Author

Hesham ElSamra

Senior Associate


2 October 2023

Electronic Transactions and Trust Services in the UAE – 4 of 6 Insights

Comprehensive guide to approved authentication certificates, electronic signatures, Emirati list and archiving digital documents in UAE

  • In-depth analysis

This is part four of a six-part series. To read the previous insights, please view the series navigation at the bottom of this page.


Regarding the issuance of the approved authentication certificate for electronic signatures and seals, Article 24 of the cabinet decision outlines the following points:

  • Only approved trust service providers are allowed to offer the approved authentication certificates for electronic signatures or seals as an approved trust service.
  • Approved trust service providers can use an approved authentication certificate for electronic signatures or seals issued by another approved trust service provider, supported by an approved and valid electronic signature or seal, to authenticate the person requesting the certificate.
  • If an approved trust service provider uses a procedure equivalent to personal attendance to verify the identity and capacity of the person applying for an approved authentication certificate, the Authority may ensure that this procedure meets the requirements defined by the rules issued by the Authority.
  • The approved trust service provider issuing the approved authentication certificate must maintain and regularly update a database of these certificates.
  • The approved trust service provider should establish appropriate policies and practices for providing the approved authentication certificate, following the service policy and statement of practice for such service.
  • The service policy and statement of practice must adhere to the technical conditions and specifications specified by the decisions issued by the Authority.
  • The approved trust service provider is responsible for delivering the approved trust service in accordance with the procedures specified in the service's statement of practice and service policy. If any part of the trust service is provided by third parties, the approved trust service provider must define their responsibilities and ensure compliance with the rules set by the provider.

Regarding the cancellation of the approved authentication certificate for electronic signature or seal, Article 24 of the cabinet decision states the following:

  • If the approved trust service provider, who issued an approved authentication certificate for the electronic signature or seal, decides to cancel the certificate either upon the request of its owner or for reasons specified by the service provider, they must record the cancellation in their certificates database.
  • The approved trust service provider must also publish the status of the certificate cancellation on the certificate validation service within 24 hours from the date of receiving the certificate holder's request. The cancellation will become effective as soon as it is published.
  • The approved trust service provider is required to provide any approved party with information about the validity or cancellation of the authentication certificates issued by them. This obligation extends even after the expiration of the approved authentication certificate for the electronic signature or seal and for a minimum period of 15 years from its expiry. This information should be available free of charge and accessible at all times without any hindrance.

Regarding the saving of data for approved electronic signatures and approved electronic stamps, Article 22 of the Decree-Law left this matter partially unresolved, deferring it to the issuance of the cabinet decision. After the cabinet decision was issued, Article 28 clarified the following points:

  • Only an approved trust service provider, using suitable procedures and techniques capable of extending the authenticity period of approved electronic signatures or electronic stamps beyond their technical validity period, as determined by the Authority, is allowed to offer the service of saving the data. These procedures and techniques must not compromise the reliability of the approved electronic signature and seal.
  • The approved trust service provider must maintain the authenticity of the approved electronic signature and seal for at least 15 years from the date of the saving request.
  • All information necessary to verify the validity of the approved electronic signature or electronic seal must be kept by the approved trust service provider until the end of the saving period.
  • The approved trust service provider must ensure the integrity, quality, and clarity of the saved data for approved electronic signatures and electronic seals. Subscribers and other approved trust service providers, with explicit consent from the subscribers, should be allowed to use the saved data properly.
  • The saving evidence issued by the approved service provider must bear a qualified electronic signature or qualified electronic seal issued by the provider.
  • The approved trust service provider is responsible for defining suitable policies and practices to provide the service of saving approved electronic signatures and electronic seals as an approved trust service. These policies and practices must adhere to the technical conditions and specifications defined by the Authority.
  • The approved trust service provider is accountable for providing the approved service in line with the procedures outlined in the service policy and the statement of practice. If any part of the trust service is provided by third parties, the approved trust service provider must specify their responsibilities and ensure compliance with the required rules.

Regarding the archiving of digital documents, Article 29 of the cabinet decision outlines the requirements for government entities when preserving electronic documents that have been endorsed with a qualified or approved electronic signature or seal. The following points must be ensured:

  • The integrity of the electronic signature or seal must be maintained, preventing any unauthorized alteration to it.
  • The electronic signature or seal should be safeguarded from being deleted or removed.
  • If any allowed changes are made to the electronic document, the electronic signature or seal must be re-created on the new version of the document.

Regarding the validation of approved electronic signatures or seals, Article 30 of the cabinet decision outlines the following points:

  • Only an approved trust service provider that meets the requirements specified in Article 20 of the Decree-Law can offer the service of validating approved electronic signatures or seals. The conditions for valid electronic signatures and seals include using an approved and valid authentication certificate, proper submission of signatory identification data to the approved party, technical and security compliance, and other conditions specified in the Implementing Regulation.
  • The service of proving the authenticity of the approved electronic signature and seal should be provided by the approved trust service provider in an automated and reliable manner, with the result of the validation being signed by a qualified electronic signature or stamp from an approved service provider, or by any other method specified in the Implementing Regulation.
  • The service provider offering the validation service should establish appropriate policies and practices for the validation process.
  • Time information added to the validation result should be established using an approved time stamp.
  • The approved trust service provider is responsible for providing the validation service in line with the procedures outlined in the service policy and statement of practice. If any part of the service is provided by third parties, the approved trust service provider must define their responsibility and ensure compliance with required rules.
  • The Authority will issue decisions related to technical standards and specifications that must be adhered to by approved service providers, including operational and security rules, service management mechanisms, physical security requirements, and technical and security inspection processes before offering the service to subscribers. Additionally, the requirements for inclusion of the validation service in the UAE Trust List will be specified.

Regarding the service of creating approved electronic time stamps, Article 31 of the cabinet decision states that only an approved trust service provider who complies with the provisions of Article 23 of the Decree-Law can offer this service. Article 23 specifies the conditions that must be met for an approved electronic time stamp, which are as follows:

  • The date and time in the time stamp must be related to the data in a way that prevents any undetectable changes to the data.
  • The time source used for the time stamp must be accurate and linked to Universal Time.
  • The approved electronic time stamp should be signed or stamped using a qualified electronic signature or qualified electronic stamp by an approved trust service provider, or by any other method specified in the Implementing Regulation of this Decree-Law.

Approved Electronic Delivery Services, defined as the electronic transfer of data between individuals with protection against risks like loss, theft, damage, or unauthorized changes, are regulated by Article 32 of the cabinet decision as follows:

  • Only approved trust service providers complying with Article 24 of the Decree-Law can offer approved electronic delivery services. The conditions for this service are:
    (i) Provided by one or more trusted service providers.
    (ii) Sender's identity verified with a high level of security and confidence according to the Decree-Law's Implementing Regulation.
    (iii) Recipient's identity verified before data delivery.
    (iv) Transmitted data signed or stamped using a Qualified Electronic Signature or Qualified Electronic Stamp by an Approved Trust Service Provider, or by a method specified in the Implementing Regulation.
    (v) Notifying both sender and recipient of any necessary changes in the transmitted data.
    (vi) Timestamping the time of sending, receiving, and any modifications with an Approved Electronic Time Stamp.
  • The provider of the approved electronic delivery service must ensure a high level of security and trust in determining the identity of both the sender and the recipient, eliminating risks and preventing identity misuse or tampering.
  • The provider of the service should establish appropriate policies and practices for the approved electronic delivery service, meeting technical conditions specified by the Authority.
  • The provider is responsible for delivering the service according to the procedures mentioned in the service policy and statement of practice. If third parties are involved, their responsibilities must be defined and aligned with the approved service provider's rules.
  • The Authority issues decisions on technical standards and specifications for the provider, including the service policy, statement of practice, electronic delivery service messages, guides used, and requirements for listing the service in the UAE Trust List.
  • Data sent and received through the approved electronic delivery service is presumed to have integrity, originate from an identified sender, be received by an identified recipient, and have accurate sending and receiving timestamps provided by the service.

Regarding the Compliance Rating, it is defined as an audit conducted by the Authority or any authorized entity to assess how well the license applicant or licensee adheres to the conditions, rules, and standards outlined in this Decree-Law, along with the decisions issued to implement it.

Article 33 of the cabinet decision lays down the following provisions:

  • Only entities approved and accredited by the Authority can conduct compliance assessments for implementing the Decree-Law, this Decision, the Authority's implementation decisions, and requirements of relevant entities.
  • The compliance assessment entity must be approved and registered with the Authority.
  • The compliance assessment entity prepares a report that evaluates the extent to which the license applicant or licensee complies with the requirements of the Decree-Law, this Decision, the Authority's implementation decisions, and the requirements of relevant authorities.
  • Compliance assessment reports must meet the specifications and procedures set by the Authority.
  • The compliance assessment entity must avoid any actual or potential conflicts of interest when evaluating the license applicant or licensee. The Authority will define the necessary standards and rules regarding this matter.
  • The Authority issues decisions concerning technical standards and specifications that compliance assessment entities must adhere to, including mechanisms for accrediting assessment authorities and audit rules to be followed during compliance assessments of trust service providers or approved trust service providers and the services they offer.

The Authority establishes a list known as the "Emirati Trust List," which identifies Trust Service Providers and Approved Trust Service Providers along with their services and related information. This list determines the status of their license and the extent of their compliance with the Decree-Law, Implementing Regulation, and decisions issued by the Authority for implementation. Article 27 of the Decree-Law outlines the contents of this list, including Licensees and their services, the Electronic Identification System, and the Approved Electronic Signature and Stamp Tools. The Authority will publish this list through various means it deems appropriate.

Furthermore, Article 34 of the cabinet decision specifies the controls and conditions for including Licensees, Approved Trust Service Providers, and their services in the UAE Trust List. Here are the key points:

  • The Authority will create the "UAE Trust List" according to its determined specifications and publish it on its website. This list will contain information about trust service providers, the trust services they offer, and the status of their licenses. It will also include details about approved trust service providers, the approved trust services they provide, their license status, and approval capacity.
  • Trust service providers and approved trust service providers must provide the information mentioned in the first point above in a confirmed and documented manner through compliance reports issued by the compliance assessment entity or the Authority.
  • The Authority will issue decisions related to the standards, technical specifications, and procedures for the UAE Trust List. This includes determining the form, content, posting mechanism, maintenance, amendment process, and the mechanism for reading and using the list by approved parties.
  • The Authority will list the Licensees in the UAE Trust List based on the services specified in their license.
  • When listing the Licensees in the UAE Trust List, the Authority will assign a unique and clear digital ID to each service specified in the license, following technical specifications and decisions issued by the Authority for this purpose.

To be continued on Monday 9th October; stay tuned.

Related Insights

Commercial & Distribution Law

Exploring electronic identification system security levels, penalties, and law enforcement

16 October 2023
In-depth analysis

by Hesham ElSamra

Commercial & Distribution Law

Guidelines and rules for Trust Service Providers: using trust marks, liability, and accessibility in electronic transactions and trust services

9 October 2023
In-depth analysis

by Hesham ElSamra

Commercial & Distribution Law

Understanding the obligations, suspensions, and requirements of trust service providers and electronic signatures in UAE

19 September 2023
In-depth analysis

by Hesham ElSamra