Methodical procedure in the conformity assessment of e-Registry with requirements laid down by legal rules

     The National Security Authority (hereinafter referred to as “the NSA”), as the central body of the state administration for the electronic signature in accordance with Article 24 (8) of the Act No. 215/2002 Coll. on Electronic signature and on the amendment and supplementing of certain acts as amended (hereinafter referred to as “the Act”), assesses and verifies the conformity of the Electronic Registry (hereinafter referred to as “e-Registry”) with requirements laid down by the legal rules. Security and functional requirements for e-Registry derive from the Act and from the NSA Regulation No. 136/2009 Coll. on the method and procedure of using the electronic signature in business and administrative relations (hereinafter referred to as “the Regulation”).

     The main objective of the present document is to define a methodical procedure for the assessment of e-Registry as a technical device (a set of hardware and software elements) operating in automatic mode which, in the required configuration and with organizational measures, is able to receive, send and confirm the receipt of electronic documents, electronic documents signed by the electronic signature and electronic documents signed by the qualified electronic signature.

Definition and abbreviations

      Electronic Registry (e-Registry) - a technical device (a set of hardware and software elements) operating in automatic mode, which operates in the required configuration with organisational measures as defined in the Regulation; in particular, it receives, sends and confirms the receipt of electronic documents, electronic documents signed by the electronic signature and electronic documents signed by the qualified electronic signature.

     The applicant for the conformity assessment can be the e-Registry producer, creator or operator. The applicant must fulfil the following conditions for the conformity assessment:

  • to submit the request for the conformity assessment in the following form (in Slovak version), published on the NSA web page,
  • to deliver the accompanying technical documentation,
  • to deliver a SW resolution of e-Registry.

     The NSA performs the conformity assessment of e-Registry with requirements laid down by the legal rules pursuant to the NSA methodology published as “Conformity Assessment Methods of the Electronic Registry in administrative relations” (Slovak version) (pdf, 75.2 kB).

1. Submitting the request

     The NSA performs the conformity assessment of e-Registry with requirements laid down by the legal rules on the basis of the request for the conformity assessment of the electronic registry (Slovak version) (rtf, 142.5 kB).

The request for the conformity assessment must contain:

1. applicant personal data,
2. statement from the companies registry (it cannot be older than three months) or trade licence,
3. e-Registry name,
4. e-Registry version,
5. e-Registry identification,
6. producer name of e-Registry,
7. technical documentation of e-Registry,
     - operating instruction,
     - e-Registry description,
     - e-Registry functionality description,
     - e-Registry character description,
     - operating platforms of e-Registry,
     - supported standards and protocols,
     - list and parameters of cryptographic functions,
8. security certificates of e-Registry, certificates of e-Registry compatibility, final statement of the security audit (if it is created),
     - Producer Statement of conformity with the legislative requirements established by the legal regulations.

      The recommended content of the individual annexes of the request for the conformity assessment of e-Registry is described in the following comment (Slovak version) (pdf, 25.7 kB).

     Annexes of the request can be delivered in paper or electronic form. If the annexes are delivered in electronic form, the files must be in approved formats (e.g. .pdf, .rtf) and accompanied by a signed covering letter with hash imprints (SHA-1 or higher hash algorithms) of the individual files. All documentation must be in the Slovak language, or an officially verified translation into the Slovak language must be enclosed with the request (with the exception of documentation in the Czech language).

     Existing security certificates for e-Registry from testing laboratories accredited by the National Accreditation Institution recognised by the NSA, certificates of e-Registry compatibility, or possibly the final audit statement can be taken into consideration and can shorten the whole process.

2. Loan of a device

     The e-Registry product itself (SW resolution), together with the supporting SW, must be attached to the request. The product must be in a form that is ready for installation, with enclosed hash imprints of the individual modules. (If it is not possible to loan the product for installation and testing at the NSA, verification of the functionality of the e-Registry product at the applicant must be part of the assessment process.)

3. Fees

     Submitting the request for the conformity assessment of e-Registry is subject to a fee pursuant to Article 24 (15) of the Act. The amount of the payment is determined by the Act of the National Council of the Slovak Republic No. 145/1995 Coll. on Administrative fees as amended. The fixed fee must be paid when the request is submitted.

4. Assessment of the request

     The NSA checks the delivered request according to part (1). If the request contains the necessary requirements, the NSA confirms receipt of the request and passes it to the Department of Information Security and Electronic Signature. The Department of Information Security and Electronic Signature performs the conformity assessment process.

     The Department of Information Security and Electronic Signature checks the content of the request and compares it with the submitted product. It determines a plan and decides on the start of the conformity assessment process. The request is considered complete if it contains all requisites required by law pursuant to Article 24 (11). If the request is not complete, the applicant is asked to complete it within 15 workdays. If the request is not completed by that time, the NSA, pursuant to the law, shall stop the proceedings.

5. Completion of the request

     If the request does not contain all requirements according to part (2), if the request has any deficiency, or if some data need to be added, the NSA asks the applicant to add the necessary data or eliminate the deficiencies within 15 workdays. If the request is not completed by that time, the NSA, pursuant to the law, shall stop the proceedings.

6. Request revocation

     The request for the conformity assessment will be revoked if any of the reasons to stop the proceedings, which are listed exhaustively in Article 30 of the Act 71/1967 Coll. on Administrative proceeding (Administrative Code) as amended, has arisen.

     To re-submit the request for the conformity assessment, the applicant is obliged to fulfil all requisites and procedures concerning the process of the conformity assessment.

7. The process of the conformity assessment

     The conformity assessment of e-Registry with the requirements laid down by the legal rules follows these steps:

8. Decision issuing

     Once the complete request for the conformity assessment of the Electronic Registry has been submitted, the NSA shall decide within 90 days whether to approve or disapprove the conformity of e-Registry with the requirements laid down by the legal rules.
    8.1. If the product fulfils all the requirements according to part (7) throughout the assessment process, the NSA will issue the applicant a certificate of the conformity of the product with the requirements laid down by the legal rules. The validity of the certificate is limited to a maximum period of five years. The assessed e-Registry will be automatically added to the list of e-Registries assessed for conformity, which is published on the NSA web page.
    8.2. If e-Registry does not fulfil the requirements defined in part (7), the NSA will issue the applicant a decision stating that e-Registry does not fulfil the requirements laid down by the legal rules.
    8.3. A device (the e-Registry product) loaned for the conformity assessment process is returned to the applicant.

9. E-Registry establishment and putting into operation

     Pursuant to Article 29 (1) of the Act No. 215/2002 Coll. on Electronic signature and on the amendment and supplementing of certain acts as amended, public bodies are obliged to notify the NSA of the electronic address of the Electronic Registry at which they receive submissions in the form of electronic documents signed by the electronic signature or electronic documents signed by the qualified electronic signature.

     Public bodies which already run e-Registry must fulfil this obligation within six months from the day the Act entered into force (by 30 June 2009).

     The list of electronic addresses is published by the NSA on its web page.

 
2010 © NBU SR, Budatínska 30, P.O.BOX 16, 850 07 Bratislava 57