Approval of requirements in the area of electronic trust services and the Procedure for assessing compliance with the legislation in the area of electronic trust services
{With changes made pursuant to the Resolution of the Cabinet of Ministers
No. 1068 dated 11.12.2019}
Pursuant to Articles 13
requirements in the area of electronic trust services;
The Procedure for assessing compliance with the legislation in the area of electronic trust services.
2. To establish that for the provision of qualified electronic trust services reliable electronic digital signatures can be used that have received positive expert assessment after state inspections in the area of cryptographic protection of information issued before the entry into force of the Law of Ukraine "On Electronic Trust Services", as long as the expert assessments remain valid.
3. Declare invalid the resolutions of the Cabinet of Ministers of Ukraine pursuant to the attached list.
4. This Resolution shall enter into force on the date of its publication, except for paragraphs 68-72 of the list of standards applied by qualified providers of electronic trust services in the provision of qualified electronic trust services, which is attached to the requirements approved by this resolution in the area of electronic trust services. These points come into force on 1 January, 2019.
REQUIREMENTS
in the area of electronic trust services
1. These requirements determine the organizational, methodological, technical and technological conditions that must be met by qualified providers of electronic trust services (hereinafter the provider) and their separate registration points when providing qualified electronic trust services to their users.
2. The Central Certification Authority provides qualified electronic trust services in accordance with these requirements, taking into account the features provided by the Law of Ukraine "On Electronic Trust Services".
3. These requirements do not apply to the provision of qualified electronic trust services in the banking system of Ukraine and during the transfer of funds.
4. In these requirements, terms are used in the following meaning:
website owner - a user of a qualified electronic trust service for the creation, verification and validation of a qualified certificate of authentication for the website;
hash values - a fixed volume of electronic data generated by converting electronic data using a cryptographic algorithm;
hashing - the conversion of electronic data of any volume into electronic data of fixed volume by applying a cryptographic algorithm;
applicant - a natural person or a representative of a legal entity who has applied to the provider for qualified electronic trust services;
information and telecommunications system - a set of information and telecommunications systems of the provider or the central certification authority, which when processing information act as a whole and unite the software and hardware used in the provision of qualified electronic trust services (hereinafter software and hardware), the physical environment, information processed in these systems, as well as the employees of the provider or the central certification authority who are directly involved in the provision of qualified electronic trust services or service software and hardware (hereinafter employees);
qualified electronic trust service - an electronic trust service provided by the provider or the central certification authority, in particular by means of a qualified electronic signature or seal, and which is based on a qualified public key certificate;
user - a person who on the basis of a contract or other document receives a qualified electronic trust service from a provider;
object identifier - a unique alphanumeric or numeric identifier registered in the corresponding standard of the International Organization for Standardization for specific objects or for a specific class of objects;
online operation - any action the technological scheme of which provides for the presence of continuous telecommunications in real time when it is being conducted;
certificate policy - a list of all rules applied by a provider when providing qualified electronic trust services for the maintenance of qualified public key certificates, including the provisions of these requirements;
provisions of certification practices - a list of all practical actions and procedures used to implement the provider's certificate policy;
publication of a qualified public key certificate - providing a qualified public key certificate to users and, if they consent, to other persons by placing it on the official website of a provider;
work regulations - a document of a provider or the central certification authority that determines the organizational, methodological, technical and technological conditions of the provider or central certification authority when providing qualified electronic trust services, including certificate policies and the provisions of certification practices;
dissemination of information on the status of a qualified public key certificate - providing free access to information on the status of a qualified public key certificate;
list of revoked certificates - a list of qualified public key certificates created and published by the provider, the status of which has been changed to blocked, renewed or revoked;
the status of a qualified public key certificate - the status of a qualified public key certificate (valid, blocked, revoked) at a certain point in time;
certificate status management - changes in the status of a qualified public key certificate by a provider.
5. Other terms are used in the meaning given in the Laws of Ukraine "On Electronic Trust Services", "On Electronic Documents and Electronic Document Management", "On Telecommunications", "On Information Protection in Information and Telecommunication Systems" and "On Basic Principles of Cyber Security of Ukraine".
6. Employees of the provider whose job responsibilities are directly related to the provision of qualified electronic trust services are:
1) registration administrator;
2) certification administrator;
3) security and audit administrator;
4) system administrator.
It is prohibited to combine the duties of the security and audit administrator with other duties directly related to the provision of qualified electronic trust services.
7. Employees must have the necessary knowledge, experience and qualifications to provide qualified electronic trust services.
A certification administrator, security and audit administrator or system administrator may be a person who has a higher education in the area of information technology, information security or cybersecurity, as well as at least three years of professional experience in these areas.
8. The organizational and legal status of the manager and employees of the provider, their tasks and functions, rights, duties and responsibilities, as well as the required professional knowledge, experience and qualifications, are defined in job descriptions.
Job descriptions must contain the information security requirements and the means of ensuring them.
9. The manager and employees of the provider must be familiar with the provisions of their job descriptions and act in accordance with their job tasks and functions.
10. The registration administrator is responsible for verifying the documents submitted by applicants and their applications for the creation, blocking, renewal and revocation of qualified public key certificates.
11. The main responsibilities of the registration administrator are:
1) identification and authentication of applicants;
2) verification of applications for the creation, blocking, renewal and revocation of qualified public key certificates;
3) establishing the ownership of public keys and the corresponding private keys to applicants;
12. The certification administrator is responsible for generating qualified public key certificates, maintaining an electronic register of valid, blocked and revoked public key certificates, storing and using the provider's private keys, and creating backups.
13. The main responsibilities of the certification administrator are:
1) participation in the generation of the provider's key pairs and the creation of backup copies of the provider's private keys;
2) storage of the provider's private keys and their backup copies;
3) ensuring the use of the provider's private keys during the creation and maintenance of qualified public key certificates of the provider and users;
4) verification of applications for the creation of qualified public key certificates of the provider for compliance with the requirements of the provider's regulations;
5) participation in the destruction of the provider's private keys;
6) ensuring the maintenance, archiving and recovery of databases of users' qualified public key certificates;
7) ensuring the publication of users' qualified public key certificates and lists of revoked certificates on the official website of the provider;
8) creation of backup copies of users' qualified public key certificates;
9) storage of users' qualified public key certificates, backup copies, lists of revoked certificates and other important resources of the provider's information and telecommunications system.
14. The security and audit administrator is responsible for the proper functioning of a comprehensive information security system or information security management system.
15. The main responsibilities of the security and audit administrator are:
1) participation in the generation of the provider's key pairs and the creation of backup copies of the provider's private keys;
2) monitoring the creation and maintenance of, and the creation of backup copies of, the provider's and users' qualified public key certificates and lists of revoked certificates;
3) monitoring the storage of the provider's private keys and their backup copies and of the administrators' private keys;
4) participation in the destruction of the provider's private keys and monitoring of the correct and timely destruction by administrators of their private keys;
5) organizing delimitation of access to the resources of the information and telecommunications system of the provider;
6) ensuring the monitoring of the functioning of a comprehensive information security system or information security management system (registration of events in the information and telecommunications system of the provider, event monitoring, etc.);
7) ensuring the organization and implementation of measures to modernize, test and quickly restore the functioning of a comprehensive information security system or information security management system after interruptions, failures or accidents affecting the provider’s information and telecommunications system;
8) ensuring access to the provider’s premises where the information and telecommunications system of the provider is located;
9) keeping the security and audit administrator's logs defined by the documentation on the integrated information security system or the reporting provided for by the information security management system;
10) inspecting event audit logs that monitor the provider’s information and telecommunications system equipment;
11) inspections of compliance with the provisions of the internal organizational and administrative documentation of the provider and documentation on the integrated information security system or information security management system;
12) monitoring observance by employees of the provisions of the provider's internal organizational and administrative documentation and documentation on the integrated information protection system or information security management system;
13) monitoring maintenance of the provider’s databases;
14) monitoring maintenance of the provider's archive.
16. The security and audit administrator is responsible for inspecting employees' compliance with the provisions of the provider's internal organizational and administrative documentation and documentation on the integrated information security system or information security management system. The provider shall establish the frequency (in days, weeks or months) of internal inspections, but at least once a year.
17. The system administrator is responsible for the operation of the devices and equipment of the software and hardware (hereinafter - equipment) of the provider’s information and telecommunications system.
18. The main responsibilities of the system administrator are:
1) operation and maintenance of the information and telecommunications system of the provider and administration of its equipment;
2) the functioning of the official website of the provider;
3) participation in the implementation and operation of the integrated information security system or information security management system;
4) keeping logs of events registered by the provider’s information and telecommunications system equipment;
5) installation, adjustment and maintenance of the system-wide and special software of the provider’s information and telecommunications system;
6) installation and adjustment of the regular database backup subsystem of the provider’s information and telecommunications system;
7) ensuring the updating of databases created and processed in the provider’s information and telecommunications system after disruptions.
19. Employees must be notified of changes to the provider's processes relating to their job responsibilities.
20. The provider’s manager is obliged to ensure the creation of conditions for continuing personal education and continuous training of employees in the areas of information technology, information security or cybersecurity and personal data protection.
21. The provider's manager should establish a clear system of disciplinary sanctions for employees for non-compliance with their duties, the regulations in the area of electronic trust services and the requirements of internal organizational and administrative documentation and documentation on the integrated information security system or information security management system.
22. Employees of separate registration offices who are responsible for user registration should be subject to the same requirements as registration administrators.
23. The provider’s key pair is generated by the certification administrator under the supervision of the security and audit administrator.
The provider's key pair is generated exclusively by means of a qualified electronic signature or seal, which is a hardware-software or hardware device.
24. All events related to the generation, use and destruction of the provider's key pair must be logged.
25. The provider's private keys must be placed in the qualified electronic signature or seal means (a hardware-software or hardware device) that was used to generate the key pair.
The technology for storing the provider's private keys must prevent access to them from outside. The provider's private keys must be stored in a qualified electronic signature or seal means that is a hardware-software or hardware device.
26. For backup, the provider's private keys must be transferred to an external qualified electronic signature or seal means that is a hardware-software or hardware device, in a secure form that ensures their integrity and confidentiality.
Backup and recovery of the provider's private keys are performed by the certification administrator under the supervision of the security and audit administrator.
27. The conditions for protecting backup copies of the provider's private keys in storage must be no weaker than the conditions for protecting the private keys in use.
28. The provider's private keys may be used only for the creation of qualified public key certificates (application of a qualified electronic signature or seal to a qualified public key certificate) and of information on the status of a qualified public key certificate.
29. The provider's private keys may be used only in a qualified electronic signature or seal means that is a hardware-software or hardware device located in a separate, specially designed room.
30. Upon expiry of the provider's qualified public key certificate, the provider's private key and all its backup copies are destroyed in a way that does not allow them to be restored.
31. The providers conduct their activity on the condition that they have deposited funds to a specialized current account at a bank (account at a body providing treasury services for budget funds) or have civil liability insurance to ensure compensation for damages that may be caused to users or third parties if the provider does not perform its obligations properly.
32. The amount held in a specialized current account at a bank (account at a body providing treasury services for budget funds) or the sum insured is determined by part three of Article 16 of the Law of Ukraine "On Electronic Trust Services".
33. The provider is obliged to maintain the amount in a specialized current account at a bank (account at a body providing treasury services for budget funds) or the sum insured at a level in accordance with the minimum wage established by the Law on the State Budget of Ukraine for the relevant year.
34. If a provider is compensating for damages caused to users or third parties as a result of improper performance of its obligations, the provider shall take comprehensive measures within three months to restore the amount in the specialized current account contribution at the bank or the sum insured.
35. A provider provides qualified electronic trust services in accordance with the legislation in the area of electronic trust services and the provider’s regulations.
36. The provider’s regulations are developed and approved before the provider starts operating.
37. The provider’s regulations contain:
1) general information about the provider (name or surname, name, patronymic of the provider; code according to the Unified State Register of Enterprises and Organizations of Ukraine; location, telephone numbers, website address);
2) a list of the qualified electronic trust services provided by the provider;
3) a list of roles of employees whose responsibilities are directly related to the provision of qualified electronic trust services, and the functions of the employees;
4) certificate policy and provisions of certification practices;
5) a description of the procedures and processes that are performed when providing qualified electronic trust services that do not involve the creation and maintenance of qualified public key certificates.
38. The certificate policy defines each qualified electronic trust service that provides for the creation and maintenance by the provider of qualified public key certificates, individually or in combination.
The provisions of certification practices define the practical and procedural principles for the implementation of all certificate policies together.
39. The certificate policy defines:
1) a list of areas in which the use of qualified public key certificates generated by the provider is permitted;
2) restrictions on the use of qualified public key certificates generated by the provider;
3) a list of information posted by the provider on its official website;
4) the time and procedure for the publication of qualified public key certificates and lists of revoked certificates;
5) the mechanism for confirming an applicant's possession of the private key according to which the public key is provided for the creation of a qualified public key certificate;
6) conditions for identifying an applicant (information provided by the applicant during the identification of the person, types of documents on the basis of which the applicant is identified, requirements for personal presence);
7) the mechanism for authenticating users who have a valid qualified public key certificate created by the provider;
8) the mechanism for authenticating users for the blocking, revocation or renewal of qualified public key certificates;
9) a description of the physical environment (description of the provider's premises in which the provider's information and telecommunications system is located, mechanisms for controlling access to them);
10) the procedure for supervision (system of disciplinary sanctions for non-compliance by employees of the provider with their duties, the regulations in the area of electronic trust services and the provider's internal organizational and administrative documentation and documentation on integrated information security systems or information security management systems within the organization, taking into account the mode of operation of the provider);
11) the procedure for keeping event audit logs (indicating the types of events, frequency of review, retention periods of event audit logs, protection and backup of event logs, the list of employees who can review event audit logs);
12) the procedure for maintaining the provider’s archives (indicating the types of documents and data to be archived, the terms of storage of archives, the mechanism and procedure for storage and protection of archives);
13) the process, procedure and conditions for generating key pairs for the provider and users;
14) procedures for obtaining a private key by the user as a result of a provider providing a qualified electronic trust service;
15) the mechanism for providing the user's public key to the provider to generate a qualified public key certificate;
16) the procedure for protection of and access to the personal key of the provider;
17) the procedure and conditions for backup of the personal key of the provider, storage, access and use of the backup.
40. The provisions of certification practices state:
1) the process of submitting a request for the creation of a qualified public key certificate (list of entities authorized to make a request for the creation of a qualified public key certificate, the procedure for submitting and processing a request, terms of processing the request to create a qualified public key certificate);
2) the procedure for providing a generated qualified public key certificate to the user;
3) the procedure for publishing a generated qualified user's public key certificate on the official website of the provider;
4) conditions of use of a user’s qualified public key certificate and their private key (warning about possible consequences of incorrect use of a qualified certificate of a public key and private key);
5) the procedure for submitting a request for the creation of a qualified public key certificate for users who have a valid qualified public key certificate generated by the provider;
6) circumstances for revocation (blocking, renewal) of a qualified public key certificate; a list of entities authorized to make a request for revocation (blocking and renewal) of a qualified public key certificate; the procedure for submitting a request for revocation (blocking, renewal) of a qualified public key certificate; time of processing the request for revocation (blocking, renewal) of a qualified public key certificate; frequency of compiling the list of revoked certificates and its term of validity; possibility and conditions of providing information on the status of a qualified public key certificate in real time);
7) the expiry date of the qualified public key certificate of the user.
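The status model in the definitions of paragraph 4 (the status of a qualified public key certificate is valid, blocked or revoked, and the list of revoked certificates contains every certificate whose status was changed to blocked, renewed or revoked) and the revocation, blocking and renewal procedures listed in subparagraph 6 of paragraph 40 can be expressed as a small state machine. The following Python is an added example, not text of the resolution or code of any provider: it enforces that revocation is terminal while blocking is reversible through renewal, answers "what was the status at time T" for a relying party, and builds the list of revoked certificates as the resolution defines it. The serial numbers and timestamps are constructed sample data, and the mapping of the three actions onto X.509 CRL reason codes is this example's own assumption, not something the resolution prescribes.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Status(Enum):
    VALID = "valid"
    BLOCKED = "blocked"
    REVOKED = "revoked"


# Transitions the status model permits: (current status, action) -> new status.
# Revoked is terminal; blocking is reversible only through renewal.
TRANSITIONS = {
    (Status.VALID, "block"): Status.BLOCKED,
    (Status.BLOCKED, "renew"): Status.VALID,
    (Status.VALID, "revoke"): Status.REVOKED,
    (Status.BLOCKED, "revoke"): Status.REVOKED,
}

# Assumed mapping onto X.509 CRL reason codes (RFC 5280); the resolution does not
# prescribe these, they are included only to show how the list could be encoded.
X509_REASON = {"block": "certificateHold", "renew": "removeFromCRL", "revoke": "unspecified"}


@dataclass
class Certificate:
    serial: str
    issued_at: datetime
    status: Status = Status.VALID
    history: list = field(default_factory=list)  # (when, action, resulting status)


class CertificateRegister:
    """Electronic register of valid, blocked and revoked certificates."""

    def __init__(self):
        self._certs = {}

    def issue(self, serial, issued_at):
        if serial in self._certs:
            raise ValueError(f"serial {serial} already registered")
        self._certs[serial] = Certificate(serial, issued_at)

    def change_status(self, serial, action, when):
        """Apply block / renew / revoke; reject transitions the model does not allow."""
        cert = self._certs[serial]
        try:
            new_status = TRANSITIONS[(cert.status, action)]
        except KeyError:
            raise ValueError(
                f"cannot {action} certificate {serial} in status {cert.status.value}"
            ) from None
        cert.status = new_status
        cert.history.append((when, action, new_status))
        return new_status

    def status_at(self, serial, when):
        """Status of a certificate at a given point in time (a relying party's check)."""
        cert = self._certs[serial]
        if when < cert.issued_at:
            raise ValueError(f"certificate {serial} did not exist at {when.isoformat()}")
        status = Status.VALID  # a freshly created certificate is valid
        for changed_at, _action, resulting in cert.history:
            if changed_at <= when:
                status = resulting
        return status

    def revoked_list(self, this_update):
        """List of revoked certificates as defined in the requirements: every certificate
        whose status was changed (to blocked, renewed or revoked), with its latest change."""
        entries = []
        for cert in self._certs.values():
            if not cert.history:
                continue  # never blocked, renewed or revoked: not listed
            when, action, status = cert.history[-1]
            entries.append({
                "serial": cert.serial,
                "status": status.value,
                "last_action": action,
                "changed_at": when.isoformat(),
                "x509_reason": X509_REASON[action],  # assumed mapping, see above
            })
        entries.sort(key=lambda e: e["serial"])
        return {"this_update": this_update.isoformat(), "entries": entries}


def at(hour):
    """Constructed timestamps: hours on a single sample day."""
    return datetime(2019, 1, 1, hour, tzinfo=timezone.utc)


def demo():
    """Constructed sample lifecycle: A1 is blocked then renewed, B2 is revoked, C3 untouched."""
    reg = CertificateRegister()
    for serial in ("A1", "B2", "C3"):
        reg.issue(serial, at(0))
    reg.change_status("A1", "block", at(1))
    reg.change_status("A1", "renew", at(2))
    reg.change_status("B2", "revoke", at(3))
    return reg


if __name__ == "__main__":
    register = demo()
    for entry in register.revoked_list(at(4))["entries"]:
        print(entry)
```

A point worth noticing when running it: the renewed certificate A1 still appears in the list (with status valid and last action renew), exactly as the resolution's definition requires, so a relying party must read the status field rather than treat mere presence in the list as revocation.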
41. Draft regulations of a provider shall be subject to a mandatory approval process by the State Special Communications Administration, the term of which may not exceed 30 calendar days from the date of receipt of the draft regulations for approval.
Grounds for refusal to approve draft regulations of the provider are:
submission of draft regulations in violation of the provisions of paragraphs 36-40 of these requirements;
detection of inaccurate information, corrections or additions in the draft regulations.
The procedure for approving a provider’s draft regulations is carried out by the State Special Communications Administration free of charge.
After approval by the State Special Communications Administration, the provider’s regulations are approved by its head in two copies.
One copy of the provider's regulations approved by the State Special Communications Administration and approved by the head of the provider shall be submitted to the State Special Communications Administration.
42. Approval and confirmation of changes to a provider’s regulations are carried out in accordance with the requirements for approval and confirmation of regulations.
The text of significant changes and a comparative table are provided to the State Special Communications Administration for approval of changes to the provider’s regulations.
43. A provider independently determines the scope of the provisions of its regulations and other documents to be posted on its official website for review.
44. To acquire the status of a provider, a legal entity or an individual entrepreneur who intends to provide qualified electronic trust services shall submit to the central certification authority an application for inclusion of information about them in the Trust List and other documents specified in part two of Article 30 of the Law of Ukraine “On Electronic Trust Services”.
The format of an application for information on a legal entity or an individual entrepreneur to be entered into the Trust List shall be established in the regulations of the central certification authority.
45. An application for information on a legal entity or an individual entrepreneur to be entered into the Trust List and the documents attached to it may be submitted in electronic form by a representative of a legal entity or an individual entrepreneur who intends to provide qualified electronic trust services through the Unified State Portal of Administrative Services, including through the information system of the central certification authority integrated with it.
Ensuring the integrity and confidentiality of information, including personal data, when submitting an application and the documents attached to it is carried out in compliance with the legislation in the area of information protection using a qualified electronic signature of a legal entity or individual entrepreneur and using encryption that has a positive expert opinion from the results of a state assessment in the area of cryptographic protection of information.
If an application to enter information about a legal entity or an individual entrepreneur into the Trust List and documents attached to it is submitted in electronic form, copies of documents that exist exclusively in paper form are attached to the application in PDF format.
The conformity of these copies of documents to the originals is certified by affixing a qualified electronic signature of the head of a legal entity or an individual entrepreneur who intends to provide qualified electronic trust services.
A representative of a legal entity or individual entrepreneur who intends to provide qualified electronic trust services is responsible for the accuracy of the information specified in the documents attached to the application to enter information about the legal entity or individual entrepreneur into the Trust List.
If an application to enter information about a legal entity or an individual entrepreneur into the Trust List and the documents attached to it are submitted in electronic form, paper documents shall not be submitted.
The authorized person of the central certification authority checks for the receipt of electronic documents at least twice a day (in the first and second half of the working day).
Documents for entering information about a legal entity or an individual entrepreneur into the Trust List submitted in electronic form are registered in the information system of the central certification authority after their receipt, and the legal entity or individual entrepreneur who intends to provide qualified electronic trust services is informed through their personal account with the Unified State Portal of Administrative Services.
46. After taking comprehensive measures to ensure the identification and verification of the legal capacity of a representative of a legal entity or individual entrepreneur who intends to provide qualified electronic trust services, the central certification authority shall consider applications for information on a legal entity or individual entrepreneur to be entered into the Trust List and the documents attached to it, and based on the results of their consideration, makes decisions in the manner and within the time limits established by the Law of Ukraine "On Electronic Trust Services".
47. Based on the decision made by the central certification authority to add them to the Trust List, a legal entity or individual entrepreneur who intends to provide qualified electronic trust services certifies the validity of one or more of their public keys (separately for each qualified electronic trust service) with the central certification authority in accordance with the central certification authority regulations.
Certification of the public key of a legal entity or an individual entrepreneur is a condition for entering information into the Trust List about qualified electronic trust services that the legal entity or individual entrepreneur intends to provide.
To certify the validity of a public key, a legal entity or individual entrepreneur submits to the central certification authority:
an application for the creation of a qualified public key certificate and a corresponding electronic request, which is created after the generation of a key pair;
a signed copy of the agreement on the provision by the central certification authority of a qualified electronic trust service for the creation, verification and confirmation of the validity of a qualified electronic signature or seal certificate.
48. A legal entity or an individual entrepreneur who intends to provide qualified electronic trust services acquires the status of a provider from the date of information about it being entered into the Trust List.
49. The Central Certifying Authority shall publish the decision to enter information about a legal entity or individual entrepreneur into the Trust List on its official website, as well as notify the representative of the legal entity or individual entrepreneur who intends to provide qualified electronic trust services by sending a letter by mail or electronically through a personal account on the Unified State Portal of Administrative Services.
50. Changing information about a provider contained in the Trust List is the basis for making changes to the Trust List, which is carried out in the manner and within the time limits established by the Law of Ukraine "On Electronic Trust Services".
If information entered into the Trust List changes, the provider is obliged within five working days from the date of such changes to submit to the central certification authority an application for changes to the Trust List together with documents confirming the changes.
51. The provider shall cease providing qualified electronic trust services on the grounds and in accordance with the procedure specified in Article 31 of the Law of Ukraine “On Electronic Trust Services”.
52. If it ceases providing qualified electronic trust services, a provider is obliged to provide the central certification authority with documented information (documents on the basis of which users were provided with qualified electronic trust services and qualified public key certificates were created, blocked, renewed, revoked, all qualified public key certificates that were created, as well as registers of generated qualified public key certificates) in the manner prescribed by the Cabinet of Ministers of Ukraine.
53. Documented information is transferred by a provider no later than the day specified by them as the date of cessation of the provision of qualified electronic trust services, or the date of entry into force of a corresponding court decision.
54. The Central Certification Authority shall revoke the qualified public key certificate of a provider issued by it on the day determined by the provider as the date of cessation of the provision of qualified electronic trust services, or on the day of entry into force of a corresponding court decision.
General requirements for a provider when providing qualified electronic trust services
55. Qualified electronic trust services are provided to users exclusively by providers.
56. A Provider may provide, individually or in combination, a qualified electronic trust service for the:
1) creation, verification and validation of a qualified electronic signature or seal;
2) creation, verification and validation of a qualified electronic signature or seal certificate;
3) creation, verification and validation of a qualified certificate of authentication of a website;
4) creation, verification and validation of a qualified electronic timestamp;
5) registered electronic delivery;
6) storage of qualified electronic signatures, seals, electronic timestamps and corresponding certificates.
57. A provider provides free access to its premises where users are served, including the creation of appropriate conditions for access to the premises of persons with disabilities.
Information on the accessibility of premises for people with disabilities is placed in a place visually accessible to users.
58. In order to provide a qualified electronic trust service, a provider identifies an applicant by checking the person's identification data against the documents provided by the applicant and against data obtained from the information systems of public authorities.
59. Identification of an applicant and verification of the scope of their legal capacity is carried out in accordance with the requirements of Article 22 of the Law of Ukraine "On Electronic Trust Services".
60. Identification data provided by an applicant in order to obtain a qualified electronic trust service must be verified by the provider either:
1) in the presence of the applicant; or
2) by using the applicant's identification data from a valid qualified public key certificate generated by the same provider.
61. An applicant must provide the contact details specified in the provider's regulations through which the applicant can be reached.
62. Registration of users can be carried out through separate registration points that perform their functions in accordance with the regulations of the provider.
63. The Central Certification Authority shall provide qualified electronic trust services to providers in accordance with the regulations of the Central Certification Authority and in compliance with these requirements.
64. A provider must ensure that applicants are provided with information on the conditions for obtaining a qualified electronic trust service.
65. The information that a provider must provide free access to includes:
1) information about the provider;
2) data on entering information about the provider into the Trust List;
3) the provider’s qualified public key certificates;
4) a list of qualified electronic trust services provided by the provider;
5) data on the qualified electronic signature or seal methods used in the provision of qualified electronic trust services;
6) formats of documents on the basis of which qualified electronic trust services are provided;
7) a register of valid, blocked and revoked public key certificates;
8) information on restrictions on the use of qualified public key certificates by users;
9) data on the procedure for validating a qualified public key certificate, including the conditions for verifying the status of a qualified public key certificate;
10) list of legislative acts in the area of electronic trust services.
A provider provides information to users on the conditions for obtaining qualified electronic trust services, in particular by posting relevant information on its official website.
The information on the provider's official website should be accessible to people with disabilities.
66. Qualified electronic trust services are provided on the basis of an agreement concluded between the provider and the applicant on the provision of qualified electronic trust services.
A corresponding decision may serve, instead of a contract, as the basis for the provision of qualified electronic trust services to public authorities, local governments or other legal entities under public law.
67. A provider registers and retains, for the period specified by the legislation on archives, the contracts for the provision of qualified electronic trust services, as well as the documents (duly certified copies of documents) used to identify an applicant and verify their legal capacity.
68. The essential terms of a contract for the provision of qualified electronic trust services are:
1) the rights and obligations of the parties;
2) conditions for the use of a qualified electronic signature or seal method (if the qualified electronic trust service provides for the use of a qualified electronic signature or seal method);
3) conditions of use of a private key by an applicant (if the qualified electronic trust service provides for the use of a private key);
4) conditions of publication of the applicant's qualified public key certificate (if the qualified electronic trust service provides for the creation of a qualified public key certificate);
7) the procedure for amending the contract;
8) the procedure for terminating the contract.
69. A contract to provide qualified electronic trust services may be amended only by mutual consent of the parties.
70. In the event of a change in the information contained in the contract for the provision of qualified electronic trust services, the applicant shall notify the provider within three days from the date of the changes and submit documents confirming the changes.
71. Grounds for termination of a contract for the provision of qualified electronic trust services are:
1) the consent of the parties;
2) court decision on termination of the contract;
3) exclusion of the provider from the Trust List.
72. If a contract on the provision of a qualified electronic trust service provides for the creation of a qualified public key certificate, termination of the contract is grounds for the provider to revoke the qualified public key certificate created under it.
73. A provider has the right to choose which of the standards in the attached list it applies when providing qualified electronic trust services.
In order to ensure the interoperability and technological neutrality of national technical solutions, and to prevent discrimination against them, the Ministry and the State Special Communications Administration set requirements for the equipment, for its creation, and for its use and operation as part of information and telecommunications systems when qualified electronic trust services are provided.
{Paragraph 73, Point 2, as amended pursuant to the Resolution of the Cabinet of Ministers Nš 1068 dated 11.12.2019}
74. Supervision of the provision of qualified electronic trust services is carried out by the State Special Communications Administration.
75. Providers are obliged to submit to the State Special Communications Administration a report on their activity for the previous year by 15 January of each year, containing information on:
1) the number of contracts concluded to provide electronic trust services (separately with natural persons and legal entities);
2) the number of generated and revoked qualified public key certificates for the reporting period, indicating the reasons for revocation (if the provider provides qualified electronic trust services that provide for the maintenance of qualified public key certificates);
3) compensation for damage to users of electronic trust services and/or third parties as a result of improper performance by the provider of its obligations (if any);
4) participation by the provider as a plaintiff, defendant or third party in court cases on the provision of electronic trust services, the subject of consideration and the decision (if any);
5) violation by the provider of the legislation in the area of information protection when providing electronic trust services, the reasons and measures taken to eliminate the violations.
Requirements for the provision of qualified electronic trust services for the creation, verification and validation of qualified electronic signatures or seals
76. A qualified electronic trust service for the creation, verification and validation of qualified electronic signatures or seals includes the actions provided for in part one of Article 18 of the Law of Ukraine "On Electronic Trust Services".
77. When providing a qualified electronic trust service for the creation, verification and validation of qualified electronic signatures or seals, a provider provides:
1) that a signatory or creator of an electronic seal uses exclusively a qualified electronic signature or seal method and a qualified electronic signature or seal certificate;
2) protection of the information exchanged between a signatory or creator of an electronic seal and the provider over public telecommunications networks;
3) conditions for generating the key pair of a signatory or creator of an electronic seal;
4) assistance in generating the key pair of a signatory or creator of an electronic seal in a manner that does not compromise the confidentiality or integrity of the private key and does not allow the values of the private key parameters to be learned or copied;
5) the uniqueness of the key pair of a signatory or creator of an electronic seal;
6) storage of the private key of a signatory or creator of an electronic seal;
7) protection against access by third parties to the parameters of the private key of a signatory or creator of an electronic seal when a qualified electronic signature or seal is used.
78. If a key pair was generated by the applicant outside the provider's premises and/or without the provider's personnel present, the provider identifies the applicant, verifies their legal capacity and creates and issues a qualified public key certificate only after confirming that the applicant possesses the private key corresponding to the public key submitted for the creation of the qualified public key certificate.
Verification that an applicant possesses their private key is carried out without the private key being disclosed.
79. Generation and/or management of a key pair on behalf of signatory or creator of an electronic seal may be performed only by the provider.
80. The provider that manages a key pair of a signatory or a creator of an electronic seal may back up the private key of the signatory or creator of an electronic seal in order to store it, provided that the following requirements are met:
1) the security level of the private key backup must correspond to the security level of the original private key;
2) the number of backups should not exceed the minimum value required to ensure the continuity of the service.
81. A qualified electronic signature or seal must meet the following requirements:
1) be unambiguously linked to the signatory or creator of the electronic seal;
2) make it possible to identify the signatory or creator of the electronic seal electronically;
3) be created using a private key that the signatory or creator of the electronic seal holds under their sole control;
4) make detectable any subsequent change to the electronic data to which the qualified electronic signature or seal is attached.
82. Any person may verify a qualified electronic signature or seal in order to obtain information on the validity or invalidity of that qualified electronic signature or seal.
83. Validation of a qualified electronic signature or seal consists in confirming:
1) compliance with the requirements specified in part two of Article 18 of the Law of Ukraine “On Electronic Trust Services”;
2) that the identification data of the signatory or creator of the electronic seal are correctly entered in the corresponding qualified electronic signature or seal certificate;
3) that the signature or seal was created using a qualified electronic signature or seal method;
4) compliance with the requirements specified in point 81 of these requirements at the time of applying the signature or seal to the related electronic data.
84. The provision of a qualified electronic trust service for the creation, verification and validation of qualified electronic signatures or seals implies that the service:
1) is provided exclusively by the provider;
2) meets all the requirements for verification of qualified electronic signatures or seals specified in paragraph 83 of these requirements;
3) delivers the result of validation in an automated manner that is reliable, efficient and secure, and bears the provider's qualified electronic signature or seal.
Requirements for the provision of a qualified electronic trust service for the creation, verification and validation of a qualified electronic signature or seal certificate
85. A qualified electronic trust service for the creation, verification and validation of a qualified electronic signature or seal certificate includes the actions provided for in part one of Article 20 of the Law of Ukraine "On Electronic Trust Services".
86. A provider creates a qualified electronic signature or seal certificate for an applicant on the basis of the entity’s identification data obtained from the applicant during their identification and verification of their legal capacity.
87. A provider is obliged to ensure the uniqueness of the serial number of an applicant's qualified electronic signature or seal certificate in relation to other qualified electronic signature or seal certificates generated by the same provider.
88. The provider is obliged to retain all qualified electronic signature or seal certificates it has created, as well as backup copies of them.
89. When re-creating a user’s qualified electronic signature or seal certificate, a provider must check whether the information provided for the previous creation of the applicant’s qualified electronic signature or seal certificate is still current.
90. A user’s qualified electronic signature or seal certificate must be available to the user for whom it was generated once the provider has created it.
91. Other persons are given access to a user’s qualified electronic signature or seal certificate only if the user has consented to the publication of the certificate.
92. If information contained in the qualified electronic signature or seal certificate changes, the user notifies the provider within three days from the date of the changes and provides documents confirming the changes.
Based on the documents provided by the user confirming the changes in the information contained in the qualified electronic signature or seal certificate, the provider re-creates the certificate and publishes it with the user's consent.
Re-creating a user’s qualified electronic signature or seal certificate does not extend its validity.
93. A user’s qualified electronic signature or seal certificate is revoked or blocked by a provider on the grounds provided for in Article 25 of the Law of Ukraine "On Electronic Trust Services".
94. An application for revocation or blocking of a qualified electronic signature or seal certificate shall be submitted by the user to the provider in any way that provides confirmation of the user's identity.
When processing an application for revocation or blocking of a qualified electronic signature or seal certificate, a provider identifies and verifies the user’s legal capacity in compliance with the requirements for identity confirmation established in the provider’s regulations.
95. A user’s qualified electronic signature or seal certificate is considered revoked or blocked from the moment the provider changes the status of the user’s qualified electronic signature or seal certificate to revoked or blocked.
96. A user whose qualified electronic signature or seal certificate has had its status changed to revoked or blocked must be notified immediately of the change of status.
97. A revoked qualified electronic signature or seal certificate is not renewable.
98. Information about qualified electronic signature or seal certificates generated by a provider, their status and lists of revoked certificates are contained in the register of valid, blocked and revoked public key certificates.
99. Information on the status of users’ qualified electronic signature or seal certificates is disseminated by publishing full and partial lists of revoked certificates on the provider’s official website and by making it possible to verify the status of a qualified electronic signature or seal certificate in real time via public telecommunications networks.
A provider’s list of revoked certificates must meet the following requirements:
each list of revoked certificates shall state the period for which it is valid pending the issuance of the next list, unless the provider’s regulations provide otherwise;
a new list of revoked certificates may be published before the validity period of the current list expires;
the list of revoked certificates must bear the provider’s qualified electronic signature or seal.
100. Management of the status of a qualified electronic signature or seal certificate and the dissemination of the related information must be available to users around the clock.
101. Applications to revoke or block a qualified electronic signature or seal certificate shall be recorded and kept by the provider for the period specified by the legislation in the area of archives.
102. The provider must ensure the integrity and origin of information on the status of qualified electronic signature or seal certificates.
103. The time used by the provider in the process of servicing qualified electronic signature or seal certificates of users must be synchronized with Coordinated Universal Time (UTC) to the nearest second.
Signals of exact time synchronized with the state standard for units of time and frequency are supplied by the central certification authority.
104. The creation of a qualified electronic signature or seal certificate is carried out by the provider at the request of the user.
105. Providers receive qualified electronic trust services for the creation, verification and validation of qualified electronic signature or seal certificates from the central certification authority.
Requirements for the provision of qualified electronic trust services for the creation, verification and validation of qualified website authentication certificates
106. Qualified electronic trust services for the creation, verification and validation of qualified website authentication certificates include the actions provided for in part one of Article 21 of the Law of Ukraine "On Electronic Trust Services".
107. The creation of a qualified website authentication certificate is carried out by the provider at the request of the user.
108. A qualified website authentication certificate provides:
1) authentication of the website owner;
2) encryption of the information exchanged over the Internet between a participant in an online transaction and the website;
3) an appropriate level of trust in the website owner as protection against online fraud;
4) protection of the personal information and personal data of participants in online transactions during those transactions.
109. A qualified website authentication certificate can be verified by anyone to obtain information about a website owner and the validity of a qualified website authentication certificate.
110. When verifying a qualified website authentication certificate, the verifier performs the following actions:
1) obtains from the qualified website authentication certificate the identification data that make it possible to establish unambiguously the owner of the website and the provider;
2) verifies the qualified electronic signature or seal affixed to the qualified website authentication certificate using the provider’s qualified public key certificate that was valid at the time the qualified website authentication certificate was created.
111. A qualified website authentication certificate is considered valid if it meets the requirements established by part one of Article 24 of the Law of Ukraine “On Electronic Trust Services”.
112. Providers receive a qualified electronic trust service for the creation, verification and validation of a qualified website authentication certificate from the central certification authority.
Requirements for the provision of a qualified electronic trust service for the creation, verification and validation of a qualified electronic timestamp
113. Qualified electronic trust services for the creation, verification and validation of a qualified electronic timestamp include the actions provided for in part one of Article 26 of the Law of Ukraine "On Electronic Trust Services".
114. The creation of a qualified electronic timestamp is carried out by the provider at the request of the user.
115. When a qualified electronic timestamp is created, the user and the provider, using qualified electronic signature or seal methods, perform the following actions:
1) the user calculates the hash value of the electronic data for which a qualified electronic timestamp is required;
2) the user generates a request for the creation of a qualified electronic timestamp, which contains:
the object identifier of the timestamp policy (optional);
the identifier of the hashing algorithm used and the hash value calculated in step 1;
a unique request identifier (nonce) (optional);
3) the user transmits the request to the provider;
4) the provider checks that the request format is correct and processes it, creates a qualified electronic timestamp and a response containing a qualified electronic timestamp, or a response with information about a refusal to create a qualified electronic timestamp;
5) the provider sends the user a response containing a qualified electronic timestamp, which contains the following data:
object identifier of the policy for creating qualified electronic timestamps that was used;
the hash value of the electronic data for which the qualified electronic timestamp has been generated;
the serial number of the qualified electronic timestamp;
the time of creation of the qualified electronic timestamp;
additional information about the qualified electronic timestamp;
qualified electronic signature or seal of the provider, affixed to the qualified electronic timestamp;
6) after receiving a response from the provider, the user performs the following actions:
checks the result of request processing;
checks that the name of the entity whose qualified electronic signature or seal is affixed to the qualified electronic timestamp is that of the provider;
checks that the provider’s qualified public key certificate is designated for the creation of timestamps;
verifies the validity of the provider's qualified public key certificate;
verifies the qualified electronic signature or seal that has been affixed to the qualified electronic timestamp;
checks that the electronic data and the data for which a qualified electronic timestamp has been generated correspond (by comparing the calculated hash value of the electronic data and the hash value recorded in the qualified electronic timestamp);
adds the qualified electronic timestamp to the electronic data.
116. A qualified electronic timestamp must provide:
1) a binding of the date and time to the electronic data such that any undetected change to the electronic data is precluded;
2) accuracy of the time in the provider’s software and hardware, which is synchronized with Coordinated Universal Time (UTC) to the nearest second.
117. Any entity may verify a qualified electronic timestamp in order to obtain information on the validity of a qualified electronic timestamp.
118. During the verification and validation of a qualified electronic timestamp, the entity conducting the verification shall perform the following actions:
1) obtains from the qualified electronic timestamp the identification data that make it possible to identify the provider unambiguously;
2) verifies the qualified electronic signature or seal affixed to the qualified electronic timestamp using the provider's qualified public key certificate that was valid at the time the qualified electronic timestamp was created;
3) verifies the qualified electronic timestamp and the electronic data to which it is added (by comparing the calculated hash value of electronic data and the hash value recorded in the qualified electronic timestamp).
119. A qualified electronic timestamp is considered invalid if:
1) it does not comply with the requirement for accurate time in the provider’s software and hardware;
2) a revoked or blocked qualified public key certificate of the provider was used at the time the qualified electronic timestamp was created.
120. The correctness of the recorded time is ensured by the correct implementation of the cryptographic algorithms used to create qualified electronic timestamps and by the accuracy of the time in the qualified electronic signature or seal methods.
121. Providers receive qualified electronic trust services for the creation, verification and validation of qualified electronic timestamps from the central certification authority.
122. The mechanism of synchronizing time with Coordinated Universal Time (UTC) in a provider’s software and hardware and the equipment used in the time synchronization process (its general description) is established by the Procedure of Time Synchronization with Coordinated Universal Time (UTC).
A procedure for synchronizing time with Coordinated Universal Time (UTC) is developed by a provider and agreed with the central certification authority.
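The exchange in points 115 and 118, together with the invalidity conditions of point 119, as an added worked example in Python; this is not code from the Resolution or from any provider. It models the request (hash algorithm, hash value, optional policy identifier, nonce) and the signed response (policy, hash, serial number, generation time in UTC to the second, nonce, provider name), then runs the verifier's checks in the order the text lists them. Everything in it is constructed: the provider's key is textbook RSA over two Mersenne primes so that no key generation is needed (a real provider signs with a qualified key pair under an approved algorithm with proper padding, never unpadded RSA), the provider certificate is a dictionary with a validity window, a revocation time and a timestamping designation, and the policy identifier 0.0.0.1 is a placeholder.

```python
# Added example: a qualified-timestamp request/response exchange and its validation.
import hashlib
import json
import secrets
from datetime import datetime, timezone

# Toy provider key: textbook RSA over two Mersenne primes, so no key generation is
# needed. This is an assumption of the example only; a real provider signs with a
# qualified key pair under an approved algorithm with proper padding.
_P, _Q = 2**521 - 1, 2**607 - 1
_N, _E = _P * _Q, 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))

# Constructed provider certificate (not a real certificate): validity window,
# revocation status and whether it is designated for timestamping.
PROVIDER_CERT = {
    "subject": "Example Qualified Provider",
    "not_before": "2020-01-01T00:00:00+00:00",
    "not_after": "2099-12-31T23:59:59+00:00",
    "revoked_at": None,          # ISO time if revoked or blocked, else None
    "timestamping": True,
}
TSA_POLICY_OID = "0.0.0.1"       # placeholder timestamp policy identifier
SUPPORTED_HASHES = {"sha256": 32, "sha512": 64}   # algorithm -> digest length in bytes

def _canonical(obj) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _sign(msg: bytes) -> int:
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), _D, _N)

def _verify(msg: bytes, sig: int) -> bool:
    return pow(sig, _E, _N) == int.from_bytes(hashlib.sha256(msg).digest(), "big")

def _t(iso: str) -> datetime:
    return datetime.fromisoformat(iso)

# User side, 115(1)-(3): hash locally, so the provider never sees the data itself.
def make_request(data: bytes, hash_alg: str = "sha256", policy=None) -> dict:
    return {"hash_alg": hash_alg, "hash": hashlib.new(hash_alg, data).hexdigest(),
            "policy": policy, "nonce": secrets.token_hex(16)}

# Provider side, 115(4)-(5): check the request format, then sign a token or refuse.
def create_timestamp(request: dict, now: datetime = None) -> dict:
    alg, digest = request.get("hash_alg"), request.get("hash", "")
    try:
        digest_len = len(bytes.fromhex(digest))
    except ValueError:
        digest_len = -1
    if alg not in SUPPORTED_HASHES or digest_len != SUPPORTED_HASHES[alg]:
        return {"status": "rejected", "reason": "malformed hash or unsupported algorithm"}
    if request.get("policy") not in (None, TSA_POLICY_OID):
        return {"status": "rejected", "reason": "unsupported timestamp policy"}
    now = now or datetime.now(timezone.utc)
    token = {
        "policy": TSA_POLICY_OID,
        "hash_alg": alg,
        "hash": digest,
        "serial": secrets.randbits(64),                       # unique per token
        "gen_time": now.replace(microsecond=0).isoformat(),   # UTC, whole seconds (116(2))
        "accuracy_s": 1,
        "nonce": request.get("nonce"),
        "tsa": PROVIDER_CERT["subject"],
    }
    return {"status": "granted", "token": token, "signature": _sign(_canonical(token))}

# Verifier side, 115(6) and 118-119: the checks in the order the text lists them.
def verify_timestamp(response: dict, data: bytes, request: dict, cert: dict):
    """Return (True, 'valid') or (False, reason)."""
    if response.get("status") != "granted":
        return False, "provider refused: %s" % response.get("reason")
    token, sig = response["token"], response["signature"]
    if token["tsa"] != cert["subject"]:
        return False, "signer is not the expected provider"
    if not cert["timestamping"]:
        return False, "provider certificate is not designated for timestamping"
    gen = _t(token["gen_time"])
    if not _t(cert["not_before"]) <= gen <= _t(cert["not_after"]):
        return False, "provider certificate not valid at creation time"
    if cert["revoked_at"] is not None and _t(cert["revoked_at"]) <= gen:
        return False, "provider certificate revoked or blocked at creation time"
    if not _verify(_canonical(token), sig):
        return False, "signature on timestamp does not verify"
    if token["nonce"] != request.get("nonce"):
        return False, "response does not answer our request"
    if token["hash"] != hashlib.new(token["hash_alg"], data).hexdigest():
        return False, "data does not match the timestamped hash"
    return True, "valid"

if __name__ == "__main__":
    doc = b"constructed document body"
    req = make_request(doc)
    resp = create_timestamp(req)
    print(verify_timestamp(resp, doc, req, PROVIDER_CERT))
    print(verify_timestamp(resp, doc + b"!", req, PROVIDER_CERT))
```

Running the file as a script timestamps a constructed document and shows a valid result followed by the failure for altered data. The nonce is what ties a response to the request that produced it: without it the user cannot tell a fresh token from a replayed earlier token for the same hash, whose generation time may be stale. The certificate checks are deliberately evaluated against the token's generation time rather than the current time, which is what point 119(2) requires.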
Requirements for the provision of qualified electronic trust services for registered electronic delivery
123. Qualified electronic trust services for registered electronic delivery must meet the requirements of part one of Article 27 of the Law of Ukraine "On Electronic Trust Services", and include the following actions:
1) sending electronic data with proof of sending;
2) obtaining electronic data with proof of receipt.
124. Registered electronic delivery is carried out by a provider at the request of a user (sender and/or recipient of electronic data).
125. Registered electronic delivery must provide:
1) transfer of electronic data between users (senders and recipients of electronic data);
2) authentication of senders and recipients of electronic data;
3) confidentiality of the electronic data delivered and of the personal data of senders and recipients of electronic data;
4) protection of the integrity of the electronic data delivered;
5) accuracy of the date and time of sending and receiving of electronic data;
6) a method of confirming that electronic data has been sent and received.
126. The recipient of electronic data verifies the electronic data transmitted by registered electronic delivery.
Requirements for the provision of qualified electronic trust services for the storage of qualified electronic signatures, seals, electronic timestamps and corresponding certificates
127. Qualified electronic trust services for the storage of qualified electronic signatures, seals, electronic timestamps and corresponding certificates include the following actions:
1) transfer of qualified electronic signatures or seals, timestamps and corresponding certificates;
2) storage of qualified electronic signatures or seals, timestamps and corresponding certificates.
128. The storage of qualified electronic signatures, seals, electronic timestamps and corresponding certificates is carried out by a provider at the request of a user.
129. When providing qualified electronic trust services for the storage of qualified electronic signatures, seals, electronic timestamps and corresponding certificates, the following shall be ensured:
1) the integrity of all stored data objects;
2) logging of events that change, delete or add data objects;
3) assigning responsibility for retention to one or more specific officials;
4) conducting inspections of compliance with these requirements.
Requirements for qualified electronic signature or seal methods
130. Qualified electronic signature or seal methods used in the provision of qualified electronic trust services must meet the requirements established by parts one and two of Article 19 of the Law of Ukraine “On Electronic Trust Services”.
131. Qualified electronic trust services are provided using qualified electronic signature or seal methods that have conformity documents or a positive expert opinion based on the results of a state assessment in the area of cryptographic protection of information.
132. A provider is prohibited from providing qualified electronic trust services without valid documents confirming its ownership of, and/or right to use, the qualified electronic signature or seal methods used to provide those services.
133. Monitoring of compliance with the requirements for the qualified electronic signature or seal methods is carried out by the State Special Communications Administration.
Requirements for qualified public key certificates
134. Qualified public key certificates generated by providers or the central certification authority when providing qualified electronic trust services must meet the requirements established by parts one, two and three of Article 23 of the Law of Ukraine “On Electronic Trust Services”.
135. A provider or central certification authority that issued a qualified public key certificate shall provide access to information on the date and time of any change of the status of a qualified public key certificate.
136. Monitoring of compliance with the requirements for qualified public key certificates is carried out by the State Special Communications Administration.
LIST OF STANDARDS,
used by qualified providers of electronic trust services in the provision of qualified electronic trust services
Standards defining general requirements for a qualified provider of electronic trust services when providing qualified electronic trust services
1. DSTU ETSI TR 119 400:2017 (ETSI TR 119 400:2016, IDT) “Electronic signatures and infrastructures (ESI). Guidelines for the use of standards by trust service providers that support digital signatures and related services", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality”, dated 4 August, 2017. Nš 207.
2. DSTU ETSI EN 319 401:2016 (ETSI EN 319 401:2016, IDT) “Electronic signatures and infrastructures (ESI). General Policy Requirements for Trust Service Providers”, approved by the resolution of the state enterprise “Ukrainian Research and Training Centre for Standardization, Certification and Quality” dated 21 June, 2016. Nš 183.
3. DSTU ETSI EN 319 403:2016 (ETSI EN 319 403:2015, IDT) “Electronic signatures and infrastructures (ESI). Conformity assessment of trust service providers. Requirements for conformity assessment bodies assessing trust service providers”, approved by the resolution of the state enterprise “Ukrainian Research and Training Centre for Standardization, Certification and Quality” dated 27 December, 2016. Nš 451.
Standards defining the requirements for the Trust List
4. DSTU ETSI TR 119 600:2016 (ETSI TR 119 600:2016, IDT) “Electronic signatures and infrastructures (ESI). Guidelines for the application of standards for providers of lists of trusted services", approved by the resolution of the state enterprise “Ukrainian Research and Training Centre for Standardization, Certification and Quality” dated 27 December, 2016. Nš 451.
5. DSTU ETSI TS 119 612:2016 (ETSI TS 119 612:2016, IDT) “Electronic signatures and infrastructures. Trust lists”, approved by the resolution of the state enterprise “Ukrainian Research and Training Centre for Standardization, Certification and Quality” dated 23 September, 2016. Nš 279.
Standards defining the requirements for the provision of qualified electronic trust services related to the creation, verification and validation of electronic signatures and seals, as well as the preservation of qualified electronic signatures, seals, electronic time stamps and the related public key certificates
6. DSTU ETSI TR 119 000:2017 (ETSI TR 119 000:2016, IDT) "Electronic Signatures and Infrastructures (ESI). The framework for standardization of signatures. Overview", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 4 August 2017, No. 207.
7. DSTU ETSI TR 119 001:2017 (ETSI TR 119 001:2016, IDT) "Electronic Signatures and Infrastructures (ESI). The framework for standardization of signatures. Definitions and abbreviations", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 4 August 2017, No. 206.
8. DSTU ETSI TR 119 100:2017 (ETSI TR 119 100:2016, IDT) "Electronic Signatures and Infrastructures (ESI). Guidance on the use of standards for signature creation and validation", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 4 August 2017, No. 206.
9. DSTU ETSI TS 119 101:2016 (ETSI TS 119 101:2016, IDT) "Electronic Signatures and Infrastructures (ESI). Policy and security requirements for applications for signature creation and signature validation", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 23 September 2016, No. 279.
10. DSTU ETSI EN 319 102-1:2016 (ETSI EN 319 102-1:2016, IDT) "Electronic Signatures and Infrastructures (ESI). Procedures for creation and validation of AdES digital signatures. Part 1. Creation and validation", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 21 June 2016, No. 183.
11. DSTU ETSI EN 319 122-1:2016 (ETSI EN 319 122-1:2016, IDT) "Electronic Signatures and Infrastructures (ESI). CAdES digital signatures. Part 1. Building blocks and CAdES baseline signatures", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 21 June 2016, No. 183.
12. DSTU ETSI EN 319 122-2:2016 (ETSI EN 319 122-2:2016, IDT) "Electronic Signatures and Infrastructures (ESI). CAdES digital signatures. Part 2. Extended CAdES signatures", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 21 June 2016, No. 183.
13. DSTU ETSI EN 319 132-1:2016 (ETSI EN 319 132-1:2016, IDT) "Electronic Signatures and Infrastructures (ESI). XAdES digital signatures. Part 1. Building blocks and XAdES baseline signatures", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 21 June 2016, No. 183.
14. DSTU ETSI EN 319 132-2:2016 (ETSI EN 319 132-2:2016, IDT) "Electronic Signatures and Infrastructures (ESI). XAdES digital signatures. Part 2. Extended XAdES signatures", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 21 June 2016, No. 183.
15. DSTU ETSI EN 319 142-1:2016 (ETSI EN 319 142-1:2016, IDT) "Electronic Signatures and Infrastructures (ESI). PAdES digital signatures. Part 1. Building blocks and PAdES baseline signatures", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 23 September 2016, No. 279.
16. DSTU ETSI EN 319 142-2:2016 (ETSI EN 319 142-2:2016, IDT) "Electronic Signatures and Infrastructures (ESI). PAdES digital signatures. Part 2. Additional PAdES signature profiles", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 23 September 2016, No. 279.
17. DSTU ETSI EN 319 162-1:2016 (ETSI EN 319 162-1:2016, IDT) "Electronic Signatures and Infrastructures (ESI). Associated Signature Containers (ASiC). Part 1. Building blocks and ASiC baseline containers", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 21 June 2016, No. 183.
18. DSTU ETSI EN 319 162-2:2016 (ETSI EN 319 162-2:2016, IDT) "Electronic Signatures and Infrastructures (ESI). Associated Signature Containers (ASiC). Part 2. Additional ASiC containers", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 21 June 2016, No. 183.
19. DSTU ETSI TS 102 778-1:2015 (ETSI TS 102 778-1:2009, IDT) "Electronic Signatures and Infrastructures (ESI). PDF Advanced Electronic Signature Profiles. Part 1. PAdES overview: a framework document for PAdES", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 18 December 2015, No. 193.
20. DSTU ETSI TS 102 778-2:2015 (ETSI TS 102 778-2:2009, IDT) "Electronic Signatures and Infrastructures (ESI). PDF Advanced Electronic Signature Profiles. Part 2. PAdES Basic: profile based on ISO 32000-1", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 18 December 2015, No. 193.
21. DSTU ETSI TS 102 778-3:2015 (ETSI TS 102 778-3:2010, IDT) "Electronic Signatures and Infrastructures (ESI). PDF Advanced Electronic Signature Profiles. Part 3. PAdES Enhanced: PAdES-BES and PAdES-EPES profiles", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 18 December 2015, No. 193.
22. DSTU ETSI TS 102 778-4:2015 (ETSI TS 102 778-4:2009, IDT) "Electronic Signatures and Infrastructures (ESI). PDF Advanced Electronic Signature Profiles. Part 4. PAdES Long Term: PAdES-LTV profile", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 18 December 2015, No. 193.
23. DSTU ETSI TS 102 778-5:2015 (ETSI TS 102 778-5:2009, IDT) "Electronic Signatures and Infrastructures (ESI). PDF Advanced Electronic Signature Profiles. Part 5. PAdES for XML content: profiles for XAdES signatures", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 18 December 2015, No. 193.
Standards defining the requirements for the provision of qualified electronic trust services related to the creation, verification and validation of qualified certificates for electronic signatures, electronic seals and website authentication
24. DSTU ETSI EN 319 411-1:2016 (ETSI EN 319 411-1:2016, IDT) "Electronic Signatures and Infrastructures (ESI). Policy and security requirements for trust service providers issuing certificates. Part 1. General requirements", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 21 June 2016, No. 183.
25. DSTU ETSI EN 319 411-2:2016 (ETSI EN 319 411-2:2016, IDT) "Electronic Signatures and Infrastructures (ESI). Policy and security requirements for trust service providers issuing certificates. Part 2. Requirements for trust service providers issuing EU qualified certificates", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 21 June 2016, No. 183.
Standards defining the requirements for the provision of qualified electronic trust services related to the creation, verification and validation of qualified electronic time stamps
26. DSTU ETSI EN 319 421:2016 (ETSI EN 319 421:2016, IDT) "Electronic Signatures and Infrastructures (ESI). Policy and security requirements for trust service providers issuing time stamps", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 21 June 2016, No. 183.
27. DSTU ETSI EN 319 422:2016 (ETSI EN 319 422:2016, IDT) "Electronic Signatures and Infrastructures (ESI). Time-stamping protocol and time-stamp token profiles", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 23 September 2016, No. 279.
Standards defining the requirements for qualified electronic signature or seal creation devices
28. DSTU EN 419211-1:2016 (EN 419211-1:2014, IDT) "Protection profiles for secure signature creation devices. Part 1. Overview", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 23 September 2016, No. 279.
29. DSTU EN 419211-2:2016 (EN 419211-2:2013, IDT) "Protection profiles for secure signature creation devices. Part 2. Device with key generation", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 23 September 2016, No. 279.
30. DSTU EN 419211-3:2016 (EN 419211-3:2013, IDT) "Protection profiles for secure signature creation devices. Part 3. Device with key import", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 23 September 2016, No. 279.
31. DSTU EN 419211-4:2016 (EN 419211-4:2013, IDT) "Protection profiles for secure signature creation devices. Part 4. Extension for a device with key generation and a trusted channel to the certificate generation application", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 23 September 2016, No. 279.
32. DSTU EN 419211-5:2016 (EN 419211-5:2013, IDT) "Protection profiles for secure signature creation devices. Part 5. Extension for a device with key generation and a trusted channel to the signature creation application", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 23 September 2016, No. 279.
33. DSTU EN 419211-6:2016 (EN 419211-6:2014, IDT) "Protection profiles for secure signature creation devices. Part 6. Extension for a device with key import and a trusted channel to the signature creation application", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 23 September 2016, No. 279.
34. DSTU ISO/IEC 19790:2015 (ISO/IEC 19790:2012, IDT) "Information technology. Security techniques. Security requirements for cryptographic modules", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 18 December 2015, No. 193.
Standards defining the requirements for qualified public key certificates
35. DSTU ISO/IEC 9594-8:2014 (ISO/IEC 9594-8:2014, IDT) "Information technology. Open Systems Interconnection. The Directory. Part 8. Public-key and attribute certificate frameworks", approved by the order of the Ministry of Economic Development dated 30 December 2014, No. 1493.
36. DSTU ETSI EN 319 412-1:2016 (ETSI EN 319 412-1:2016, IDT) "Electronic Signatures and Infrastructures (ESI). Certificate profiles. Part 1. Overview and common data structures", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 21 June 2016, No. 183.
37. DSTU ETSI EN 319 412-2:2016 (ETSI EN 319 412-2:2016, IDT) "Electronic Signatures and Infrastructures (ESI). Certificate profiles. Part 2. Certificate profile for certificates issued to natural persons", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 23 September 2016, No. 279.
38. DSTU ETSI EN 319 412-3:2016 (ETSI EN 319 412-3:2016, IDT) "Electronic Signatures and Infrastructures (ESI). Certificate profiles. Part 3. Certificate profile for certificates issued to legal persons", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 27 December 2016, No. 451.
39. DSTU ETSI EN 319 412-4:2016 (ETSI EN 319 412-4:2016, IDT) "Electronic Signatures and Infrastructures (ESI). Certificate profiles. Part 4. Certificate profile for website certificates", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 21 June 2016, No. 183.
40. DSTU ETSI EN 319 412-5:2016 (ETSI EN 319 412-5:2016, IDT) "Electronic Signatures and Infrastructures (ESI). Certificate profiles. Part 5. QCStatements", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 23 September 2016, No. 279.
Standards defining the requirements for the provision of qualified electronic registered delivery services
41. DSTU ETSI EN 319 522-1:2018 (ETSI EN 319 522-1:2018, IDT) "Electronic Signatures and Infrastructures (ESI). Electronic registered delivery services. Part 1. Framework and architecture", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 24 September 2018, No. 337.
42. DSTU ETSI EN 319 522-2:2018 (ETSI EN 319 522-2:2018, IDT) "Electronic Signatures and Infrastructures (ESI). Electronic registered delivery services. Part 2. Semantic contents", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 24 September 2018, No. 337.
43. DSTU ETSI EN 319 522-3:2018 (ETSI EN 319 522-3:2018, IDT) "Electronic Signatures and Infrastructures (ESI). Electronic registered delivery services. Part 3. Formats", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 24 September 2018, No. 337.
44. DSTU ETSI EN 319 522-4-1:2018 (ETSI EN 319 522-4-1:2018, IDT) "Electronic Signatures and Infrastructures (ESI). Electronic registered delivery services. Part 4. Bindings. Sub-part 1. Message delivery bindings", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 24 September 2018, No. 337.
45. DSTU ETSI EN 319 522-4-2:2018 (ETSI EN 319 522-4-2:2018, IDT) "Electronic Signatures and Infrastructures (ESI). Electronic registered delivery services. Part 4. Bindings. Sub-part 2. Evidence and identification bindings", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 24 September 2018, No. 337.
46. DSTU ETSI EN 319 522-4-3:2018 (ETSI EN 319 522-4-3:2018, IDT) "Electronic Signatures and Infrastructures (ESI). Electronic registered delivery services. Part 4. Bindings. Sub-part 3. Capability/requirements bindings", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 24 September 2018, No. 337.
47. DSTU ETSI EN 319 532-1:2018 (ETSI EN 319 532-1:2018, IDT) "Electronic Signatures and Infrastructures (ESI). Registered electronic mail (REM) services. Part 1. Framework and architecture", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 24 September 2018, No. 337.
48. DSTU ETSI EN 319 532-2:2018 (ETSI EN 319 532-2:2018, IDT) "Electronic Signatures and Infrastructures (ESI). Registered electronic mail (REM) services. Part 2. Semantic contents", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 24 September 2018, No. 337.
49. DSTU ETSI EN 319 532-3:2018 (ETSI EN 319 532-3:2018, IDT) "Electronic Signatures and Infrastructures (ESI). Registered electronic mail (REM) services. Part 3. Formats", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 24 September 2018, No. 337.
50. DSTU ETSI EN 319 532-4:2018 (ETSI EN 319 532-4:2018, IDT) "Electronic Signatures and Infrastructures (ESI). Registered electronic mail (REM) services. Part 4. Interoperability profiles", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 24 September 2018, No. 337.
Standards defining the requirements for cryptographic protection of information
51. DSTU 4145-2002 "Information technologies. Cryptographic protection of information. Digital signature based on elliptic curves. Generation and verification", approved by the order of the State Committee for Technical Regulation and Consumer Policy dated 28 December 2002, No. 31.
52. DSTU 7564:2014 "Information technologies. Cryptographic protection of information. Hash function", approved by the order of the Ministry of Economic Development dated 2 December 2014, No. 1431.
53. DSTU 7624:2014 "Information technologies. Cryptographic protection of information. Symmetric block transformation algorithm", approved by the order of the Ministry of Economic Development dated 29 December 2014, No. 1484.
54. DSTU ETSI TR 119 300:2016 (ETSI TR 119 300:2016, IDT) "Electronic Signatures and Infrastructures (ESI). Guidance on the use of standards for cryptographic suites", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 27 December 2016, No. 451.
55. DSTU ETSI TS 119 312:2015 (ETSI TS 119 312:2014, IDT) "Electronic Signatures and Infrastructures (ESI). Cryptographic suites", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 5 November 2015, No. 145.
56. DSTU ISO/IEC 14888-1:2015 (ISO/IEC 14888-1:2008, IDT) "Information technology. Security techniques. Digital signatures with appendix. Part 1. General", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 18 December 2015, No. 193.
57. DSTU ISO/IEC 14888-2:2015 (ISO/IEC 14888-2:2008, IDT) "Information technology. Security techniques. Digital signatures with appendix. Part 2. Integer factorization based mechanisms", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 18 December 2015, No. 193.
58. DSTU ISO/IEC 14888-3:2015 (ISO/IEC 14888-3:2006; Cor 1:2007; Cor 2:2009; Amd 1:2010; Amd 2:2012, IDT) "Information technology. Security techniques. Digital signatures with appendix. Part 3. Discrete logarithm based mechanisms", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 18 December 2015, No. 193.
Standards defining information security requirements
59. DSTU ISO/IEC 18045:2015 (ISO/IEC 18045:2008, IDT) "Information technology. Security techniques. Methodology for IT security evaluation", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 18 December 2015, No. 193.
60. DSTU ISO/IEC 15408-1:2017 (ISO/IEC 15408-1:2009, IDT) "Information technology. Security techniques. Evaluation criteria for IT security. Part 1. Introduction and general model", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 4 August 2017, No. 207.
61. DSTU ISO/IEC 15408-2:2017 (ISO/IEC 15408-2:2008, IDT) "Information technology. Security techniques. Evaluation criteria for IT security. Part 2. Security functional components", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 4 August 2017, No. 207.
62. DSTU ISO/IEC 15408-3:2017 (ISO/IEC 15408-3:2008, IDT) "Information technology. Security techniques. Evaluation criteria for IT security. Part 3. Security assurance components", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 4 August 2017, No. 207.
63. DSTU ISO/IEC 27001:2015 (ISO/IEC 27001:2013; Cor 1:2014, IDT) "Information technology. Security techniques. Information security management systems. Requirements", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 18 December 2015, No. 193.
64. DSTU ISO/IEC 27002:2015 (ISO/IEC 27002:2013; Cor 1:2014, IDT) "Information technology. Security techniques. Code of practice for information security controls", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 18 December 2015, No. 193.
65. DSTU ISO/IEC 27005:2015 (ISO/IEC 27005:2011, IDT) "Information technology. Security techniques. Information security risk management", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 18 December 2015, No. 193.
Conformance and interoperability testing standards
66. DSTU ETSI SR 003 186:2017 (ETSI SR 003 186:2016, IDT) "Electronic Signatures and Infrastructures (ESI). Interoperability testing and the measures necessary for the implementation and promotion of the digital signature framework", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 4 August 2017, No. 206.
67. DSTU ETSI TS 119 124-4:2017 (ETSI TS 119 124-4:2016, IDT) "Electronic Signatures and Infrastructures (ESI). CAdES digital signatures. Testing conformance and interoperability. Part 4. Testing conformance of CAdES baseline signatures", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 4 August 2017, No. 207.
68. DSTU ETSI TR 119 134-1:2017 (ETSI TR 119 134-1:2016, IDT) "Electronic Signatures and Infrastructures (ESI). XAdES digital signatures. Testing conformance and interoperability. Part 1. Overview", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 30 November 2017, No. 392.
69. DSTU ETSI TR 119 134-2:2017 (ETSI TR 119 134-2:2016, IDT) "Electronic Signatures and Infrastructures (ESI). XAdES digital signatures. Testing conformance and interoperability. Part 2. Test suites for testing interoperability of XAdES baseline signatures", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 30 November 2017, No. 392.
70. DSTU ETSI TR 119 134-3:2017 (ETSI TR 119 134-3:2016, IDT) "Electronic Signatures and Infrastructures (ESI). XAdES digital signatures. Testing conformance and interoperability. Part 3. Test suites for testing interoperability of extended XAdES signatures", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 30 November 2017, No. 392.
71. DSTU ETSI TR 119 134-4:2017 (ETSI TR 119 134-4:2016, IDT) "Electronic Signatures and Infrastructures (ESI). XAdES digital signatures. Testing conformance and interoperability. Part 4. Testing conformance of XAdES baseline signatures", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 30 November 2017, No. 392.
72. DSTU ETSI TR 119 134-5:2017 (ETSI TR 119 134-5:2016, IDT) "Electronic Signatures and Infrastructures (ESI). XAdES digital signatures. Testing conformance and interoperability. Part 5. Testing conformance of extended XAdES signatures", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 30 November 2017, No. 392.
73. DSTU ETSI TR 119 144-1:2017 (ETSI TR 119 144-1:2016, IDT) "Electronic Signatures and Infrastructures (ESI). PAdES digital signatures. Testing conformance and interoperability. Part 1. Overview", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 4 August 2017, No. 207.
74. DSTU ETSI TS 119 144-2:2017 (ETSI TS 119 144-2:2016, IDT) "Electronic Signatures and Infrastructures (ESI). PAdES digital signatures. Testing conformance and interoperability. Part 2. Test suites for testing interoperability of PAdES baseline signatures", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 4 August 2017, No. 207.
75. DSTU ETSI TS 119 144-3:2017 (ETSI TS 119 144-3:2016, IDT) "Electronic Signatures and Infrastructures (ESI). PAdES digital signatures. Testing conformance and interoperability. Part 3. Test suites for testing interoperability of additional PAdES signatures", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 4 August 2017, No. 207.
76. DSTU ETSI TS 119 144-4:2017 (ETSI TS 119 144-4:2016, IDT) "Electronic Signatures and Infrastructures (ESI). PAdES digital signatures. Testing conformance and interoperability. Part 4. Testing conformance of PAdES baseline signatures", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 4 August 2017, No. 207.
77. DSTU ETSI TS 119 144-5:2017 (ETSI TS 119 144-5:2016, IDT) "Electronic Signatures and Infrastructures (ESI). PAdES digital signatures. Testing conformance and interoperability. Part 5. Testing conformance of additional PAdES signatures", approved by the resolution of the state enterprise "Ukrainian Research and Training Centre for Standardization, Certification and Quality" dated 4 August 2017, No. 207.
PROCEDURE
for checking compliance with the legislation in the area of electronic trust services
1. This Procedure determines the mechanism by which the State Special Communications Administration implements state supervision (monitoring) measures over compliance with the legislation in the area of electronic trust services, including the mandatory conditions to be met by qualified providers of electronic trust services and their separate registration points (hereinafter - providers), the central certification authority and certification centres when providing qualified electronic trust services.
This Procedure does not apply to relations connected with state supervision (monitoring) of compliance with the legislation in the area of electronic trust services by providers that are business entities, except for the provisions of paragraphs 4-10 and 45-56 of this Procedure.
2. In this Procedure, the terms are used in the following meaning:
information and telecommunications system - the set of information and telecommunications systems of a provider, the central certification authority or a certification centre which acts as a whole in the course of information processing and unites the software and hardware used in the provision of qualified electronic trust services (hereinafter - software and hardware), the physical environment, the information processed in these systems, and the employees of the provider, the central certification authority or the certification centre whose duties are directly related to the provision of qualified electronic trust services or to the maintenance of the software and hardware (hereinafter - employees);
qualified electronic trust service - an electronic trust service provided by a provider, a certification centre or the central certification authority, in particular one that uses a qualified electronic signature or seal and is based on a qualified public key certificate;
inspection - an on-site scheduled or unscheduled measure of state supervision (monitoring) of compliance with the legislation in the area of electronic trust services, carried out by officials of the State Special Communications Administration in accordance with their functional responsibilities at the location of a provider, the central certification authority or a certification centre;
regulations - a document of a provider, the central certification authority or a certification centre that determines the organizational, methodological, technical and technological conditions under which the provider, the central certification authority or the certification centre provides qualified electronic trust services, including the certificate policy and certification practice statement;
special premises - non-residential premises used by a provider, the central certification authority or a certification centre to accommodate all components of their software and hardware.
3. Other terms are used in the meaning given in the Laws of Ukraine “On Electronic Trust Services”, “On Electronic Documents and Electronic Document Management”, “On Basic Principles of State Supervision (Monitoring) in the Area of Economic Activity”, “On Telecommunications”, “On Information Protection in Information and Telecommunications Systems”.
4. State supervision (monitoring) measures over compliance with the legislation in the area of electronic trust services are carried out by the State Special Communications Administration by conducting scheduled and unscheduled inspections of providers, the central certification authority and certification centres, or on the basis of a request submitted by an entity to a conformity assessment body for an assessment of the provider and the services it provides in accordance with the requirements of Article 32 of the Law of Ukraine "On Electronic Trust Services".
5. Analysis of compliance with the procedure for the use of electronic trust services in public authorities, local governments and state-owned enterprises, institutions and organizations is conducted by the State Special Communications Administration within the framework of state supervision (monitoring) of compliance with the legislation in the area of cryptographic and technical protection of information.
6. The State Special Communications Administration carries out off-site (desk) measures of state supervision (monitoring) of compliance with the legislation in the area of electronic trust services by analyzing:
1) the status of the official website of a provider, the central certification authority or a certification centre;
2) the content of the official website of a provider, the central certification authority or a certification centre, and whether users of electronic trust services are properly informed about the provision of electronic trust services;
3) the list of electronic trust services, the procedure for providing them and their content as published on the official website of a provider, the central certification authority or a certification centre;
4) the report on the provider's activities submitted by it in accordance with paragraph 75 of the Requirements in the area of electronic trust services, approved by the Resolution of the Cabinet of Ministers of Ukraine dated 7 November 2018, No. 992, "Approval of Requirements in the Area of Electronic Trust Services and the Procedure for Verifying Compliance with the Legislation in the Area of Electronic Trust Services";
5) the conformity documents issued on the basis of the conformity assessment of the provider and the services it provides;
6) other information on the operation, organization and provision of electronic trust services by the provider, the central certification authority or the certification centre.
7. Scheduled inspections of the central certification authority, certification centres and providers that are public authorities, local governments and other legal entities under public law are conducted annually by the State Special Communications Administration.
8. The grounds for a scheduled inspection are the annual plan for the implementation of state supervision (monitoring) measures approved by the State Special Communications Administration.
9. Grounds for conducting an unscheduled inspection are:
1) submission by a provider of an application for verification of compliance with the legislation in the area of electronic trust services;
2) detection and confirmation of inaccuracy of data in the documents submitted by the provider;
3) non-compliance with the requirements of the State Special Communications Administration within the period specified in an order to eliminate violations of the legislation issued as a result of a planned measure of state supervision (monitoring) of compliance with the legislation in the area of electronic trust services;
4) receiving information or notification of a violation by a provider of the legislation in the area of electronic trust services.
10. The aim of an inspection of a provider, the central certification authority or a certification centre is to assess the state of compliance with the legislation in the area of electronic trust services, including their regulations.
11. To conduct a scheduled or unscheduled inspection, the State Special Communications Administration makes a decision to conduct an inspection.
The decision to conduct an inspection shall be signed by the head of the State Special Communications Service or his deputy in accordance with the division of functional responsibilities.
12. A decision to conduct an inspection must contain:
1) the name of the State Special Communications Administration;
2) name (surname, name, patronymic) of the provider, the central certification authority or the certification centre;
3) location or residence of the provider, the central certification authority or the certification centre;
4) the grounds for the inspection;
5) the subject of the inspection;
6) start and end dates of the inspection;
7) the roles and individuals in the inspection commission.
13. Notice of a decision to conduct an inspection is sent (delivered) to a provider, the central certification authority or a certification centre no later than 10 working days before the inspection by registered mail and/or by e-mail or delivered personally to and signed for by the head of the provider, the central certification authority or the certification centre.
14. For providers who are not business entities, a scheduled or unscheduled inspection may not last more than ten working days.
15. Scheduled and unscheduled inspections are carried out during the working hours of the provider, the central certification authority or the certification centre as established by its internal regulations.
16. A provider, the central certification authority or a certification centre has the right not to allow officials of the State Special Communications Administration to conduct a scheduled or unscheduled inspection if notice of the decision to conduct an inspection has not been received within the period specified in paragraph 13 of this Procedure.
17. The inspection commission is formed of the chairman and members of the inspection commission.
Representatives of the central certification authority may be involved in the inspection commission (by agreement).
18. On the basis of a decision to conduct an inspection, a certificate of inspection is issued, which is signed by the head of the State Special Service or their deputy in accordance with the division of functional responsibilities and certified by a seal.
The format of the inspection certificate shall be established by the State Special Communications Administration.
19. The certificate of inspection shall indicate:
1) the name of the State Special Communications Administration;
2) name (surname, name, patronymic) of the provider, the central certification authority or the certification centre;
3) location or residence of the provider, the central certification authority or the certification centre;
4) details of the decision to conduct an inspection;
5) the roles and individuals in the inspection commission;
6) start date and end date of the inspection;
7) type of inspection (scheduled or unscheduled);
9) a list of issues to be checked;
10) information on the preliminary inspection (type of inspection and term of its implementation).
20. The certificate of inspection is valid only for the period specified in it.
21. Members of the inspection commission are obliged to:
1) objectively and impartially conduct the inspection;
2) comply with the legislation in the areas of electronic trust services, information protection and personal data protection;
3) honestly, in good time and efficiently perform their duties and the instructions of the chairman of the inspection commission;
4) adhere to business ethics in relations with the manager and employees of the provider, the central certification authority or the certification centre;
5) acquaint the head of the provider, the central certification authority or the certification centre or a representative authorized by them with the results of the inspection;
6) provide the provider, the central certification authority or the certification centre with advice on the inspection;
7) not disclose trade secrets and confidential information that became known to them in connection with the performance of their official duties.
22. When performing their official duties during the inspection, members of the inspection commission have the right to:
1) access special premises and all documents and information of the provider, the central certification authority or the certification centre related to the provision of qualified electronic trust services;
2) study the operation of the information and telecommunications system, as well as other equipment used by the provider, the central certification authority or the certification centre to provide qualified electronic trust services;
3) receive from employees of the provider, the central certification authority or the certification centre information and explanations (including written) on their activities related to the provision of qualified electronic trust services as necessary for the inspection;
4) receive from the provider, the central certification authority or the certification centre copies of documents, including scanned or photocopied, which may indicate violations of legislation in the area of electronic trust services and attach them to the inspection documents.
23. The head of the provider, the central certification authority or the certification centre is obliged to create the necessary conditions for the inspection, namely:
1) for the period of the inspection, provide the chairman and members of the inspection commission entrance to and exit from the special premises of the provider, the central certification authority or the certification centre;
2) provide the chairman and members of the inspection commission, on the day the inspection starts, with office space (a separate workspace) that is equipped with the necessary furniture, a computer and document storage;
3) organize a meeting of the chairman and members of the inspection commission with the employees of the provider, the central certification authority or the certification centre whose responsibilities are directly related to the provision of qualified electronic trust services;
4) ensure access by the chairman and members of the inspection commission to all documents and information on the activities of the provider, the central certification authority or the certification centre that are provided for in point 28 of this Procedure;
5) ensure the provision of certified copies of documents and information on the activities of a provider, the central certification authority or a certification centre (oral and written explanations by the head and employees of a provider, the central certification authority or a certification centre);
6) ensure the correct behavior of employees of the provider, the central certification authority or the certification centre during the inspection.
24. Unauthorized persons are not allowed to enter the office space equipped for the work of the inspection commission without the permission of the chairman of the inspection commission.
25. The head of a provider, the central certification authority or a certification centre or their authorized representative during the inspection has the right to:
1) require the chairman and members of the inspection commission to comply with the requirements of the law;
2) check that the chairman and members of the inspection commission hold service certificates, and receive a copy of the inspection certificate;
3) not to allow the chairman and members of the inspection commission to conduct the inspection if:
there are violations of the requirements for the periodicity of inspections provided by law;
the chairman and members of the inspection commission do not present service certificates and a certificate for conducting the inspection executed in accordance with the legislation;
4) be present during the inspection;
5) require compliance with the requirements for non-disclosure of trade secrets and confidential information of the provider, the central certification authority or the certification centre;
6) receive and acquaint themselves with the inspection report;
7) provide in writing their explanations, comments or objections to the inspection report;
8) receive from the chairman of the inspection commission explanations of the actions of the commission related to the inspection;
9) if they disagree with the actions of the chairman and/or members of the inspection commission, to file a written complaint to the State Special Communications Administration or to contest the actions of the inspection commission in court;
10) receive advice from the chairman and members of the inspection commission in order to prevent violations while the inspection is being conducted.
26. Before the start of the inspection, the chairman of the inspection commission shall make an entry in the relevant journal of the provider, the central certification authority or the certification centre (if any).
27. The inspection shall be carried out in the presence of the head of the provider, the central certification authority or the certification centre or a representative authorized by them.
28. Verification is carried out by examining documents, information contained in databases, within the rules of delimitation of access provided by a comprehensive information security system, interviews with the employees of the provider, the central certification authority or the certification centre, analysis of compliance with legislation in the area of electronic trust services and administrative documents related to the provision of qualified electronic trust services.
29. If there are violations of the law in the area of electronic trust services, abuses or shortcomings, the management of the provider, the central certification authority or the certification centre is obliged to take measures to eliminate the identified violations, abuses and shortcomings and prevent them in the future.
30. The inspection is carried out in the following stages:
2) recording of the inspection results.
31. Preparation for the inspection is carried out by:
1) processing preliminary inspection materials for the purpose of further assessment of those areas of work in which violations were previously identified;
2) analysis of the information specified in point 6 of this Procedure;
3) study of the regulations of the provider, the central certification authority or the certification centre.
32. The State Special Communications Administration has the right to request in writing from the provider, the central certification authority or the certification centre the materials and information necessary for the inspection.
The provider, the central certification authority or the certification centre is obliged to submit to the State Special Communications Administration all the requested information within 15 working days from the date of registration of the corresponding request.
33. When preparing for the inspection, the chairman of the inspection commission informs its members about the tasks (recommendations, instructions) of the inspection, as well as instructs on the procedure for interaction with employees of a provider, the central certification authority or a certification centre.
34. On the day the inspection starts, the chairman and members of the inspection commission are obliged to present to the head of a provider, the central certification authority or a certification centre or their authorized representative the inspection certificate and service certificates establishing the chairman and members of the inspection commission as officials of the Administration for State Special Communications, and provide a copy of the certificate for inspection.
35. The chairman and members of the inspection commission shall not have the right to conduct an inspection without presenting service certificates and a certificate to conduct it.
36. The results of the inspection of a provider are recorded by the inspection commission in an inspection report, the format of which is approved by the State Special Communications Administration.
37. The results of the inspection of the central certification authority or a certification centre are recorded by the inspection commission in an inspection report in any form which contains the following information:
1) the name of the State Special Communications Administration;
2) the individuals and roles in the inspection commission;
3) surname and initials of the head of the central certification authority or certification centre;
4) type of inspection (scheduled or unscheduled);
5) details of the certificate for the inspection;
6) start and end dates of the inspection;
7) the address of the premises of the central certification authority or certification centre related to the provision of qualified electronic trust services in which the inspection was conducted;
8) the results of the preliminary inspection;
9) the reasons for non-compliance with the established requirements (if any);
10) the name and summary of the documents provided during the inspection;
11) qualitative and quantitative indicators established during the inspection that characterize the activities of the central certification authority or certification centre related to the provision of qualified electronic trust services;
12) violations and shortcomings identified during the inspection (if any);
13) conclusions based on the results of the inspection;
14) opposition to the inspection (if any);
15) recommendations for eliminating identified violations (if any);
16) the date of the inspection report;
17) signatures of the chairman and members of the inspection commission;
18) signature of the head of the central certification authority or certification centre or their authorized representative confirming that they have acquainted themselves with the inspection report.
38. Violations specified in the inspection report must be referenced to specific provisions of regulations.
Arbitrary interpretation of the provisions of regulations is not allowed.
Reference information or information on violations and deficiencies, which may be grouped by common theme, may be set out in annexes to the inspection report.
If copies of documents are attached to the inspection report, their titles and details shall be indicated in the report.
39. The inspection report shall be drawn up in two copies and signed no later than the last day of the inspection by the chairman and all members of the inspection commission and the head of the provider, the central certification authority or the certification centre or authorized representative.
40. A member of the inspection commission who does not agree with the conclusions of the inspection commission specified in the inspection report is obliged to sign it and express their separate opinion in writing, which is attached to the inspection report. In this case, before the inspection report is signed, it is marked "With separate opinion attached".
41. If the head of a provider, the central certification authority or a certification centre or authorized representative has comments on the facts and conclusions set out in the inspection report, it is marked "With comments attached" before signing.
Remarks on the inspection report shall be set out in a separate document and signed by the head of the provider, the central certification authority or the certification centre or authorized representative.
Remarks of the head of the provider, the central certification authority or the certification centre or the representative and the dissenting opinions of members of the inspection commission are an integral part of the inspection report.
42. If the head of a provider, the central certification authority or a certification centre or authorized representative refuses to read the inspection report or to sign it after reading it, the chairman of the inspection commission makes the appropriate mark at the space for the signature of the provider, central certification authority or certification centre or authorized person, which is certified by the signatures of the chairman and one of the members of the inspection commission.
43. One copy of the inspection report is handed over to the head or authorized person of the provider, the central certification authority, the certification centre on the last day of the inspection, and the other is kept in the State Special Communications Administration.
44. When inspecting a provider, a copy of the inspection report shall be sent to the central certification authority or certification centre within five working days after its completion.
45. Based on the results of the inspection of a provider, the central certification authority or a certification centre, the State Special Communications Administration shall take the following measures on the basis of the inspection report:
1) require elimination of violations of the legislation in the area of electronic trust services within the period established by the instruction on elimination of violations;
2) make a decision to block the qualified public key certificate of the provider, self-signed electronic seal certificate of the certification centre or self-signed electronic seal certificate of the central certification authority if the inspection revealed the compromise of personal keys;
3) send the central certification authority a request to exclude the provider from the Trust List if grounds are detected as provided for in part five of Article 33 of the Law of Ukraine “On Electronic Trust Services”.
46. If during the inspection of a provider, the central certification authority or a certification centre violations of the legislation in the area of personal data protection are revealed, the State Special Communications Administration informs the Verkhovna Rada of Ukraine Commissioner for Human Rights.
47. An order to eliminate violations shall be drawn up by the inspection commission in two copies within five working days from the date of completion of the inspection. One copy of this order shall be provided to the provider, the central certification authority or the certification centre no later than five working days from the date of drafting the inspection report, and the other copy, signed by the head of the provider, the central certification authority or the certification centre or authorized representative as an undertaking to comply with the deadlines set in accordance with the legislation in the area of electronic trust services, remains in the State Special Communications Administration.
The format of an order to eliminate violations is established by the State Special Communications Administration.
The order to eliminate violations shall be signed by the chairman and members of the inspection commission who conducted it.
48. If the head of a provider, the central certification authority or a certification centre or their authorized representative refuses to accept an order to eliminate violations, it shall be sent to them by registered mail, and the copy of the order that remains in the State Special Communications Administration shall bear the appropriate outgoing number and date of sending.
49. The head of the provider, the central certification authority or the certification centre must take measures to eliminate the deficiencies and violations specified in the order to eliminate violations within the period specified in the order.
50. The provider, the central certification authority or the certification centre is obliged to submit in writing to the State Special Communications Administration notice of the elimination of violations together with supporting documents within the period specified in the order on elimination of violations.
51. A decision to block the qualified public key certificate of a provider, a self-signed electronic seal certificate of the certification centre, the self-signed electronic seal certificate of the central certification authority is made by the State Special Communications Administration and sent to the central certification authority on the day of its adoption.
52. A decision to block the qualified public key certificate of a provider, the self-signed electronic seal certificate of a certification centre, the self-signed electronic seal certificate of the central certification authority must contain:
1) the name of the State Special Communications Administration;
2) date of acceptance and index (serial number);
3) roles and individuals in the inspection commission;
4) name (surname, name, patronymic) of the provider, the central certification authority or the certification centre;
5) location of the provider, the central certification authority or the certification centre;
6) surname, name and patronymic of the head of the provider, the central certification authority or the certification centre;
7) the circumstances under which the violations were identified (type, term of inspection, number and date of the inspection report or reference to another source of information);
8) reasoned grounds for making a decision on blocking the qualified public key certificate of the provider, the self-signed electronic seal certificate of the certification centre, the self-signed electronic seal certificate of the central certification authority;
9) the requirement to block the qualified public key certificate of the provider, the self-signed electronic seal certificate of the certification centre, the self-signed electronic seal certificate of the central certification authority;
10) signature of the head of the State Special Communications Service or their deputy in accordance with the division of functional responsibilities.
53. Based on the decision of the State Special Communications Administration, the Central Certification Authority is obliged to change the status of the qualified provider's public key certificate, self-signed electronic seal certificate of the certification centre, self-signed electronic seal certificate of the central certification authority to blocked.
54. An application to exclude a provider from the Trust List is prepared by the State Special Communications Administration and, on the day of its signing by the head of the State Special Communications Service or their deputy in accordance with the division of functional responsibilities, is sent to the central certification authority.
55. The application to exclude a provider from the Trust List must contain:
1) the name of the State Special Communications Administration;
2) the roles and individuals in the inspection commission;
3) name (surname, name, patronymic) of the provider;
4) location or residence of the provider;
5) surname, name and patronymic of the head of the provider;
6) the circumstances under which the violations were detected (type, term of inspection, number and date of the inspection report or reference to another source of information);
7) reasoned grounds for making a decision to exclude the provider from the Trust List;
8) the requirement to exclude the provider from the Trust List;
10) signature of the head of the State Special Communications Service or their deputy in accordance with the division of functional responsibilities.
56. If violations are detected of the legislation in the area of electronic trust services established for the central certification authority, the State Special Communications Administration proposes to eliminate them to the central certification authority.
LIST
of resolutions of the Cabinet of Ministers of Ukraine that have expired
1. Resolution of the Cabinet of Ministers of Ukraine of 26 May 2004 No. 680 “Approval of the Procedure for Certifying the Availability of an Electronic Document (Electronic Data) at a Certain Point in Time” (Official Gazette of Ukraine, 2004, No. 21, Art. 1428).
2. Point 31 of the amendments to the acts of the Cabinet of Ministers of Ukraine approved by the resolution of the Cabinet of Ministers of Ukraine dated 8 December, 2006 No. 1700 (Official Gazette of Ukraine, 2006, No. 50, Art. 3324).
3. Resolution of the Cabinet of Ministers of Ukraine dated 27 May 2013 No. 371 “On Amendments to the Procedure for Certifying the Existence of an Electronic Document (Electronic Data) at a Specific Time” (Official Gazette of Ukraine, 2013, No. 41, Art. 1468).
4. Point 2 of the amendments to the resolutions of the Cabinet of Ministers of Ukraine approved by the resolution of the Cabinet of Ministers of Ukraine of 17 January, 2018 No. 55 “Some Issues of Documenting Management Activities” (Official Gazette of Ukraine, 2018, No. 23, Art. 770).
