Cross-border digital signature in company registration portal

Acronym of the case:

CrossBorderDS

Web address of the case:

https://ettevotjaportaal.rik.ee

Country of the case:

Belgium , Estonia , Finland , Lithuania , Portugal , Pan european

Posting Date:

1 October 2009

Last Edited Date:

04 October 2011

Author:

Ingmar Vali (Centre of Registers and Information Systems)

PoSC | eID | cross-border

Type of initiative

Project or service
Strategic initiative

Case Abstract

Establishing a company in a foreign country usually proves to be a very difficult and cumbersome process (especially for SMEs). In order to overcome at least some of the obstacles on the way â€“ Portugal and Estonia started an innovative co-operation process in order to allow online cross-border establishment of companies in either Portugal or Estonia by using qualified electronic signatures of both countries. Both countries have established electronic company registration â€“ â€˜Portal da Empresaâ€˜ and â€˜EttevÃµtjaportaalâ€™ (CReP) are equally recognized as best-practice all over Europe. Also secure authentication using eID has been established in Estonia as well as in Portugal. Today, we have come to the point that it is now possible for the holders of Estonian electronic signature to start a business in Portugal and vice versa without leaving their homes â€“ i.e. one does not need to travel to the other country any more. All one needs is a computer, ID-card and valid PIN passwords that come with the ID-card to sign the application digitally. The whole project has been carried out in very business friendly solution in two languages (Estonian , English; Portuguese, English).

The result of Cross-border digital signature project is: The Company Registration Portal in Estonia accepts Portuguese, Finnish, Belgian and Lithuanian citizen and entrepreneurs e-applications to start a private limited company and later send annual reports. In May 2009 we had our first cross-border establishment of a Private limited company with Finnish digital signatures. All the applications are signed with qualified digital signature by using national ID-cards.

Company registration portal in Estonia become operational in 2007. In the first year 20% of new private limited companies were registered with Estonian digital signature. In 2008 the growth was 100% and the electronic application count was approx. 4000 applications (40% of all). Effectiveness has improved through the automation of processes, thereby saving citizens a trip to registrars (or notaries) office and reducing the number of errors. All the process can be done online from home despite of the geographical location of nationality (at the moment Finnish, Portuguese, Belgian, Lithuanian).

Thus access to public administrationsâ€™ electronic procedures often implies the need for the individuals involved to identify themselves (i.e. allowing the administration to make sure that the persons are who they claim to be by checking their personal credentials1) and the need to provide an electronic signature allowing the administration to identify the signatory as well as to make sure that the data submitted has not been altered during transmission). The main barrier is the lack of interoperability, be it legal, technical or organisational.

This project is a good example how digital signatures across border can be used. It is possible to accept digital signatures from other EU member state when public PKI systems and qualified digital signatures are in place! In Estonia implementation to other internet portals has begun.

Cross-border digital signature service is an expansion to Company Registration Portal: http://epractice.eu/en/cases/crep

Description of the case

Domain

eGovernment

Topic

Sector

Communication (infrastructure) | Crime, Justice and Law | Internal market

Date

October 2007 to October 2008

Date operational

November 2008

Target Users

Administrative | Business (self-employed) | Business (industry) | Business (SME) | Citizen

Target Users Description

The company registration portal(CReP) in Estonia can be used by citizens and entrepreneurs. In Estonia there are over 1 million ID-card users (about 90% of population) who can use CReP by authenticating and digital signing with national ID-card (certificates). In addition, thanks to cross-border digital signature validation service, the portal accepts Finnish, Belgian and Portuguese ID-card users (8 million possible users). Also Lithuanian Mobile-ID users are accepted. The list of countries which national ID-cards are accepted is not complete. Soon more countries (CA) will be added to the validated CA list.

Scope

Cross-border | International

Status

Operation

Language(s)

English | Estonian

Policy Context and Legal Framework

In the framework of the Lisbon Strategy, the EU has committed itself to improving the legal and administrative environment to unlock business potential. Bringing public administrations on line, and enabling enterprises and individuals to communicate electronically with public administrations across borders, contributes to creating an environment that favours entrepreneurship and facilitates citizenâ€™s contact with public authorities.

Electronic communications are becoming increasingly important in many aspects of economic and public life. Public authorities across Europe have started to offer electronic access to government services. In doing so they have been focusing mostly on national needs and means, which has led to a complex system with different solutions. This situation carries the risk of creating new barriers to cross-border markets and of hampering the functioning of the single market for enterprises and citizens.

The current European Union framework offers horizontal and sectoral instruments to facilitate and enhance the use of e-signatures and e-identification. The e-Signatures Directive establishes the legal recognition of electronic signatures and a legal framework to promote their interoperability. A number of practical, technical and organisational requirements need to be met to establish such interoperability.

Furthermore, effective interoperability is also required if Member States are to comply with their legal obligations under other EU legislation, in particular under specific internal market instruments. Several internal market initiatives foresee that businesses should be able to use electronic means to communicate with public bodies, exercise their rights and do business across borders.

This Action Plan* aims to assist Member States in implementing mutually recognised and interoperable electronic signatures and e-identification solutions, in order to facilitate the provision of cross-border public services in an electronic environment. Although the Action Plan focuses mainly on e-government applications, the suggested actions will also benefit businessesâ€™ applications insofar as the means to be put in place can also be used in Business to Business (B2B) and Business to Consumers (B2C) transactions.

At the Spring European Council of March 2008, Heads of State or Government declared that it is crucial to put in place cross-border interoperable solutions for electronic signatures and e-authentication to improve the functioning of the â€˜e-Single Marketâ€™.

* http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2008:0798:FIN:EN:PDF

Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market. Article 8 - Procedures by electronic means: Member States shall ensure that all procedures and formalities relating to access to a service activity and to the exercise thereof may be easily completed, at a distance and by electronic means, through the relevant point of single contact (PoSC) and with the relevant competent authorities. This implies, amongst other things, the possibility for cross-border identification of service providers and authentication of the data submitted.

The project is in harmony with Estonian eGov strategyâ€™s: http://www.riso.ee/et/koosvoime/raamistik

Project Size and Implementation

Type of initiative

Inclusive services of general interest

Overall Implementation approach

Partnerships between administration and/or private sector and/or non-profit sector

Technology choice

Standards-based technology

Funding source

Public funding national

Project size

Implementation: €49-299,000

Yearly cost:

€49-299,000

Implementation and Management Approach

During the 4th Ministerial eGovernment Conference, it was decided by the Estonian Minister of Justice Mr Rein Lang and Portuguese Minister of Justice Mr Alberto Costa that two countries should learn from each otherâ€™s experience and try to develop some added value to the existing solutions. Consequently the project on mutual recognition of digital signatures within the process of online company registration took off.

The project had a great interest of both countries political leaders and also chancellors as seen in presentation video: http://www.youtube.com/watch?v=4hNg5i4i3oU&feature=channel_page

The Cross-border digital signature project in Estonia is managed in Ministry of Justice. Ministry of Economy and Communications is also a member of the working group and soon the project will be implemented to all the internet portals in Estonia (those that need to authenticate foreign ID-card users) including private sector (for example internet banks).

The project is operational and wider implementation is in planning phase. The initiative is the result of good cooperation between private and public sector from all participating countries.

The Estonian company registration and management portal can be accessed at https://ettevotjaportaal.rik.ee/. The Portuguese company registration portal can be accessed at http://www.portaldaempresa.pt

Technology solution

Major barriers to cross-border access to electronic services of public administrations are linked to the use of electronic identification and of electronic signatures. Like in the ondigital environment, certain electronic procedures may require identification and signatures.

Estonian Company Registration Portal is an Internet portal that uses common web technology. Legal certainty is guaranteed with national PKI system (www.id.ee) and qualified digital signatures that are integrated into national ID-cards smart chip. The PKI system uses X.509 standard and services like CLR, OCSP, LDAP. The IETF (Internet Engineering Task Force) Working Group PKIX, in its Reference document RFC 3647 â€œInternet X.509 Public Key Infrastructure Certificate Policy and Certifications Practices Frameworkâ€.In Estonia the documents are digitally signed with special software called Digidoc (http://www.sk.ee/pages.php/020305010101). The outcome of the signing process is file *.ddoc, similar to zip container.

Technical sketch can be seen in apendix: OCSP.pdf

To solve this cross-border interoperability problem the system lets applicants to sign documents inside our Internet portal (https://ettevotjaportaal.rik.ee/). This way the system can control the signing process with trusted digital signature creation application and this way the output format is also controlled (.ddoc). Signing process also includes time stamping (in OCSP response).

Moreover, the reason why this kind of technical solution (schema in appendix) was used, were the different document types. In Estonia a document format called *.DDOC is used. This type needs special freeware software to see the content and qualified signaure. In EU there are many different types of digital signature document types (PDF, ODF, DOC etc.). For the user the selection is puzzlement. Every type has different structure and sometimes different legal value (time stamping). CReP lets the users to sign documents inside the internet portal thus the outcome is in readable format (known format for Estonian user) DDOC.

In principal, the signing process in web application contacts Estonian CA (Certification Authority) OCSP responder service that in turn contacts foreign CA to receive the signature validation confirmation. See schema in appendix (OCSP.pdf).

In addition, one of the biggest complexities was the absence of unique personal identification code inside the certificate (Finland). To make possible cross/border digital signature use in CReP a web service between Finnish Population register and CReP had to be developed. This way it is possible identify and relate a person to entry in Estonian commercial register.

The technical interoperability issue is one of the biggest challenge. To develop systems of this complexity, high level PKI system developers are needed. During the development phase many changes were made to CA services. Direct communication between specialists is essential. The result is validation service that has both technical and juridical support.

More info about cross-border interoperability: http://ec.europa.eu/idabc/en/document/6485

Impact, innovation and results

Impact

One of the most important qualitative changes for the entrepreneurs and citizens is that they can file all the documents or register a new legal entity without leaving home or filling in paper forms. Before CReP was implemented, entrepreneurs or citizens had to wait in the long queues for the notary, many papers were to be filled in and then taken to the Registration Department. In the Registration Department only paper applications were accepted, all necessary information was inserted into the computer one by one, all documents were taken from one clerk to another on paper and finally documents were archived on paper. In case of registering a private limited company it was also necessary to visit the bank before the registration in order to open a bank account. Now, all this can be done online!

Before, in the fastest cases, the average time spent was 5 days. Now, there is no need for the public notary in the process due to the digital signature (legally equal to notaryâ€™s verification) and all bank-related transactions can be made through the portal. In the fastest cases, a new legal entity is entered into the register with 9 minutes, after the person has filed the petition application. What used to take 5 days on paper is now reduced to 9 minutes online! This means that it lessens the governmentâ€™s administrative burden significantly. The process starts from citizens desk (front office), processed in registrars desk (back office) and it ends again in citizens desk when the decision is made. All the process can be followed online and the result from registrar is also online at the same moment when decision button is pushed. Business register where all the entries are registered is online public register and open for everyone (https://ariregister.rik.ee/lihtparing.py?lang=eng). Eventually- entrepreneurs can focus on business and forget the red-tape.

The process schema can be seen in appendix: Process.pdf.

However the time is not the only benefit. Also a geographical location or nationality is not an obstacle. ID-card owners cross border can use this PoSC to start a new company in Estonia. The portal improves the quality and lessens the work of the entrepreneur as most of the application fields can be prefilled and text standardized. This way the applicant cannot make mistakes. Standardized Articles of Association makes it possible to translate the portal into any language (at the moment Estonian and English).

Since the beginning of 2007, when CReP was launched, 25% of the petition entries for registering private limited companies have been submitted through the portal, and this percent is growing every month. In 2008 40% of new companies and 20% annual reports were submitted electronically by entrepreneurs (citizens) themselves.

In the end of 2008 the portals possible user count grew to 9 million. This is the amount of ID-cards issued all together in participating countries (Estonia, Portugal, Belgium, Finland, Lithuania).

As cross-border digital signature project is new functionality (possibility) in CReP, the usability is not very remarkable (3 applications and 1 founded company with Finnish digital signature). However this project proves that all the obstacles (legal, technical, cultural) in the mutual recognition of digital signature can be overcome. The same model can be used in all countries as a good practice and in all the portals where you need digital authentication or qualified digital signature. Possible users today: - In Estonia there are 1 025 730 active national ID-cards. - In Portugal there are 200 000 ID-cards issued. - In Finland there are about 200 000 ID-cards issued. - In Belgium there are about 7 500 000 ID-cards issued.

Company Registration Portal and cross-border digital signature solution saves the time, the energy, the money, the paper and other recourses for all stakeholders cross European Union and it is a sustainable solution.

Track record of sharing

The project is presented in many conferences and meetings cross EU. The goal is to join more countries to the project and make cross-border operations efficient by using digital signatures.

The project is registered in epractice.eu portal where all information about the project is available. Nationally the information about the solution is shared with other ministries and private sector institutions in Estonia. The Cross-border project decisions and magment procedures involve all stakeholders in Estonia (Gov and private sector).

Cross-border digital signature technical solution will be implemented to all eGov applications in Estonia (where needed). Also private sector portals are interested in implementing the project. The same solution (or similar approach) and application can be used in all internet portals cross Europe.

The project team is planning an expansion project to make this technical solution better and foreign digital signature certificate validation process more efficient (includes technology development).

The promotion started on EU level and special promotional video was composed to introduce the project and its possibilities: http://www.rik.ee/38928. The video was presented together with Portugal to all Justice Ministers at the EU Justice nad Home Affairs Council in November 2008: http://epractice.eu/files/Brussels.pdf The event was covered by both Estonian and especially Portuguese press and TV.

In addition the good practice case was registered in epractice.eu portal and linked to many working groups cross EU: http://www.eid-stork.eu/index.php?option=com_content&task=view&id=150&Itemid=69

Project presentations in different national and international conferences and workshops: www.ebaltics.com, http://www.sme-conference-prague.eu/6.0.html, PoSC http://www.jamboreepsc.eu/, eJustice workgroup.

Lessons learnt

Lesson 1 - It is possible to accept digital signatures from other EU member state!

The project is an example how this can be done. The most important success factor is cooperation between IT specialists in Certification Authority and development team. Cooperation between law makers and IT-specialist is also very important. From the management level the project needs a spokesman (driving force). In our case the project leaders were ministers and chancellors of two countries (Estonia and Portugal).

In practice, the main obstacle for the cross-border use of e-signatures lies in the lack of trust in e-signatures originating from other Member States, and difficulties linked to validating these signatures. Lesson 2 is the technical solution to solve the trust issue.

Lesson2 - Of all the obstacles the technical ones where most complicated.

The EU e-Signatures Directive was adopted in 1999 to promote the legal recognition of electronic signatures and to ensure the free circulation within the single market of e-signature products, equipment and services. However, a legal and technical analysis of the practical usage of e-signatures shows that there are interoperability problems that currently limit the cross-border use of e-signatures. The analysis* highlights the need for a more effective mutual recognition approach. Fragmentation due to the lack of cross-border interoperability is likely to affect e- government services in particular, which today are the largest channel of transactions using e-signatures.

*(http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2008:0798:FIN:EN:PDF)

The PKI situation in Europe is still not consistent across all countries, however. Some countries, such as (to name few) Estonia, Portugal, Belgium and Finland have well-developed infrastructure already in place. The technical interoperability issue is one of the biggest obstacles. To develop systems of this complexity, high level PKI system developers are needed. During the development phase many changes were made to CA services. Direct communication between specialists is essential. The result is validation service that has both technical and juridical support. The institution that is responsible of validating (one time process) the certificates and issuing process in Estonia is Ministry of Economic Affairs and Communications. The technical OCSP service is supported by CA. When the process is in place the decisions about foreign certificates comes swift.

In addition, one of the biggest complexities was the absence of unique personal identification code inside the certificate (Finland) and different types of digital signature document types (DDOC, PDF, ODF, DOC etc). Every type has different structure and sometimes different legal value (time stamping).

Lesson 3 - We believe this project to be an excellent example of cooperation and willingness to improve business environment in the European Union. Also â€“ no doubt that this will be the first step to start larger wave of cross-border business start-ups. In addition the results of this project can be used in any country and in any internet portal that needs user authentication and digital signature creation. The project needs a governmental support in national level and it has to be in accordance with Gov. strategyâ€™s (Estonian Information Society Strategy 2013 etc.) and lawâ€™s (Digital Signatures Act etc.). If Digital signature law (act) is in place it may need only few changes- if any. Most of regulation is done in institutional level (example Court regulations). All higher (EU) level regulations are in place (DIRECTIVE 1999/93/EC- European electronic signature directive etc.)

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31999L0093:EN:NOT

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52008DC0798:EN:NOT