KG LEGAL \ INFO
BLOG

THE ISSUANCE OF QUALIFIED CERTIFICATE AND PROVISION OF TRUST SERVICES FOR FOREIGNERS IN POLAND

POLISH NATIONAL CERTIFICATION CENTRE

The Polish National Certification Centre is an organisation which maintains a list of trust service providers and qualified electronic signatures accepted in Poland. The legal framework for the functioning of this institution is provided by the Act of 5 September 2016 on Trust Services and Electronic Identification.

Article 2 of this Act reads:

Art. 2. [Tasks of the minister]

The Polish minister responsible for the informatization ensures the functioning of the national trust infrastructure, which includes:

1) a register of trust service providers, hereinafter referred to as the “register”;

2) trusted list;

3) a national certification center.[1]

The tasks of the Polish National Certification Centre are set out in Article 10. This article is crucial for trust service providers, because the tasks of the National Certification Centre include:

  1. Creating and issuing to qualified trust service providers the certificates for the verification of qualified electronic signatures and electronic seals;
  2. The publication of the certificates;
  3. The publication of revoked certificates lists.

Currently the National Certification Centre’s tasks are taken over by the National Polish Bank (Article 11 of this Act). The National Polish Bank website provides a link to the National Certification Centre: https://www.nccert.pl/.

A BRIEF GUIDE TO THE POLISH NATIONAL CERTIFICATION CENTRE WEBSITE

  • The homepage

The homepage of the Polish National Certification Centre includes information about the main tasks and duties of the National Certification Centre with reference to the legal acts (especially the abovementioned Act). It also includes: abbreviations for validation data, a presentation of the certificates of the National Certification Centre, and the list of qualified trust service providers with links to their websites.

  • Electronic signatures (certificates) accepted in Poland

The full list of certified trust service providers can be found in the Certificates tab. There are 2 lists:

  1. The list of certificates of trust services providers issued by the “NCCert2016” authority (with 22 entities) and
  2. The list of certificates of trust services providers issued by the “NCCert2009” authority (with 46 entities).

The full lists can be found under this link: https://www.nccert.pl/zaswiadczenia.htm.

  • The Qualified Trust Services Register

The National Certification Centre website presents a Register of Qualified Trust Services with the list of 28 entities registered in the said Register, run by the National Polish Bank since October 2005. The table in the Register contains the provider’s name, the type of trust service and the registration date.

There is also a Trust Services list tab, available under this link: https://www.nccert.pl/tsl.htm.

CONSTRUCTION OF THE ELECTRONIC SIGNATURE

An asymmetric key (the so-called public-private key pair) is often used in an electronic signature. The private key is known only to the user, and its confidentiality is one of the most important elements of signature security. The public key is open, and an electronic signature is created with its use. In asymmetric encryption methods, the sender and the receiver each have a separate pair of keys. The sender uses the recipient’s public key to encrypt the message. The addressee can read it using his secret private key. The asymmetry results from the fact that data encrypted with the public key of the pair can only be decrypted using the private key of that pair. When a user wants to receive confidential messages in encrypted form via e-mail, he creates a key pair with special software. He then publishes the public key or sends it to the people who intend to send him encrypted messages. The other activities are performed by the sender and the recipient as described below.[2]
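The roles of the two keys can be shown in a short runnable sketch. This is an added example, not taken from the cited source or from any trust service provider: it uses textbook RSA on fixed demo primes, where signing and decryption need the private exponent while verification and encryption need only the public key. All names and the sample text are assumptions made for the illustration.

```python
# Added illustration: textbook RSA on fixed demo primes, standard library only.
# NOT secure (no padding, special-form primes); it only shows which key does what.
import hashlib

P = 2**521 - 1                      # Mersenne primes picked so the demo needs
Q = 2**607 - 1                      # no key generation code (assumption)
N = P * Q                           # public modulus
E = 65537                           # public exponent: (N, E) is the public key
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, known only to the owner

SAMPLE_DOC = b"Subscriber agreement, constructed sample text"

def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, exponent: int = D) -> int:
    """Create a signature; a valid one requires the private exponent D."""
    return pow(digest(message), exponent, N)

def verify(message: bytes, signature: int) -> bool:
    """Check a signature using only the public key (N, E)."""
    return pow(signature, E, N) == digest(message)

def encrypt(plaintext: bytes) -> int:
    """Encrypt to the key owner using only the public key (N, E)."""
    m = int.from_bytes(plaintext, "big")
    if m >= N:
        raise ValueError("plaintext too long for this toy modulus")
    return pow(m, E, N)

def decrypt(ciphertext: int) -> bytes:
    """Recover the plaintext; only the holder of D can do this."""
    m = pow(ciphertext, D, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    sig = sign(SAMPLE_DOC)
    print("valid signature verifies:", verify(SAMPLE_DOC, sig))
    print("altered document verifies:", verify(SAMPLE_DOC + b"!", sig))
    print("signature made with public exponent verifies:",
          verify(SAMPLE_DOC, sign(SAMPLE_DOC, exponent=E)))
    print("decrypted:", decrypt(encrypt(b"confidential e-mail body")))
```

Because verification fails for the altered document and for a signature made without the private exponent, a relying party can detect both tampering and a signer who does not hold the private key.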

TRUST SERVICE AGREEMENT – HOW TO OBTAIN AND USE A QUALIFIED ELECTRONIC SIGNATURE – CASE STUDY

Basic elements of the contract

In a trust services provision agreement, the elements of the contract are:

  • Contract’s type: A subscriber agreement for providing qualified trust services
  • Place of conclusion and date of conclusion
  • Designation of parties.

Agreement entered into between Parties:

XYZ Limited Liability Company, with its registered office at ABC,

entered into the register of qualified trust service providers, XXX Joint Stock Company represented in accordance with the rules for representation by an authorized representative: John Smith, etc.

  • Main agreement definitions (in accordance with the subject matter of the agreement) such as:
  1. Certificate Policy and Certification Practice Statement – the document describing in detail the public key certification process, its parties, and defining the scope of issued certificates.
  2. eIDAS Regulation – Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (Official Journal of the EU, L No 257, p. 73).
  3. Certificate – an electronic certificate that binds electronic signature verification data to the person who uses the electronic signature and allows that person to be identified.
  4. Subscriber – a natural person who receives certification services and to whom the public key is assigned.
  • Subject of the agreement.

In this case the subject of the agreement may be boiled down to:

  1. The issuance of a qualified certificate and the provision of trust services related to the maintenance of the qualified certificate in accordance with the Agreement.
  2. The conclusion of the agreement for a definite period (e.g. from the date of conclusion until the end of the validity period of the certificate issued on its basis).
  3. The revocation of the certificate and the termination of the agreement related to this revocation (loss of validity of the certificate).

The Provider and Subscriber obligations

  • Trust Services Provider obligations:
  1. The issuance of the certificate to Subscriber (within some number of working days);
  2. The provision of trust services to the Subscriber in accordance with the conditions set out in the Statement (the Statement should be defined in the definitions article of the agreement);
  3. Revocation or suspension of the certificate upon the occurrence of any of the justifying circumstances;
  4. Publication of the revoked or suspended certificate;
  5. Notification of the Subscriber about the forthcoming expiry of the validity period.
  • Subscriber Obligations:
  1. Storage of the issued certificates during the validity period;
  2. Validation of the data contained in the issued certificates;
  3. A request to revoke the certificate if any of the agreed situations occurs.

Reservations, statements and payment terms

Such agreements also contain elements such as:

  1. Reservations, including modifications and restrictions of responsibility
  2. Statements of the parties related, inter alia, to liability for damages and to submitting only correct and true information, given voluntarily and with consent to the processing of personal data

Trust Services Provider guarantees

The Trust Services Provider may make guarantees such as:

  1. A guarantee that the activities and services covered by the provider are provided with adequate care and in accordance with the provisions of the agreement
  2. The warranty period for certification services
  3. The payment of compensation in the case of termination or cessation of certification services

INTERNATIONAL LEGAL EFFECTS OF ELECTRONIC SIGNATURE

A qualified electronic signature based on a qualified certificate issued in one of the Member States is effective in the other EU Member States in accordance with the eIDAS Regulation:

Article 25

Legal effects of electronic signatures

  • A qualified electronic signature based on a qualified certificate issued in one Member State shall be recognised as a qualified electronic signature in all other Member States.[3]

At the same time, it is recommended to obtain a qualified electronic signature that includes an authorization key based on the Polish Personal Identification Number (PESEL), which provides the highest level of electronic reliability. Therefore, before concluding the trust services provision agreement, the foreigner should first apply to the proper authority for the issuance of the Personal Identification Number and then conclude the agreement. After that, the electronic certificate will contain the reliable authorization key, and the electronic signature itself may be used in every EU Member State.

Sources:

  1. https://www.nccert.pl/ (information and photo sources)
  2. https://sip.lex.pl/#/act/18344658/2870950/uslugi-zaufania-oraz-identyfikacja-elektroniczna?keyword=ustawa%20o%20elektronicznej%20identyfikacji&cm=SFIRST
  3. https://oia.waw.pl/podpis-elektroniczny-szczegoly-rodzaje-i-zastosowanie/

[1] https://sip.lex.pl/#/act/18344658/2870950/uslugi-zaufania-oraz-identyfikacja-elektroniczna?keyword=ustawa%20o%20elektronicznej%20identyfikacji&cm=SFIRST, (access date: 12th August, 2021). 

[2] https://oia.waw.pl/podpis-elektroniczny-szczegoly-rodzaje-i-zastosowanie/,  (access date: 12th August, 2021).

[3] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014R0910&from=EN, (access date: 12th August, 2021).
