Software for electronic commerce enterprises, in Europe and elsewhere, has to take into account local and EU-wide laws and regulations on electronic document formats, signatures, authentication, and validation.
This white paper suggests ways to make an enterprise IT infrastructure based on Microsoft BizTalk Server compliant with the laws of the European Union. It gives a snapshot of EU-wide legislation and, as examples, of the national French, German, and Spanish laws on electronic signatures and e-commerce.
In recent years the volume of electronic commerce has grown significantly, and the security of transactions has become ever more important. Resistance of information to tampering, authentication of the transacting parties, and non-repudiation of signatures are a must.
The European Union as a whole and its Member States have well-developed regulations on the legal treatment of electronic signatures, on their scope and applicability to contracts and other transactions, and on the related technical requirements and specifications.
The e-signing software products currently available on the markets of European countries differ in scope and in the technology they use. While many of them comply with national laws and standards, an enterprise working internationally will have difficulty integrating them into a single software architecture and keeping their operation synchronized and harmonized.
IT professionals want the most complete compliance with existing standards in their Microsoft BizTalk Server environment. An analysis of the e-commerce laws of several European nations leads to the conclusion that a universal pan-EU solution for applying electronic signatures to documents can be built on a specialized commercial XML processor for Microsoft BizTalk Server.
The European Union legislates for its Member States through Directives, which bind them to a result while leaving the form of national implementation to each state. The main document dealing with electronic signatures is Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. In brief, it establishes the legal recognition of electronic signatures and sets the direction towards making them secure and non-repudiable. On 15 March 2006 the European Commission issued its report COM(2006) 120 on the operation of the Directive, analysing its transposition by the Member States; it finds the Member States' legal systems largely in line with the Directive. In addition, the Commission published (Decision 2003/511/EC) a list of generally recognised standards for electronic signature products in accordance with the Directive: CWA 14167-1, CWA 14167-2, and CWA 14169. Below, we briefly describe the legal framework regulating e-signatures in three Member States, namely France, Germany, and Spain.
The French Law of 13 March 2000 adapts the Civil Code of the Republic, making electronic signatures legally acceptable (Loi n°2000-230 portant adaptation du droit de la preuve aux technologies de l'information et relative à la signature électronique, complemented by Décret (Decree) n°2001-272 of 30 March 2001). This implementation of Directive 1999/93/EC gives legal value to the electronic signature and makes documents signed in this way legally admissible.
The German Law on Framework Conditions for Electronic Signatures (Signaturgesetz, SigG; BGBl. I S. 876, with amendments introduced in BGBl. I S. 179) was adopted on 16 May 2001. It implements Directive 1999/93/EC and repeals the older Digital Signature Act, which was part of the Federal Information and Communication Services Act of 1 August 1997. The law prescribes the security infrastructure required for electronic signatures to be accepted on a par with their handwritten counterparts. The Ordinance on Electronic Signatures (Signaturverordnung) of 16 November 2001 further elaborates the minimum technical requirements for signing and verification technology.
The Spanish Electronic Signature Law of 19 December 2003 (Ley 59/2003 de firma electrónica) replaces the Royal Decree-Law of the same name issued in 1999, harmonizing Spanish law with the requirements of the Directive. Its main impact on Spanish society is the legal basis it establishes for nationwide use of the electronic national ID card (DNI electrónico). The Royal Decree of 23 December 2005 amends national legislation towards acceptance of electronic signatures by private parties and corporate entities. More recently, Spain adopted a detailed specification for electronic invoices (Order PRE/2971/2007) that explicitly defines their XML Schema Definition (XSD). Particularly important, the Law of Public Sector Contracts of 30 October 2007 (Ley 30/2007 de Contratos del Sector Público) mandates electronic invoicing in contracting with public sector entities, and all such invoices must be protected by an electronic signature.
This snapshot of the legislation of selected Member States shows that electronic signing of documents is not merely a desirable addition to an enterprise infrastructure; it is legally mandated. Non-compliance with the regulations may result in inconvenience, business slowdown, and even fiscal sanctions.
The software developed by local firms to provide compliant e-signature functionality is neither standardized nor synchronized among Member States. Moreover, the applications on offer do not integrate easily with existing enterprise IT infrastructures.
Until recently, Microsoft did not offer BizTalk Server processors capable of applying electronic signatures according to European standards. To make your infrastructure compliant, and the documents it generates acceptable, you must either develop these functions in house, at considerable cost, or use the XML Processor for Microsoft BizTalk Server, which is based on the long-established SecureBlackbox technology suite.
BizCrypto version 7.0 for Microsoft BizTalk Server adds cryptographic operations to your environment: encryption and decryption of XML documents, digital signing with optional timestamping, and signature verification. It also includes built-in support for XML Advanced Electronic Signatures (XAdES), which provides, among other things, timestamped signatures of the kind required by the Directive and the national laws cited above.
XAdES was developed by ETSI (TS 101 903) and published by the World Wide Web Consortium (W3C) as a Note; it defines itself as an extension of "the IETF/W3C XML-Signature Syntax and Processing specification [XMLDSIG] into the domain of non-repudiation by defining XML formats for advanced electronic signatures that remain valid over long periods". The format was designed specifically to meet the Directive's requirements for advanced electronic signatures.
The BizCrypto XML Processor implements two important W3C standards for electronic signatures and encryption: XML Encryption (XMLEnc) and XML Signature (XMLDSig). XMLEnc covers the encryption of data and its representation as XML. XMLDSig specifies the syntax, rules, and processing for digital signatures over XML documents and parts of them.
To meet broader requirements and offer the full spectrum of electronic signatures, the BizCrypto XML Processor lets your BizTalk Server environment produce detached, enveloping, and enveloped signatures, with support for both public-key signing and Hash-based Message Authentication Codes (HMAC). Note that an HMAC uses a key shared between signer and verifier: it proves integrity and origin to the holder of that key, but because the verifier could have produced the same value it does not give the non-repudiation that an advanced electronic signature under the Directive requires; use certificate-based signing for documents that must be legally attributable. In addition, you can sign and encrypt documents with OpenPGP keys, certificates, or raw RSA keys.
Timestamping is a vital part of the digital signing procedure: it records, verifiably, the time at which a signature was made. An electronic timestamp proves that the signed data existed, in the form covered by the timestamp, no later than the stated time; combined with the signature it shows that the document has not been changed since. The timestamp is issued by an independent organization, a Timestamping Authority (TSA), and verified against the TSA's certificate. A BizTalk Server equipped with the SecureBlackbox XML Processor has full timestamping capability in accordance with the XAdES standard.
Documents prepared or converted into XML by third-party applications are not necessarily in a form suitable for signing and further distribution. Preparatory steps such as XML canonicalization are often needed: the same information can be serialized with different attribute order, namespace prefixes, or whitespace, and a digest computed over one serialization will not match another. BizTalk users get simple, inclusive, and exclusive canonicalization with or without comments, as well as Base64, C14N (canonicalization), enveloped signature, and XPath transforms. Some of these may be required as preparatory steps preceding document signing.
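To make the points about signature types, HMAC signing, and canonicalization concrete, here is an added example that builds and verifies a detached XMLDSig-style signature over a small invoice. It is not BizCrypto or EldoS code and uses only the Python standard library. Two things are assumptions that a real deployment would not share: xml.etree.ElementTree.canonicalize implements W3C C14N 2.0 rather than the C14N 1.x or Exclusive C14N that XMLDSig 1.0 deployments use, and HMAC-SHA256 with a pre-shared key stands in for certificate-based signing. The invoice strings and the key are constructed for the example.

```python
"""Detached XMLDSig-style signature over a canonicalized XML document.

Added example, not BizCrypto/EldoS code. Standard library only.
Assumptions: C14N 2.0 (what ET.canonicalize implements) instead of
C14N 1.x, and HMAC-SHA256 with a pre-shared key instead of a certificate.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)  # same prefix when signing and when verifying

# Real algorithm identifiers from XMLDSig, RFC 6931 and C14N 2.0
C14N2 = "http://www.w3.org/2010/10/xml-c14n2"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample invoice in two serializations: same information,
# different attribute order, and one of them carries a comment.
INVOICE_A = '<Invoice id="INV-1" currency="EUR"><!-- draft --><Total>100.00</Total></Invoice>'
INVOICE_B = '<Invoice currency="EUR" id="INV-1"><Total>100.00</Total></Invoice>'
KEY = b"shared-secret-for-demo-only"  # assumption: pre-shared HMAC key


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def digest_value(xml_text: str, with_comments: bool = False) -> str:
    """DigestValue of a document: SHA-256 over its canonical form."""
    canonical = ET.canonicalize(xml_text, with_comments=with_comments)
    return b64(hashlib.sha256(canonical.encode("utf-8")).digest())


def c14n_bytes(elem: ET.Element) -> bytes:
    """Canonical bytes of an element subtree (used for ds:SignedInfo)."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")


def sign_detached(xml_text: str, key: bytes, uri: str = "invoice.xml",
                  with_comments: bool = False) -> str:
    """Build a detached ds:Signature whose single Reference covers the document."""
    sig = ET.Element(f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}CanonicalizationMethod", Algorithm=C14N2)
    ET.SubElement(si, f"{{{DS}}}SignatureMethod", Algorithm=HMAC_SHA256)
    ref = ET.SubElement(si, f"{{{DS}}}Reference", URI=uri)
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=SHA256)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest_value(xml_text, with_comments)
    # The MAC covers canonical SignedInfo (hence the digest), never the raw document.
    mac = hmac.new(key, c14n_bytes(si), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = b64(mac)
    return ET.tostring(sig, encoding="unicode")


def verify_detached(xml_text: str, signature_xml: str, key: bytes,
                    with_comments: bool = False) -> bool:
    """Core validation: check SignatureValue first, only then the Reference digest."""
    try:
        sig = ET.fromstring(signature_xml)
    except ET.ParseError:
        return False
    si = sig.find(f"{{{DS}}}SignedInfo")
    sv = sig.findtext(f"{{{DS}}}SignatureValue")
    method = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
    if si is None or sv is None or method is None:
        return False
    # The attacker controls SignatureMethod; never let it select a weaker algorithm.
    if method.get("Algorithm") != HMAC_SHA256:
        return False
    expected = b64(hmac.new(key, c14n_bytes(si), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sv):
        return False
    # SignedInfo is now authentic, so its DigestValue may be compared with the document.
    claimed = si.findtext(f"{{{DS}}}Reference/{{{DS}}}DigestValue") or ""
    return hmac.compare_digest(digest_value(xml_text, with_comments), claimed)


if __name__ == "__main__":
    signature = sign_detached(INVOICE_A, KEY)
    print("A and B share a digest once comments are dropped:",
          digest_value(INVOICE_A) == digest_value(INVOICE_B))
    print("B verifies against the signature made over A:",
          verify_detached(INVOICE_B, signature, KEY))
    print("Tampered total verifies:",
          verify_detached(INVOICE_B.replace("100.00", "900.00"), signature, KEY))
```

The two invoice serializations yield the same DigestValue when comments are excluded and different ones when they are included, which is exactly why the canonicalization method and its comment handling are recorded inside SignedInfo. Verification checks the SignatureValue before trusting anything in SignedInfo and rejects any SignatureMethod other than the expected one, so an attacker who can edit the signature element cannot swap in a different digest or a weaker algorithm.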
The latest version of the BizCrypto XML Processor also handles smart cards, bringing your enterprise into compliance with national laws and specifications such as those for the Spanish and Belgian eID cards. These cards are an officially recognized form of identification that, in addition to the usual data identifying the person, hold the holder's signing key and certificate. As mentioned above, they can be used to sign any electronic document with a signature that is the legal equivalent of a handwritten one and bears the same legal consequences. Since such cards are accepted at many points of business-customer interaction, your enterprise will undoubtedly benefit from offering this service to its customers.
Compliance with the electronic commerce laws of the European Union is a must for any national enterprise, and awareness of these regulations is very important to foreign business entities doing or planning to do business with EU countries. Integrating the e-commerce requirements, standards, and specifications into your enterprise IT infrastructure requires a systematic and coordinated approach. EldoS Corporation provides convenient processors for integrating electronic signature functionality into existing Microsoft BizTalk Server environments.