Ministry can order an unscheduled assessment of fulfillment of conditions where irregularities have been determined in the provision of qualified trust services or where an incident has occurred that has compromised or breached information security to a significant degree.
The unscheduled assessment of fulfillment of conditions shall be carried out by a conformity assessment body which has not been connected to the performance of previous assessment.
The costs of assessment of fulfillment of conditions, including the unscheduled assessments, shall be borne by the qualified trust service provider.
The Ministry shall lay down a list of standards that each conformity assessment body must fulfill, mandatory contents of the conformity assessment report and procedure of assessment of fulfillment of conditions i.e. conformity assessment of qualified trust services.
Entry in the Register of Qualified Trust Service Providers
Article 35
The Register of Qualified Trust Service Providers shall represent a set of data about the qualified trust service providers and on the qualified trust services maintained by the Ministry.
A qualified trust service provider shall submit an application to the Ministry for the entry into Register of Qualified Trust Service Providers.
A qualified trust service provider must be entered in the register referred to in paragraph 1 of this Article prior to the commencement of qualified trust service provision.
Proof of facts declared in the application shall be submitted attached to the application referred to in paragraph 1 of this Article, including the conformity assessment report referred to in Article 34, paragraph 4 of this Law in which it has been assessed that the applicant and the qualified trust services that he intends to provide comply with the conditions referred to in this Law.
The Ministry shall decide on the entry of a qualified trust service provider in the register referred to in paragraph 1 of this Article within 60 days from the day of submission of a proper application.
In the decision-making procedure referred to in paragraph 4 of this Article, the Ministry can request provision of additional evidence, as well as additional check of technical and security components and of operational work.
Where a service provider ceases to comply with the conditions prescribed by this Law, the Ministry shall pass a decision on its deletion from the register referred to in paragraph 1 of this Article.
Regarding personal data, the Register referred to in paragraph 1 of this Article shall contain data on responsible persons, namely: name, surname, function and contact information such as the official address, official telephone number and the official e-mail address for the purpose of availability of data on the qualified trust service provider with whom the service provision contract is concluded.
The Ministry shall prescribe the contents and method of maintaining of the register referred to in paragraph 1 of this Article, the method of submission of applications for entry in the register referred to in paragraph 1 of this Article in compliance with the regulations governing the general administrative procedure, required documentation that is to be attached to the application, application form and method of assessment of fulfillment of conditions for the provision of qualified trust service.
Termination of Provision of Service of Issuance of Qualified Electronic Certificates
Article 36
An issuer of qualified electronic certificates intending to windup its business activity shall notify each user of the qualified trust service and the Ministry of the intention to terminate the contracts, at least three months prior to the occurrence of the intended cessation of the business activity.
The issuer of qualified electronic certificates winding up its business shall provide with another trust service provider the continuation of provision of services for users of qualified trust service to whom it has issued the certificate, and where this is not possible, such issuer shall revoke all issued certificates and immediately notify the Ministry of the measures taken.
The issuer of qualified electronic certificates shall deliver complete documentation and necessary technical tools related to trust service provision to another issuer to whom it transferred the obligations to carry out one or several trust services.
Where the issuer of qualified electronic certificates fails to act in compliance with paragraph 3 of this Article, it shall deliver complete documentation to the Ministry which shall revoke all certificates, without delay, at the expense of the issuer of the qualified electronic certificates.
In case of a temporary ban on the provision of services, the certificates issued by the date of the occurrence of the cause due to which the ban has been ordered shall remain valid.
Use of Qualified Electronic Certificates and Qualified Electronic Time Stamps in Software Solutions of Public Governmental Authorities
Article 36a
In provision of e-governance services, a public governmental authority shall, in terms of the law governing e-governance, enable in software solutions the use of qualified electronic certificates and qualified electronic time stamps issued by all qualified trust service providers entered in the Register referred to in Article 35 of this Law.
State Authority as a Provider of Qualified Trust Services
Article 37
A state authority can provide qualified trust services if it fulfills the conditions for the provision of services envisaged by this Law.
The assessment whether the state authority has fulfilled the conditions for provision of a trust service shall be performed by the Ministry, i.e. by the inspector in charge of electronic identification and trust services, upon submitted application.
Notwithstanding paragraph 2 of this Article, the assessment of fulfillment of the conditions shall be performed on the basis of an internal control performed in cooperation with the competent ministry, only in the case where the provider of a qualified trust service is the ministry of defense, with the obligation to submit a report about the internal control to the competent ministry.
After assessment of fulfillment of conditions, the Government shall issue a regulation whereby determining that the state authority can perform the qualified trust service that has been the subject of the assessment referred to in paragraph 2 of this Article.
The inscription of the state authority into the register referred to in Article 35 of this Law shall be done by the Ministry, based on the regulation referred to in paragraph 4 of this Article.
Public List of Qualified Trust Services
Article 38
The Public List of Qualified Trust Services shall in an automated manner provide relying parties with reliable information on the status of qualified trust service providers and their qualified services in accordance with the data entered in the register referred to in Article 35 of this Law.
The Public List of Qualified Trust Services shall contain information on the relevant past events related to the status of current and former providers and their services over time, including information on commencement of provision, loss of integrity of trust service, temporary ban, termination of service provision, deletion from the register and other events recorded within the register maintenance operations, inspection supervision or events reported by the provider, and that affect the acceptability of a qualified trust service and the procedure for determining its status at a certain point in time.
The data referred to in paras. 1 and 2 of this Article, as well as other data determined by the regulation of the Ministry referred to in paragraph 6 of this Article and the relevant standards shall be entered into the Public List of Qualified Trust Services.
Providers of qualified trust services shall, upon request of the Ministry, within seven days, submit the data referred to in paragraph 3 of this Article, as well as notify the Ministry of any change in the data referred to in paragraph 3 of this Article without delay.
Data on the certificate supporting the signature of the Public List of Qualified Trust Services, including the sha-256 print, shall be published in the "Official Herald of the Republic of Serbia".
The Ministry shall prescribe the technical conditions, format and manner of publishing of the public list of qualified trust services and the conditions that the ministry in charge of publishing the public list of qualified trust services must provide during its formation, signing and publishing.
The format and manner of publishing of the public list of qualified trust services referred to in paragraph 6 of this Article shall be harmonized with the technical conditions for the trust lists referred to in Article 22 of the eIDAS Regulation.
Trust Mark for Qualified Trust Services
Article 39
The trust mark for qualified trust services (hereinafter: the Trust Mark) shall be a mark for simple, recognizable and clear marking of a qualified trust service.
Registered providers of qualified trust services shall be entitled to use the Trust Mark for the qualified trust services that they provide.
The Trust Mark referred to in paragraph 1 shall be used until the accession of the Republic of Serbia into the membership of the European Union.
The Ministry shall prescribe the appearance, composition, size and design of the Trust Mark for the qualified trust services.
Cross-Border Recognition of Qualified Trust Services
Article 40
Provision of qualified trust service provided by a foreign trust service provider shall be governed by reciprocity in relation to the provision of the same service by the domestic trust service provider in the country where the foreign service provider is from, as regulated by a ratified international treaty.
V INDIVIDUAL TYPES OF TRUST SERVICES
Article 41
The trust services shall be provided in the fields of:
1) Electronic signature and electronic seal;
2) Electronic time stamp;
3) Electronic delivery;
4) Authentication of websites;
5) Electronic storage of documents.
The qualified trust services shall be:
1) Issuing of qualified certificates for electronic signature;
2) The service of managing the qualified tool for remote electronic signature creation;
3) The qualified electronic signature validation service;
4) Issuing of qualified certificates for electronic seal;
5) The service of managing the qualified tool for remote electronic seal creation;
6) The qualified electronic seal validation service;
7) Issuing of qualified electronic time stamps;
8) The qualified electronic delivery service;
9) The service of issuing of qualified website authentication certificates;
10) The service of qualified electronic document storing.
The provider of trust services i.e. qualified trust services can provide one or several services referred to in paragraphs 1 and 2 of this Article.
1. Electronic Signature and Electronic Seal
Advanced Electronic Signature and Advanced Electronic Seal
Article 42
An advanced electronic signature i.e. an advanced electronic seal must:
1) Be linked to the signatory i.e. to the creator of the seal in a manner which is not ambivalent;
2) Enable determining the identity of the signatory i.e. of the creator of the seal;
3) Be created by using data for creation of electronic signature i.e. electronic seal that the signatory i.e. the creator of the seal can, with a high level of reliability, use under his exclusive control;
4) Be linked to the electronically signed i.e. electronically sealed data, in such a manner as to enable detecting of any subsequent modification of such data.
Contents of the Qualified Electronic Certificate
Article 43
A qualified electronic certificate must contain:
1) An indication, in the form suitable for automated processing, that the electronic certificate is used as a qualified certificate for electronic signature i.e. seal;
2) A set of data uniquely identifying the qualified trust service provider for issuing the qualified electronic certificate, including, at least, the provider's country of origin and the name of the provider;
3) A set of data uniquely identifying the signatory i.e. the creator of the seal, including at least:
(1) For the signatory:
- Name and surname or pseudonym, and where the pseudonym is used, that must be clearly indicated within the qualified electronic certificate;
- UPIN, if the signatory requested in the application for certificate issuing that the certificate contains UPIN;
(2) For the creator of the seal: name, state and registration number, i.e. a unique identification mark in compliance with the legal regulations of that state, if any;
4) Data for validation of electronic signature i.e. of electronic seal, which correspond to the data for creation of such an electronic signature i.e. electronic seal;
5) Data about the beginning and end of the validity of a qualified electronic certificate;
6) A serial number of the qualified electronic certificate, which must be unique within the issuer of the qualified electronic certificate;
7) An advanced electronic signature or advanced electronic seal of the issuer of the qualified electronic certificate;
8) The location where the certificate of advanced electronic signature i.e. advanced electronic seal referred to in item 7) of this paragraph is available free of charge;
9) The location of the service that can be used to check the validity status of the qualified electronic certificate;
10) An indication that the data for creation of electronic signature i.e. seal, which correspond to the data for validation of the electronic signature i.e. seal from the qualified electronic certificate, are located in a qualified tool for electronic signature i.e. seal creation, where such requirement is fulfilled.
In addition to the attributes referred to in paragraph 1 of this Article, the qualified electronic certificates can include additional attributes as well.
The Ministry shall prescribe in more detail the mandatory requirements for qualified electronic certificates referred to in paragraph 1 of this Article.
Revocation and Suspension of the Qualified Electronic Certificate
Article 44
An issuer of qualified certificates shall revoke the certificates issued where:
1) The revocation of a certificate is requested by the owner of the certificate or by his proxy;
2) The owner of the certificate has lost his contractual capacity, or has ceased to exist or circumstances that are significantly impacting the validity of the certificate have changed;
3) He determines that a piece of data in the certificate is incorrect;
4) He determines that the data for verification of the qualified electronic signature i.e. seal are compromised or that this is the case with the system of the qualified trust service provider, thus affecting the security and reliability of certificates;
5) He determines that the data for electronic signing i.e. sealing or the system of the certificate owner are compromised in a manner that is affecting the reliability and security of the electronic signature;
6) He winds up his operations or is banned from operating.
The qualified certificate issuer shall notify the qualified trust service user of the revocation of the certificate within 24 hours from the received notification, i.e. from the occurrence of circumstances due to which the certificate is being revoked.
The qualified trust service user shall immediately request that his qualified electronic certificate is revoked in case of a loss of or damage to the certificate creation device or data.
In case of revocation, the qualified electronic certificate shall permanently lose its validity from the moment of revocation.
In case of a suspension, the qualified electronic certificate shall lose its validity during the period of suspension.
Data on the suspension and on the period of suspension of a qualified electronic certificate shall be entered in the database of certificates issued which shall be maintained by the qualified electronic certificate issuer and they must be visible during the period of suspension as part of the services which provide information on the status of the certificate.
Storing of Documentation on Issued and Revoked Qualified Certificates
Article 45
The issuer of qualified electronic certificates shall store complete documentation on the issued and revoked qualified electronic certificates, as a tool for providing evidence and verification in administrative, court and other procedures, for a minimum of ten years following the expiry of the certificate's validity.
The data referred to in paragraph 1 of this Article can be stored in electronic format.
Qualified Devices for Creation of Electronic Signature and Seal
Article 46
A qualified device for creation of electronic signature and/or seal must ensure, by appropriate technical solutions and procedures:
1) The confidentiality of data for creation of the electronic signature, i.e. seal;
2) That the electronic signature, i.e. seal creation data occurs only once;
3) That the electronic signature, i.e. seal creation data cannot be derived outside the electronic signature, i.e. seal creation device by using available technology within reasonable time;
4) That the electronic signature, i.e. seal is reliably protected against forgery by using available technology;
5) The possibility of reliable protection of data for creation of electronic signature, i.e. seal against unauthorized use.
On the occasion of electronic signature, i.e. seal creation, the qualified electronic signature, i.e. seal creation devices shall not alter the data to be signed i.e. sealed, or prevent inspection of such data by the signatory, i.e. creator of the seal prior to the qualified electronic signature, i.e. seal creation process.
A qualified trust service user can use a qualified electronic signature, i.e. seal creation device through a service of remote management of the qualified electronic signature, i.e. seal creation device (hereinafter: a service of managing qualified device remotely), which shall also represent a qualified trust service.
Notwithstanding paragraph 1 of this Article, a qualified trust service provider referred to in paragraph 3 of this Article can produce a copy of electronic signature, i.e. seal creation data for the purpose of protection against data loss, provided that:
1) Production and storing of copies of the qualified electronic signature, i.e. seal creation data do not reduce the prescribed level of protection for such data;
2) The number of produced copies of the electronic signature, i.e. seal creation data is not bigger than what is necessary for securing the continuity of service provision.
The Ministry shall prescribe in more detail the conditions that a qualified electronic signature, i.e. seal creation device must fulfill.
Certification of Qualified Devices for Creating Electronic Signature, i.e. Seal and Entry in the Register of Qualified Devices for Creating Electronic Signatures and Electronic Seals
Article 47
In compliance with the law governing the technical requirements for products and conformity assessment, the Ministry shall designate a conformity assessment body for the qualified electronic signature, i.e. seal creation devices (hereinafter: the appointed body) which shall perform conformity assessment in accordance with the regulation referred to in Article 46 of this Law.
The regulation referred to in Article 46 shall regulate in more detail the requirements that the appointed body must be fulfilling.
The Register of Qualified Devices for Creating Electronic Signatures and Electronic Seals shall be a set of data on qualified devices for creating electronic signatures and electronic seals, maintained by the Ministry.
The application for entry into the Register referred to in paragraph 3 of this Law shall be submitted to the Ministry, based on the report received from the appointed bodies.
The appointed body shall, without delay, and within seven days from the occurrence of change at the latest, notify the Ministry of the conformity certificates issued and revoked for the electronic signature, i.e. seal creation devices.
An integral part of the Register referred to in paragraph 3 of this Article shall also be qualified devices for creating electronic signature and electronic seal from the list published by the European Commission in accordance with Article 31 of the eIDAS Regulation.
For qualified devices for creating electronic signatures and electronic seals referred to in paragraph 6 of this Article, no application shall be submitted for entry in the Register of Qualified Devices for Creating Electronic Signatures and Electronic Seals.
The Ministry shall prescribe the contents and maintenance method of the Register referred to in paragraph 3 of this Article, the method for submitting applications for entry into that register in compliance with the regulations governing the general administrative procedure, the required documentation to be enclosed with the application and the application form.
Validation Procedure for Qualified Electronic Signature and Qualified Electronic Seal
Article 48
The validation procedure shall determine that an electronic signature is a valid qualified electronic signature where:
1) It is determined that the certificate that supports the electronic signature was, at the time of signing, a qualified electronic certificate;
2) It is determined that the qualified electronic certificate was issued by a service provider issuing qualified electronic signature certificates and that it was valid at the time of signing;
3) It is determined that electronic signature validation data from the qualified electronic certificate correspond to the combination of electronic signature and data signed by the electronic signature;
4) The dataset from the qualified electronic certificate that is uniquely identifying the signatory is correctly presented to the relying party;
5) The data signed by the electronic signature are correctly presented to the relying party;
6) The use of pseudonym is clearly indicated to the relying party, in case that a pseudonym is used on the occasion of electronic signing;
7) It is determined that the electronic signature was created by using a qualified electronic signature creation device;
8) It is determined that the integrity of data signed by the electronic signature has not been compromised;
9) It is determined that the electronic signature meets the requirements for an advanced electronic signature provided for in this Law.
The system used for validating the qualified electronic signature shall provide to the relying party the correct result of the validation procedure and shall allow the relying party to detect any problem relevant for reliability.
The provisions of paragraphs 1 and 2 of this Article shall apply mutatis mutandis to the electronic seal.
The Ministry shall prescribe in more detail the requirements for the validation procedure of a qualified electronic signature and qualified electronic seal.
Service of Qualified Validation of Qualified Electronic Signatures and Qualified Electronic Seals
Article 49
A service provider of qualified validation of qualified electronic signatures i.e. seals shall provide:
1) Validation of a qualified electronic signature, i.e. seal in compliance with Article 48 of this Law;
2) That the relying party that is using the service receives the result of the validation procedure through an electronic channel in an automated manner, which is reliable and efficient;
3) That the result of the validation procedure referred to in item 2) of this paragraph bears the advanced electronic seal or the advanced electronic signature of the service provider.
The Ministry shall prescribe in more detail the requirements for the provision of the service of qualified validation of qualified electronic signatures and qualified electronic seals.
Legal Effect of Electronic Signature
Article 50
An electronic signature shall not be denied legal effect or admissibility as evidence solely on the grounds that it is in an electronic format or that it does not meet the requirements for a qualified electronic signature.
A qualified electronic signature shall have the equivalent legal effect as that of a handwritten signature.
A qualified electronic signature can replace the certification of handwritten signature, where this is prescribed by separate law.
The provisions of paragraphs 1 and 2 of this Article shall not apply to the legal transactions for which a separate law envisages that they cannot be undertaken in electronic format.
Contracts and other legal transactions for which a separate law envisages that they shall be drawn up in a form of signature certification, publicly confirmed (solemnized) document or in the form of a public notary record cannot be drawn up in compliance with paragraphs 1 and 2 of this Article, but instead in compliance with the regulations governing certification of signatures, validation and drawing up of documents on legal transactions.
Legal Effect of Electronic Seal
Article 51
An electronic seal shall not be denied legal effect or admissibility as evidence solely on the grounds that it is in an electronic format or that it does not meet the requirements for a qualified electronic seal.
A qualified electronic seal shall enjoy the legal presumption of non-compromised integrity and correctness of origin of data to which it is linked.
An act of a public governmental authority that is passed in the performance of public powers in a format of an electronic document, instead of the seal, i.e. signature of the official and seal, shall contain the qualified electronic seal of that authority or a qualified electronic signature of an authorized person of a public governmental authority.
A qualified electronic seal on a submission filed as electronic document in a procedure conducted by public governmental authorities in the performance of public powers shall have the same legal effect as that of the handwritten signature, i.e. seal.
The provisions of paragraphs 1 through 4 of this Article shall not apply to the legal transactions for which a separate law lays down that they cannot be carried out electronically.
Contracts and other legal transactions for which a separate law lays down drawing up in a form of signature certification, publicly confirmed (solemnized) document, or in the form of a public notary record cannot be drawn up in compliance with paragraphs 1 through 4 of this Article, but in compliance with the regulations governing certification of signatures, validation and drawing up of documents on legal transactions.
Requirements for Qualified Electronic Time Stamps
Article 52
A qualified electronic time stamp must:
1) Be linked to the Coordinated Universal Time (UTC) so that any possibility of change of data that is not detectable is prevented;
2) Be based on an accurate time source;
3) Be issued by a provider of the service of qualified time stamp issuing;
4) Be signed, i.e. sealed by the provider of the service of qualified time stamp issuing by means of an advanced electronic signature or advanced electronic seal.
The Ministry shall prescribe in more detail the requirements for qualified electronic time stamps.
Legal Effect of Electronic Time Stamp
Article 53
An electronic time stamp shall not be denied legal effect or admissibility as evidence solely on the grounds that it is in an electronic format or that it does not meet the requirements for a qualified time stamp.
A qualified electronic time stamp and data to which such time stamp has been bound shall enjoy the legal presumption of accuracy of the date and time indicated in the time stamp and the non-compromised integrity of such data in relation to such moment of time.
Requirements for Qualified Electronic Delivery Services
Article 54
A qualified electronic delivery service must:
1) Be provided by one or more qualified trust service providers;
2) Ensure, with a high level of confidence, the identification of the sender;
3) Ensure the identification of the recipient on the occasion of data delivery;
4) Use, in the process of sending and receiving an electronic message, the advanced electronic signature or advanced electronic seal of the qualified electronic delivery service provider for the purpose of precluding any undetected modification of data;
5) Ensure that any change of data performed for the purpose of sending or receiving the data must be clearly indicated to the sender and the recipient;
6) Ensure that the time and date of sending, receiving and any change of data must be indicated by a qualified electronic time stamp;
7) Ensure that, in the event that data are transferred between two or more qualified electronic delivery service providers, the requirements referred to in this paragraph are applied to each one of them.
Confirmation of Electronic Delivery
Article 55
A service provider shall issue two confirmations to the sender when providing the qualified electronic delivery service, namely:
1) A confirmation that he has received an electronic message from the sender and forwarded it to the recipient;
2) A confirmation that the recipient has taken over a delivered electronic message.
The confirmations referred to in paragraph 1 of this Article shall be delivered in an automated manner by the service provider in electronic format, signed by an advanced electronic seal, and upon request he can issue them electronically or in hardcopy.
The confirmation referred to in paragraph 1, items 1) and 2) of this Article shall contain:
1) The identification mark of the electronic message assigned by the service provider;
2) Data about the sender and on the recipient, which may include, of the personal data, the data referred to in Article 43, paragraph 1, item 3) of this Law, as well as the address for electronic delivery;
3) Data that link the confirmation to the contents of the electronic message;
4) Date and time of receipt and forwarding of the electronic message by the service provider, i.e. date and time of taking over of the delivered electronic message by the recipient.
The confirmation referred to in paragraph 1, item 2) of this Article shall be considered to be a delivery note in an electronic format within the meaning of the law governing administrative procedure, where the date and time of taking over referred to in paragraph 3, item 4) of this Article shall be considered to be the date and time of handing over.
The date and time of receipt of submission that a party in an administrative procedure has sent to an authority through the qualified electronic delivery shall be considered to be the date and time of taking over referred to in paragraph 3, item 4) of this Article.
In the event of any technical problems on the occasion of electronic delivery i.e. receiving of data, the provider of the qualified electronic delivery service shall notify the sender and the recipient thereof.
The Ministry shall prescribe more detailed requirements for services of qualified electronic delivery referred to in Article 54 of this Law and the contents of the confirmations referred to in paragraph 3 of this Article.
Exchange of Electronic Messages among Providers of Qualified Electronic Delivery Service
Article 56
Providers of a service of qualified electronic delivery shall, when providing a qualified electronic delivery service, enable the receipt and sending of messages even when the sender or recipient of the message is a user of another qualified electronic delivery service provider.
The exchange of electronic messages referred to in paragraph 1 of this Article shall be performed in a manner governed by the regulation referred to in Article 55 of this Law, which regulates in more detail the requirements for services of qualified electronic delivery.
Legal Effect of Electronic Delivery Service
Article 57
Data sent or received using an electronic delivery service shall not be denied legal effect and admissibility as evidence in legal transactions solely on the grounds that they are in electronic format or that they do not meet all the requirements of the qualified electronic delivery service.
Data in an electronic message sent or received using a qualified electronic delivery service shall enjoy the legal presumption of the integrity of data, the sending of data by the sender indicated, receipt by the recipient indicated, and reliability of the date and time of sending or receiving.
Qualified Certificates for Website Authentication
Article 58
Website authentication shall be used to verify the identity of a website by the user of qualified trust service, which shall guarantee its reliability for use.
A qualified certificate shall be used for authentication of a website, which shall be issued by a qualified trust service provider.
A qualified certificate for website authentication must comply with the requirements referred to in Article 59 of this Law.
Contents of Qualified Certificates for Website Authentication
Article 59
Qualified certificates for website authentication shall contain:
1) An indication, which is detectable in automated processing, that the certificate is issued as a qualified certificate for website authentication;
2) A set of data which unambiguously represent the provider of the service of issuing qualified website authentication certificates, which shall include the state where the seat of the business is situated, the business name and registration number of such service provider;
3) Name and surname or pseudonym of a natural person to whom the certificate is issued, i.e. the business name and registration number of a legal person to whom the certificate is issued;
4) The address i.e. the seat of a natural or legal person to whom the certificate is issued;
5) The name of the internet domain of the natural or legal person to whom the certificate is issued;
6) The data on the beginning and end of the certificate's period of validity;
7) The certificate identification code which must be unique for the provider of the service issuing the qualified certificates for website authentication;
8) The advanced electronic signature or advanced electronic seal of the provider of the service issuing qualified website authentication certificates;
9) The location where the certificate of advanced electronic signature certificate or advanced electronic seal referred to in item 8) of this paragraph is available free of charge;
10) The location of the service through which the validity status of the qualified electronic certificate is checked.
5. Electronic Storing of Documents
Preparation of Documents for Electronic Storing
Article 60
Preparation of documents for electronic storing shall pertain to:
1) Documents that were originally created in an electronic format that is suitable for storing;
2) The conversion of a document to another electronic format that is suitable for storing;
3) Digitalization of a document that was originally created in a format that is not an electronic into a format that is suitable for storing.
A document prepared for electronic storing can also include additional data that describe the document or that are derived from the document.
Preparation of Documents for Reliable Electronic Storing
Article 61
Preparation of a document for reliable electronic storing shall:
1) Ensure trustworthy transfer of all essential elements of the contents of the original document into a document prepared for electronic storing, by taking into account the nature and purpose of the document, i.e. that the integrity of document contents is preserved;
2) Ensure that the usability of the contents of the original document is preserved;
3) Ensure that all the elements of the contents of the original document are included that are of significance for the authenticity;
4) Ensure confirmation of identity to the original document and accuracy of additionally included data contained in the qualified electronic seal or signature with the associated time stamp;
5) Ensure the performance of control of accuracy and quality of conversion, as well as removal of errors occurred during the conversion procedure;
6) Ensure that the additions to the contents, annotations entered and data on actions taken are stored separately from the original documents;
7) Ensure that orderly records are kept about the actions taken in the procedure of preparation for electronic storing.
Where the prescribed time limit for document storing is longer than five years, the document prepared for storing should be in a format that is suitable for long-term storing.
The Government shall, at the proposal of the Ministry, regulate more detailed conditions that a reliable preparation of a document for electronic storing must meet, and the document formats that are convenient for long-term storing.
Reliable Electronic Storing of Documents
Article 62
Reliable electronic storing of documents that contain a qualified electronic signature, i.e. seal in the original format, as a confirmation of integrity and origin of these documents, shall be performed in such a manner that, during the storing thereof, procedures and technological solutions are used which ensure the possibility of verification of validity of the qualified electronic signature i.e. seal during the entire period of storing.
Reliable electronic storing of the documents prepared in compliance with Article 61 of this Law, for which identity to the original document and accuracy of the additionally included data has been confirmed by means of a qualified electronic signature i.e. seal referred to in Article 61, paragraph 1, item 4), shall be performed in such a manner that, during the storing thereof, procedures and technological solutions which ensure the possibility of verification of validity of the qualified electronic signature i.e. seal during the entire period of storing.
The Ministry shall prescribe more detailed conditions for procedures and technological solutions referred to in paragraphs 1 and 2 of this Article.
The ministry in charge of culture shall regulate more detailed conditions, tasks, operations, standards and processes for digitalization of the cultural heritage and contemporary art pertaining to the procedures and technological solutions referred to in Articles 61 and 62 of this Law.
Service of Qualified Electronic Storing of Documents
Article 63
The service of qualified electronic storing of documents shall be a qualified trust service by means of which reliable electronic storing of documents is provided in compliance with Articles 60 through 62 of this Law.
A provider of the service of qualified electronic preservation of documents can opt to limit the service of qualified electronic storing of documents only to storing of documents containing a qualified electronic signature, i.e. seal in their original format.
The document stored as a part of the service of qualified electronic storing shall enjoy a legal presumption of identity to the original document, on which the provider of the service of qualified electronic storing of documents shall issue an attestation.
Where a document is stored as a part of the service of qualified electronic storing of documents in such a manner that the storing period envisaged by such service covers the prescribed storing period for the document in question, the original document can be destroyed, unless prescribed otherwise.
Inspection Tasks in Electronic Identification and Trust Services in Electronic Business
Article 64
The inspection in charge of electronic identification and trust services in electronic business shall perform inspection supervision over the application of this Law and the operations of providers of services of electronic identification and providers of trust services (hereinafter: service providers) through the inspector for electronic identification and trust services (hereinafter: the inspector).
When performing inspection supervision of the service providers, the inspector shall determine whether the requirements prescribed by this Law and by regulations adopted for the implementation of this Law are complied with.
Article 65
In the inspection supervision procedure, the inspector shall be authorized to:
1) Order removal of determined irregularities and set a time limit for that;
2) Prohibit the use of inadequate procedures and infrastructure, and set a time limit to the service provider within which he shall be obliged to provide adequate procedures and infrastructure;
3) Temporarily ban the provision of service to the service provider until removal of inadequacies in procedures and infrastructure;
4) Order a temporary revocation of one or all certificates issued by the service provider, where there is reasonable doubt that an inadequate procedure or forgery is the case.
VII PENAL, TRANSITIONAL AND FINAL PROVISIONS
Article 66
A fine from RSD 50,000 to RSD 2,000,000 shall be imposed on a qualified trust service provider - legal person for a misdemeanor where:
1) It fails to take the necessary technical and organizational measures to manage the risks that are compromising reliable and secure provision of such trust services (Article 27, paragraph 1);
2) Without delay, and at the latest within 24 hours after having become aware of, it fails to notify the Ministry of any breach of security or loss of integrity of the service which are significantly affecting the trust service provision (Article 27, paragraph 3);
3) It fails to notify, without delay, the trust service user of the breach of security or loss of integrity of the service, where the breach of security or loss of integrity of the trust service could adversely affect the trust service users (Article 27, paragraph 4);
4) Prior to concluding the contract referred to in Article 30, paragraph 1 of this Law, it fails to inform the person which submitted the request for provision of a qualified trust service about all the important circumstances involved with the use of the service referred to in Article 30, paragraph 2, items 1) through 3) of this Law (Article 30, paragraph 2);
5) It fails to comply with the requirements referred to in Article 31 (Article 31);
6) On the occasion of issuing of a qualified certificate for trust services, it fails to verify data on the identity of the natural, i.e. legal person contained in the qualified certificate, in compliance with Article 33, paragraph 2 of the Law (Article 33, paragraphs 1 and 2);
7) It fails to carry out the conformity assessment prior to the commencement of provision of qualified trust services, i.e. at least once in 24 months (Article 34, paragraph 3);
8) It fails to carry out the order for an unscheduled conformity assessment (Article 34, paragraph 5);
9) If failed to be entered in the Register of Qualified Trust Service Providers prior to the commencement of provision of qualified trust services (Article 35, paragraph 3);
10) An issuer of qualified electronic certificates intending to windup its business activity fails to notify each qualified trust service user and the Ministry of the intention to terminate the contracts, at least three months prior to the occurrence of the intended cessation of the business activity (Article 36, paragraph 1);
11) In case of a business windup, it fails to provide continuation of service provision with another trust service provider for the qualified trust service users to whom it has issued the certificate, or it fails to revoke all the certificates issued and to immediately notify the Ministry of the measures taken (Article 36, paragraph 2);
12) It fails to deliver complete documentation relating to provision of trust services to another issuer to which it is transferring the obligations of carrying out one or several trust services, i.e. to the Ministry (Article 36, paragraphs 3 and 4);
13) The qualified electronic certificate does not contain all data referred to in Article 43, paragraph 1 of this Law (Article 43, paragraph 1);
14) The qualified certificate issuer fails to revoke the certificates issued, in cases referred to in Article 44, paragraph 1 (Article 44, paragraph 1);
15) The qualified certificate issuer fails to notify the qualified trust service user of the revocation of certificates within 24 hours from the received notification, i.e. from the occurrence of circumstances due to which the certificate is being revoked (Article 44, paragraph 2);
16) The qualified certificate issuer does not store the complete documentation on the issued and revoked qualified certificates, as a means for providing evidence and verification in administrative, court and other procedures, for a minimum of ten years following the expiry of the certificates’ validity (Article 45);
17) It fails to provide receiving and sending of messages, even when the sender or recipient of the message is user of another provider of service of qualified electronic delivery (Article 56, paragraph 1);
18) Reliable electronic storing of documents prepared in compliance with Article 61 of this Law, for which identity to the original document and accuracy of the additionally included data has been confirmed by means of the qualified electronic signature, i.e. seal referred to in Article 61, paragraph 1, item 4), is not performed in such a manner that, during storing, procedures and technological solutions enabling the possibility of proving the validity of the qualified electronic signature, i.e. seal are used during the entire period of storing (Article 62, paragraph 2).
A responsible person of the trust service provider shall also be sanctioned for the misdemeanor referred to in paragraph 1 of this Article with a fine from RSD 5,000 to RSD 100,000.
A trust service provider - natural person in the capacity of a registered entity shall be sanctioned for the misdemeanor referred to in paragraph 1 of this Article with a fine from RSD 10,000 to RSD 500,000.
Article 67
A fine from RSD 50,000 to RSD 200,000 shall be imposed on a user of qualified trust service - legal person for the misdemeanor where:
1) It fails, in case of a change of data referred to in paragraph 1, Article 33 of this Law, to notify the qualified trust service provider without delay (Article 33, paragraph 3).
A responsible person with the legal person shall also be sanctioned for the misdemeanor referred to in paragraph 1 of this Article with a fine from RSD 5,000 to RSD 50,000.
A trust service user - natural person in the capacity of a registered entity shall be sanctioned for the misdemeanor referred to in paragraph 1 of this Article with a fine from RSD 10,000 to RSD 100,000.
A trust service user - a natural person shall be sanctioned for the misdemeanor referred to in paragraph 1 of this Article with a fine from RSD 5,000 to RSD 50,000.
Article 68
A fine from RSD 50,000 to RSD 2,000,000 shall be imposed on a registered electronic identification service provider - legal person for a misdemeanor where:
1) The electronic identification scheme does not comply with the requirements referred to in Article 17 (Article 17);
2) It fails to take the necessary technical and organizational measures to manage the risks compromising reliable and secure provision of such services as referred to in Article 22, paragraph 2 of this Law (Article 22, paragraphs 1 and 2).
A responsible person with the electronic identification service provider shall also be sanctioned for the misdemeanor referred to in paragraph 1 of this Article with a fine from RSD 5,000 to RSD 100,000.
The electronic identification service provider - a natural person in the capacity of a registered entity shall be sanctioned for the misdemeanor referred to in paragraph 1 of this Article with a fine from RSD 10,000 to RSD 500,000.
Article 69
A fine from RSD 50,000 to RSD 2,000,000 shall be imposed for the misdemeanor on the service provider referred to in Article 64 of this Law if it fails to act in compliance with the order of the inspector within the set time limit referred to in Article 65, paragraph 1 of this Law.
A responsible person with the service provider shall also be sanctioned for the misdemeanor referred to in paragraph 1 of this Article with a fine from RSD 5,000 to RSD 100,000.
A service provider - natural person in the capacity of a registered entity shall be sanctioned for the misdemeanor referred to in paragraph 1 of this Article with a fine from RSD 10,000 to RSD 500,000.
Article 70
A fine from RSD 5,000 to RSD 100,000 shall be imposed for a misdemeanor on a responsible person with a state authority, as well as with an authority of the Autonomous Province or a local self-government unit where in a procedure he governs while performing public powers fails to recognize the validity, i.e. denies admissibility as evidence of an electronic document drawn up in compliance with this Law, i.e. of a digitalized act certified in compliance with Article 11 of this Law, solely on the grounds that it has been delivered in such a format (Article 7).
A fine from RSD 20,000 to RSD 150,000 shall be imposed for a misdemeanor on a responsible person with a state authority, as well as with an authority of the Autonomous Province or a local self-government unit where in a procedure he governs in carrying out his public powers, fails to recognize the validity to an electronic document, including acts of a public governmental authorities, signed with a qualified electronic signature or qualified electronic seal, where the validity of such document is subject to an obligation of handwritten signature, i.e. seal placing (Articles 50 and 51).
Article 71
A fine from RSD 50,000 to RSD 2,000,000 shall be imposed for a misdemeanor on a legal person that is a governmental authority within the meaning of this Law, except for the authorities referred to in Article 70 of this Law, if in a procedure it governs while carrying out of public powers, it fails to recognize the validity, i.e. disputes the admissibility as evidence of an electric document drawn up in compliance with this Law, i.e. of a digitalized act certified in compliance with Article 11 of this Law, on the sole grounds that it has been delivered in such a format (Article 7).
A responsible person with the legal person referred to in paragraph 1 of this Article shall also be sanctioned for the misdemeanor referred to in paragraph 1 of this Article with a fine from RSD 5,000 to RSD 100,000.
A governmental authority shall be sanctioned for the misdemeanor referred to in paragraph 1 of this Article in case where it is a natural person, with a fine from RSD 5,000 to RSD 100,000.
A legal person that is a governmental authority within the meaning of this Law, except for the authorities referred to in Article 70 of this Law, shall be sanctioned for a misdemeanor with a fine from RSD 100,000 to RSD 2,000,000 where, in a procedure it governs in carrying out of public powers, fails to recognize the validity of an electronic document, including also the acts of governmental authorities, signed by a qualified electronic signature or by a qualified electronic seal, if the obligation of handwritten signature, i.e. seal placing has been prescribed for such a document to be valid (Articles 50 and 51).
A responsible person with the legal person referred to in paragraph 4 of this Article shall also be sanctioned for the misdemeanor referred to in paragraph 4 of this Article with a fine from RSD 20,000 to RSD 150,000.
A governmental authority shall be sanctioned for the misdemeanor referred to in paragraph 4 of this Article in case where it is a natural person, with a fine from RSD 20,000 to RSD 150,000.
2. Transitional and Final Provisions
Article 72
The secondary legislation referred to in Article 18, paragraph 2, Article 19, paragraph 3, Article 31, paragraph 3, Article 35, paragraph 8, Article 46, paragraph 5, and Article 47, paragraph 7 of this Law shall be adopted within six months from the date of entry into force of this Law.
The secondary legislation referred to in Article 34, paragraph 8, Article 38, paragraph 4, Article 39, paragraph 4, Article 43, paragraph 3, Article 48, paragraph 4, Article 49, paragraph 2 and Article 52, paragraph 2 of this Law shall be adopted within 12 months from the date of entry into force of this Law.
The secondary legislation referred to in Article 55, paragraph 7, Article 61, paragraph 3, and Article 62, paragraphs 3 and 4 of this Law shall be adopted within 18 months from the date of entry into force of this Law.
Termination of Validity of Former Regulations, Continued Application of Secondary Legislation and Continuation of Operations Based on Previous Registration
Article 73
On the day of entry into force of this Law, the Law on Electronic Signature ("Official Herald of the RS", No. 135/04) and the Law on Electronic Document ("Official Herald of the RS", No. 51/09) shall be repealed.
The secondary legislation adopted on the basis of the laws referred to in paragraph 1 of this Law shall continue to be applicable even following the repealing of the said laws, all until the relevant regulations are adopted in compliance with this Law, unless where they are contrary to the provisions of this Law.
On the day of entry into force of this Law, the certification bodies tasked with issuing of qualified electronic certificates which were registered based on the Law on Electronic Signature shall continue their operations as the qualified service providers issuing qualified certificates for electronic signature.
On the day of entry into force of this Law, the issuers of a time stamp registered based on the Law on Electronic Document shall continue their operations as qualified service providers issuing qualified electronic time stamps.
The certification bodies referred to in paragraph 3 of this Article and the issuers of a time stamp referred to in paragraph 4 of this Article shall, within 12 months from the day of entry into force of this Law, bring their operations in line with the provisions of this Law and deliver to the Ministry a report on conformity assessment referred to in Article 34 of this Law.
The Ministry shall perform conformity assessment referred to in Article 34 of this Law until the first conformity assessment body has been accredited, in compliance with regulations.
Method of Conformity Assessment of Devices for Creating a Qualified Electronic Signature, i.e. Seal Remotely until the Appointment of Conformity Assessment Body
Article 73a
When performing the conformity assessment of the service of managing a qualified device remotely, the conformity assessment of the device for creating of an electronic signature, i.e. seal with the prescribed conditions shall also be performed.
The conformity assessment of the device referred to in paragraph 1 of this Article shall be performed by the Ministry, i.e. the conformity assessment body referred to in Article 34 of this Law, until the appointment of the body referred to in Article 47 of this Law.
The device referred to in paragraph 1 of this Article shall be considered to be qualified only within the assessed service of managing a qualified device for creating of an electronic signature, i.e. a seal remotely provided by the qualified trust service provider.
The device referred to in paragraph 1 of this Article shall be entered into the Register of Qualified Devices for Creating Electronic Signatures and Electronic Seals with a note that the device shall be considered to be qualified only when used within the assessed service.
Article 74
This Law shall enter into force eight days from the day of its publication in the "Official Herald of the Republic of Serbia".
Independent Articles of the Law on Amendments and Additions to the Law on Electronic Document, Electronic Identification, and Trust Services in Electronic Business
("Off. Herald of the RS", No. 52/2021)
Article 24
Regulations adopted on the basis of the Law on Electronic Document, Electronic Identification And Trust Services in Electronic Business ("Official Herald of the RS", No. 94/17), shall be harmonized with the provisions of this Law within six months from the day of entry into force of this Law.
Article 25
This Law shall enter into force on the eighth day from the day of publication in the "Official Herald of the Republic of Serbia".