New directives beef up trust in e-commerce

Ross Bentley

The European e-commerce market will not be comparable to the US until users within the EU learn to trust the security of the Internet, according to Erkki Liikanen, European commissioner for the Enterprise and Information Society.

Speaking at the Information Security Solutions Europe Conference in Barcelona, a fortnight ago, Liikanen said, "In the absence of an adequate degree of security in the networks and privacy protection, there will be no trust. And achieving trust is instrumental, both to the large take-up of the Internet in European homes and businesses, and to the expansion of electronic-commerce - no trust, no transaction".

Liikanen said that in the past year, the commission had delivered two directives which were aimed at stimulating the security market. The first is on electronic signatures.

Liikanen said, "It was adopted on 30 November 1999, and it must be incorporated into the national legislation of all EU Member States by 19 July 2001. The directive mainly concerns qualified certificates, which aim to provide proof of the identity of the signatory of electronic data. The legislation is mainly concerned with two things.

"Firstly it establishes common rules for the legal recognition of electronic signatures in the EU. The aim is to ensure that electronic signatures and hand-written signatures have equivalent legal effects for certain legal purposes. A key issue here is that electronically signed data is recognised as proof of evidence in court.

"Second, the directive ensures that member states recognise electronic signatures and certificates delivered in another member state. This means there can be no restriction on the supply of certification services originated in another EU country. Furthermore, the supply of certification services cannot be submitted to prior authorisation regimes."

The second directive is the Dual-use Regulation. It governs the trade of goods that can have both a civilian and military use, both within the internal market and with non-EU countries. This includes encryption goods. The new Dual-Use Regulation was adopted on June 22.

Liikanen said, "This piece of legislation marks a major progress. It strikes the right balance between, on the one hand, the need to control information security goods and technologies - in particular to avoid the proliferation of encryption products to certain countries and criminal organisations, and on the other, the need to protect the interests of the European security industry.

"So, what changes today? Regarding the trade of information security goods within the internal market, it is fully liberalised. There is only an exception for highly-specialised products such as cryptanalysis. But even there, the rules have been simplified. Member states can issue general authorisations which can be obtained by fulfilling basic requirements.

"Regarding exports to non-EU countries, rules are simplified a lot - which should substantially reduce red tape. In particular, a general export licensing scheme has been introduced, which is valid for 10 of our main trading partners. For other destinations, exporters can apply for an individual or national licence."

There was also a rallying cry from Liikanen for EU members to unite in the battle against cybercrime. But he warned, "Whatever action we undertake, the philosophy that must prevail is that the Internet is - and must remain - an area of freedom.

"Thus, the instruments that law enforcement agencies use must be carefully circumscribed, and based on very precise rules."
