Cabinet Resolution No. (28) of 2023 on the Executive Regulations of Federal Decree-Law No. (46) of 2021 on Electronic Transactions and Trust Services
The Cabinet, having reviewed:
- The Constitution;
- Federal Decree-Law No. (1) of 1972, on the Competences of Ministries and the Powers of Ministers, as amended;
- Federal Decree-Law No. (14) of 2021, Establishing the Federal Authority for Identity, Citizenship, Customs and Port Security;
- Federal Decree-Law No. (45) of 2021, on the Protection of Personal Data;
- Federal Decree-Law No. (46) of 2021, on Electronic Transactions and Trust Services;
- Federal Decree-Law No. (42) of 2022, Enacting the Civil Procedure Code; and
- Based on the Proposal submitted by the Board Chairman of the Telecommunications and Digital Government Regulatory Authority, and the Cabinet approval thereof,
Hereby resolves as follows:
Article (1) Definitions
The definitions set forth in Federal Decree-Law No. (46) of 2021, referred to hereinabove, shall be applied to this Resolution; otherwise, the following words and expressions shall bear the meanings assigned thereto respectively, unless the context requires otherwise:
Word or Expression | Definition |
---|---|
Decree-Law | Federal Decree-Law No. (46) of 2021, on Electronic Transactions and Trust Services. |
Competent Authority | The authority that issues the Trade License. |
Termination Plan | A document that sets out the procedures related to the Licensee’s plan and preparedness to terminate the services outlined in the License, pursuant to the Decree-Law and this Resolution and the resolutions issued by the TDRA in implementation of both of which, and the requirements of the Competent Authorities. |
Service Practice Statement | A statement of practices used by the Trust Service Provider and the Qualified Trust Service Provider in the management and operation of services. |
Service Policy | A specific set of rules setting out policies, procedures, technical data, roles and responsibilities related to the management and operation of Trust Services and Qualified Trust Services. |
Subscriber | A Person that enters into a contract with the Trust Service Provider or with the Qualified Trust Service Provider to benefit from Trust Services or Qualified Trust Services provided by such provider. |
Status of Qualified Service Provider | The status granted or withdrawn by the TDRA, as per the term of qualification and as listed in the UAE Trust List, which confirms that the Qualified Trust Service Provider that provides such service is qualified for providing the same. |
Encryption | A process intended to protect the confidentiality of data and information by converting data from a readable and understandable format into a non-understandable format in the form of codes, characters and figures. |
Article (2) License Application
- The TDRA shall publish necessary information on all procedures, application forms and information required for the License purposes, on the website of the TDRA or by any means it deems appropriate.
- The License application shall include all information required by the TDRA, and such information shall be provided by methods and means determined by the TDRA.
- The License applicant shall abide by all procedures and shall use application forms determined by the TDRA.
- The TDRA shall determine documents and data to be included in the License application, including the following documents and data:
- a. A copy of the License issued by the Competent Authority or other documents that authorize the Licensee to carry out the business activities in the State;
- b. Description of commercial activities unrelated to Trust Services and Qualified Trust Services authorized to be practiced by the License applicant;
- c. Details of the License applicant’s business office in the State;
- d. A copy of the License applicant’s action plan showing the nature and strategy of business, objectives, marketing plans and the service provision plan;
- e. Type of the trade license and partners’ equity interests, if any, and the License applicant’s organizational structure;
- f. Details of institutional and operational capacities of the License applicant;
- g. A report on the Compliance Assessment for a period not exceeding one month;
- h. A copy of the documents submitted during the process of the Compliance Assessment referred to in Subclause (g) above;
- i. A service Termination Plan, pursuant to the provisions of Article (18) hereunder;
- j. A financial report for the last fiscal year to be drawn up by an auditor accredited in the State, confirming the availability of financial resources equivalent to (AED 5,000,000) five million dirhams;
- k. Providing a bank guarantee or security as identified by the TDRA, and which shall be automatically renewed upon the license renewal; and
- l. A proof of payment of the License application fees, as per the means set by the TDRA.
Article (3) License Application Examination Procedures
- The TDRA shall complete and examine the License application and shall verify the information and documents submitted, within a month following the completion date of the application. In cases that require more time for review and verification, the License applicant shall be notified of the further updated period.
- In the event of any justifiable alterations of the data or documents submitted in the License application, or where the License applicant desires to cancel the License application, the latter shall so notify the TDRA and shall bear the relevant fees and costs.
- The TDRA may relieve the License applicant from certain licensing requirements set out in this Resolution and the resolutions issued by the TDRA.
Article (4) TDRA Decision After the License Application Examination
- The TDRA shall issue its decision after reviewing and examining the License application as follows:
- a. Approving the License application for providing Trust Services or specific Qualified Trust Services if the TDRA is convinced that the License applicant has fulfilled the requirements set forth in the Decree-Law and this Resolution and the resolutions issued by the TDRA in implementation of both of which, and the requirements of the Competent Authorities.
- b. Rejecting the License application for providing Trust Services or specific Qualified Trust Services if the TDRA is convinced that the License applicant has not fulfilled the requirements set forth in the Decree-Law and this Resolution and the resolutions issued by the TDRA in implementation of both of which, and the requirements of the Competent Authorities.
- Where the TDRA approves the License application for providing Trust Services or Qualified Trust Services set out in the application:
- a. The TDRA shall issue a License authorizing the applicant to provide the approved Trust Services or Qualified Trust Services subject to payment of the License issuance fees; and
- b. The TDRA shall update the UAE Trust List according to the License decision on the basis of each Trust Service or Qualified Trust Service set out in the License.
- If the License application for providing Qualified Trust Services set out in the application is approved, the TDRA shall grant the License applicant a License authorizing the same to provide such services, shall grant the License applicant the Status of Qualified Service Provider, and shall update the UAE Trust List accordingly on the basis of each Qualified Trust Service set out in the License.
Article (5) Power to Issue License
The TDRA shall issue the License decision following the approval of the Chairman or his delegate.
Article (6) Term of License
The term of the License shall be two years, commencing from the date of issuing the License.
Article (7) License Renewal Application
- At least (3) months prior to the expiry of the License term, the Licensee shall fulfill all requirements for the License renewal, subject to the following:
- a. The License renewal application shall include all details and documents mentioned in Clause (4) of Article (2) above, along with any other details or documents identified by the TDRA.
- b. The License renewal application shall include a proof of payment of the License renewal application fees, as per the method and means determined by the TDRA.
Article (8) Failure to Timely Renew the License
A Licensee, whose License term expires without getting the License renewed (30) thirty days prior to the License expiry date, shall be deemed in breach, and shall be sanctioned according to the administrative sanctions applicable in that respect.
Article (9) License Renewal Application Examination Procedures
The TDRA shall review and verify the data and documents submitted within the License renewal application, as per the procedures set out in Article (3) above.
Article (10) Decision on License Renewal
The TDRA shall issue its decision after reviewing and examining the License renewal application as follows:
- Approving the License renewal application if the TDRA is convinced that the License renewal applicant has fulfilled the requirements set forth in the Decree-Law and this Resolution and the resolutions issued by the TDRA in implementation of both of which, and the requirements of the Competent Authorities, and, accordingly, the TDRA shall:
- a. Issue a License authorizing the applicant to provide the approved Trust Services or Qualified Trust Services after paying the License issuance fees; and
- b. Update the UAE Trust List according to the License decision on the basis of each Trust Service or Qualified Trust Service set out in the License application.
- Rejecting the License renewal application where the TDRA is convinced that the License renewal applicant has not fulfilled the requirements set forth in the Decree-Law and this Resolution and the resolutions issued by the TDRA in implementation of both of which, and the requirements of the Competent Authorities, as the case may be. In this case, TDRA may take any of the following actions:
- a. To set a time limit to address the non-compliance, then the rejection decision shall be reconsidered or finally approved; or
- b. To apply the administrative sanctions applicable in this regard.
Article (11) Grievance Against TDRA’s Decision
The License applicant or the License renewal applicant whose application is rejected may submit a new application, as per the procedures applicable thereto, or file a grievance within (14) days against the TDRA’s rejection decision.
Article (12) Suspension or Revocation of the License
- If the License of Trust Service Providers or Qualified Trust Service Providers is suspended, the Licensee shall promptly cease to list any new Subscribers to services set out in the License, and shall keep providing the services to Subscribers existing before the effective date of the suspension decision.
- If the License of Trust Service Providers or Qualified Trust Service Providers is revoked, such provider shall be served with a notice to activate the Termination Plan for all or any of the services set out in the License, along with adjusting the UAE Trust List when completing the implementation of the Termination Plan.
- If a Qualified Service Provider’s License is revoked, the Status of Qualified Service Provider for delicensed services shall be withdrawn.
- In all cases, upon the expiry or revocation of the License term, the Licensee may directly suspend Trust Services or Qualified Trust Services only according to the procedures set by the TDRA, and the Licensee shall be exempted from the obligations set out in the Decree-Law and this Resolution and the resolutions issued by the TDRA in implementation of both of which, and the requirements of the Competent Authorities, as the case may be, only after obtaining the prior approval of the TDRA.
- The application of the procedures set out in this Article shall not preclude the application of the administrative sanctions or the penalties set forth in the Decree-Law.
Article (13) Cases of Amendment to the License
- The Licensee shall notify the TDRA within one week in case of any amendments to or changes in the information submitted in the License or renewal application or the documents submitted for obtaining the compliance report.
- The Licensee shall be required to obtain the prior approval of the TDRA in cases of adjustment or change of data and information that had been provided to TDRA, as determined by the TDRA, including the following data and information:
- a. Details of the establishment and ownership and the business office of the Licensee in the State;
- b. Technical, administrative and financial capacity for the management and operation of the services set out in the License;
- c. Any change in the procedures of verifying the identity of Trust Services or Qualified Trust Services applicants and Subscribers;
- d. Any change to information systems of Trust Services or Qualified Trust Services; and
- e. Any amendments to the Termination Plan.
- Changes introduced to the License, Trust Services, Qualified Trust Services or the Status of Qualified Service Provider shall be listed in the UAE Trust List on a regular basis if the same is required by the change, at the discretion of the TDRA.
- The TDRA shall identify means for submitting and processing amendment applications under resolutions issued by the TDRA.
Article (14) Costs of License Suspension or Revocation
The License renewal applicant or the Licensee, whose Status of Qualified Service Provider is withdrawn or whose License is suspended or revoked, shall bear all expenses related to the Compliance Assessment reports.
Article (15) Obligations of the Licensee
The Licensee shall satisfy the following requirements:
- Details and documents submitted by the Licensee to the TDRA must be up-to-date and accurate throughout the License period.
- Acting in a fair and impartial way in respect of all its activities, transactions and service offer and marketing, without causing monopoly or an impact on the sector competitiveness or Subscribers, including the Licensee’s obligation not to publish incorrect or inaccurate information or preclude the mechanisms of executing the Decree-Law, the present Resolution, resolutions issued by the TDRA in pursuance of the Decree-Law and the present Resolution and the requirements of the Competent Authorities.
- Assuming the liability for damage deliberately or negligently afflicting any Person due to the Licensee’s failure to fulfil the obligations prescribed under the Decree-Law and this Resolution and the resolutions issued by the TDRA in implementation of both of which and the requirements of the Competent Authorities.
- Informing Subscribers of Trust Services or Qualified Trust Services provided by the Licensee of any restrictions on the use of such services before such services are provided to Subscribers, and that the Licensee will not assume any liability for damage caused by using such services should such restrictions be bypassed.
- Adopting adequate policies based on the assessment of risks threatening the services provided by the Licensee, along with taking adequate necessary technical and organizational measures for the management of legal, administrative, security and operational risks and other direct and indirect risks, without being prejudicial to security and reliability levels and to the extent of being adequate to the degree of severity. In particular, due diligence and necessary measures shall be taken for:
- a. Procedures of registration and verification of Subscribers and activation of services to them;
- b. Procedural and sanction controls;
- c. Management and implementation of services;
- d. Preventing and minimizing the impact of security incidents and informing the Competent Authorities, as the case may be, Subscribers and qualified entities of the negative impacts of any of such incidents if occurred; and
- e. Ensuring the protection of cybersecurity of information systems of the Licensee, as per the approved cybersecurity policies.
- Taking all necessary technical and organizational measures to comply with the federal laws and regulations governing the protection of data or personal data, so as to ensure the protection and preservation of the Subscriber’s personal data and prevent any accessibility to and disclosure of such data without obtaining the Subscriber’s consent and within the limits necessary to provide the service to the same.
- Promptly notifying the TDRA and the Subscribers in the following cases:
- a. Exposure of the Licensee’s information systems to any risk affecting the integrity and safety of the services provided;
- b. Exposure of information or documents of the Subscribers to unauthorized disclosure; or
- c. Hacking the security of retained personal or non-personal information or data or lacking the validity and integrity thereof, in a manner affecting the services provided.
- Informing the Subscribers and the Relying Parties in a clear and accessible way before starting to provide Trust Services or Qualified Trust Services of all terms and conditions related to the use of such services, including any restrictions on such use, obligations and responsibilities to be assumed by the Subscribers and the Relying Parties when using such services, as well as seeking the consent of the Subscribers and the Relying Parties before starting to provide the services to them.
- Notifying the party relying on Trust Services or Qualified Trust Services of levels of security and trust of the used Digital Identity as part of the service provision.
- Ensuring the compliance with the requirements, standards and controls of the security and trust level technology defined in the Electronic Identification System approved by the TDRA.
- Preparing a constantly-updated Termination Plan to ensure a continuous service, pursuant to the Decree-Law, the present Resolution and the resolutions issued by the TDRA in pursuance to the Decree-Law and the present Resolution, and the requirements of the Competent Authorities. The Termination Plan shall show the following:
- a. Means for notifying the Subscribers upon the termination or discontinuation of services;
- b. Mechanism for ensuring the safety and reliability of the Subscribers’ records;
- c. Methods for the Subscribers affected by the termination or discontinuation of services to access their records; and
- d. Methods to ensure unaffected transactions and records made and created by the Subscribers throughout the period of providing Trust Services by the Licensee.
- Recording and maintaining information related to data issued and received by the Licensee, particularly data used to provide proofs for any legal proceedings or to ensure the continuity of service for a period not less than (15) fifteen years from the date of creating the master register, other than identification proofs used to issue the authentication certificate, which shall be recorded and maintained for a period not less than (10) ten years from the certificate expiry date, along with giving access to such information.
- Developing adequate mechanisms to receive and handle complaints, as per the requirements identified by the TDRA.
- Drawing up the service policy document and the practice statement, as per the standards and controls issued by the TDRA.
- Fulfilling the standards and requirements issued by the TDRA when identifying service procedures, as listed in the service policy document and the practice statement document.
- Publishing the service policy and the practice statement, as amended, to the public in Arabic and English, in an electronic format accessible 24/7.
- Publishing the service policy disclosure document provided, which briefly shows key points of the policy of providing the service to the Subscribers and the Relying Parties.
Article (16) Obligations of the Qualified Trust Service Provider
In addition to the obligations set forth in Article (15) above, the Qualified Trust Service Providers shall comply with the following controls and procedures:
- Fair, honest and professional business conduct in the course of all their activities and operations.
- Appointing personnel with specialized expertise, as per the competence and the required and reliable practical and scientific expertise, from among those who hold adequate certifications and trainings on the rules of information security and personal data protection, and of those who are familiar with the relevant national and international standards.
- Securing adequate financial resources for the management and operation of Qualified Trust Services.
- Using reliable and secure systems to store, process and protect data in such a manner that such data can be:
- a. Retrieved, subject to the prior consent of the data subject;
- b. Entered, processed and changed only by authorized Persons; and
- c. Validated.
- Taking all actions necessary for preventing data falsification, theft and unauthorized use.
- Using reliable and secure systems and technologies protected from hacking and unauthorized modification and change, including techno-security and security of procedures and transactions supported by the same.
Article (17) Discontinuation of Services
- The Licensee may not discontinue any of its activities or services without the prior approval of the TDRA.
- The application for discontinuation of Trust Services or Qualified Trust Services shall be made according to the means identified by the TDRA.
- The TDRA shall reply to the application for discontinuation of Trust Services or Qualified Trust Services within one month from the date of submitting the application. In cases where more time is required for review and examination, the Licensee shall be notified of the updated period.
- The Licensee shall notify the TDRA of its desire to discontinue providing any Trust Services or Qualified Trust Services, in whole or in part, at least (3) three months prior to the scheduled termination date.
- The Licensee shall inform the public, including the Subscribers and the Relying Parties, of its desire to discontinue providing any of its services, in whole or in part, at least (2) months before the scheduled termination date and after obtaining the TDRA’s approval.
- The Licensee shall help and enable the Subscribers to transfer to another Licensee providing services similar to the services intended to be terminated, as the case may be, as per the controls and instructions set by the TDRA.
- The Licensee shall take necessary measures to ensure that the discontinuation of any of its services or part thereof will not disrupt the verification of validity and reliability of the service outcomes that would have arisen before the actual termination thereof.
Article (18) Licensee’s Obligations to Activate the Termination Plan
The Licensee shall activate its service Termination Plan and shall take the following actions:
- Revoking all certificates of authentication or data of Subscribers’ accounts issued by the Licensee pertaining to the services intended to be terminated, which had not been revoked or which will not expire before the Licensee terminates its services, whether the Subscribers request to terminate the same or not;
- Revoking all other relevant certificates;
- Destroying, suspending or preventing the use of all data of creation of Electronic Signature/Seal of the Licensee or Subscribers, including backups, so that the data of Electronic Signature/Seal creation cannot be restored; and
- The Licensee shall keep providing its services to the Subscribers within the term of the Termination Plan approved by the TDRA, and it may not provide its services to any new Subscriber from the date of activating the Termination Plan.
Article (19) Reliable Electronic Signatures and Seals
- A Reliable Electronic Signature/Seal shall fulfill the specifications and standards of Encryption, the mechanism and requirements for an Electronic Signature/Seal creation, information security controls and additional requirements under the resolutions issued by the TDRA.
- A Reliable Electronic Signature/Seal shall be created according to one or more of the templates and formats identified under the resolutions issued by the TDRA.
Article (20) Qualified Electronic Signatures and Seals
A Qualified Electronic Signature/Seal shall fulfill the following requirements:
- Fulfilling the conditions under the resolutions issued by the TDRA, as set forth in Article (19) above at the time of signature;
- Not to compromise the integrity of data signed;
- The device used to create a Qualified Electronic Signature/Seal shall fulfill the requirements set out in Article (26) hereunder; and
- Any additional requirements set by the TDRA under the resolutions issued by the TDRA in implementation of the Decree-Law and this Resolution, and the Competent Authorities’ requirements.
Article (21) Requirements for Qualified Electronic Signature/Seal Authentication Certificate
- A Qualified Electronic Signature/Seal Authentication Certificate shall include the following:
- a. Wording or reference, in at least automatable format, stating that the certificate has been issued as a Qualified Electronic Signature/Seal Authentication Certificate.
- b. A set of data that unequivocally identify the Qualified Trust Service Provider that issues Qualified Electronic Signature/Seal Authentication Certificates, including a reference to the United Arab Emirates being the State where the provider provides such service. Such data shall include name and ID number of the Qualified Trust Service Provider, as mentioned in official registers.
- c. A set of data that unequivocally represents the signature/seal issuer’s identity, including the following data:
- Full name of the Signatory, and where applicable, the identification number as mentioned in official registers; and
- A pseudonym, and if used, it shall be clearly referenced.
- d. Signature/seal verification data corresponding to the Electronic Signature/Seal creation data.
- e. Details of the Qualified Electronic Signature/Seal Authentication Certificate validity period (start and end).
- f. Identification code of the Qualified Electronic Signature/Seal Authentication Certificate, which must be unique for the Qualified Trust Service Provider.
- g. The Qualified Electronic Signature/Seal issued by the Qualified Trust Service Provider that issued the Qualified Electronic Signature/Seal Authentication Certificate.
- h. A free link to download the Qualified Electronic Signature/Seal Authentication Certificate.
- i. The website of accessible services to check the validity of the Qualified Electronic Signature/Seal Authentication Certificate.
- Where the data of Electronic Signature/Seal creation of the verification of Electronic Signature is found in a device for creating a Qualified Electronic Signature, a reference thereto shall be made in the Qualified Electronic Signature/Seal Authentication Certificate in an automatable format.
- A Qualified Electronic Signature/Seal Authentication Certificate may include specific non-compulsory additional features, so that it will not affect the interoperability and the recognition of the Qualified Electronic Signature/Seal.
- TDRA may add any other requirements in the Qualified Electronic Signature/Seal Authentication Certificate under the resolutions issued by the TDRA in implementation of the Decree-Law and this Resolution and the Competent Authorities’ requirements.
Article (22) Revocation of Authentication Certificates
Where a Qualified Electronic Signature/Seal Authentication Certificate is revoked after being issued, it shall become invalid once revoked. In no event may such certificate be reactivated.
Article (23) Prohibition of Temporary Suspension of Authentication Certificates
It is prohibited for the Licensee to temporarily suspend a Qualified Electronic Signature/Seal Authentication Certificate, or temporarily suspend its validity period after being activated.
Article (24) Issuance of the Qualified Electronic Signature/Seal Authentication Certificate
- The Qualified Electronic Signature/Seal Authentication Certificates may be provided as a Qualified Trust Service only through a Qualified Trust Service Provider.
- The Qualified Trust Service Providers may use a Qualified Electronic Signature/Seal Authentication Certificate issued by another Qualified Trust Service Provider accompanied by a valid Qualified Electronic Signature/Seal to authenticate the Person requesting a Qualified Electronic Signature/Seal Authentication Certificate.
- Where the Qualified Trust Service Provider uses a procedure equivalent to the appearance in person to verify the identity and capacity of the Person to whom a Qualified Electronic Signature/Seal Authentication Certificate will be issued, pursuant to Clause (4) of Article (34) of the Decree-Law, the TDRA may, in addition to the Compliance Assessment report, ascertain that such procedure is equivalent to the appearance in person, pursuant to the controls issued by the TDRA in this regard.
- The Qualified Trust Service Provider that issues a Qualified Electronic Signature/Seal Authentication Certificate as a Qualified Trust Service shall create and update a database for the certificates.
- The Qualified Trust Service Provider shall identify a set of adequate policies and practices to provide the Qualified Electronic Signature/Seal Authentication Certificate as a Qualified Trust Service under the policy of providing the Qualified Electronic Signature/Seal Authentication Certificate service as a Qualified Trust Service and the practice statement of such service.
- The service policy and the practice statement shall be governed by the technical requirements and specifications of the content and structure of policies defined under the resolutions issued by the TDRA.
- The Qualified Trust Service provider shall be responsible for providing the Qualified Trust Service according to the procedures set forth in the service practice statement and the service policy. Where the Trust Service or part thereof is provided by third parties, the Qualified Trust Service Provider shall identify the responsibility of such parties and ensure that they will comply with any controls required by the Qualified Trust Service Provider.
Article (25) Revocation of Qualified Electronic Signature/Seal Authentication Certificate
- If the Qualified Trust Service Provider that issued a Qualified Electronic Signature/Seal Authentication Certificate decides to revoke the certificate, at the request of its holder or for the reasons identified by the service provider, they shall record the revocation in their certificate database and publish the certificate revocation case status on the service of verifying the validity of certificates, within a period not exceeding (24) twenty four hours from the date of receiving the certificate holder’s request. The revocation shall take effect once published.
- The Qualified Trust Service Provider shall provide any Relying Party with any information related to the validity or revocation of authentication certificates issued by the same, even following the expiry of the Qualified Electronic Signature/Seal Authentication Certificate and for at least (15) fifteen years from the expiry thereof; provided that such information is free and automatically accessible at all times.
Article (26) Issuing the Qualified Electronic Signature/Seal Device
- A Qualified Electronic Signature/Seal creation device may be issued to Signatories as a Qualified Trust Service only through a Qualified Trust Service Provider fulfilling the technological, procedural security and regulatory specifications and standards to be identified under a resolution by the TDRA.
- The Qualified Trust Service Provider shall identify a set of adequate policies and practices to provide devices for creating the Qualified Electronic Signature/Seal as a Qualified Trust Service. In all cases, such policies and practices shall fulfill the technical requirements and specifications of content and structure identified under a resolution by the TDRA.
- A Qualified Electronic Signature/Seal creation device must fulfill the requirements of Article (21) of the Decree-Law, and the Qualified Electronic Signature/Seal creation device must be approved by entities issuing qualification certificates for such devices, whether public or private entities; provided that such entities are approved by the TDRA.
- The Qualified Trust Service Provider shall comply with the standards and requirements of security assessment of IT technologies, products and services issued by the TDRA for approving the Qualified Electronic Signature/Seal creation devices.
- Entities granting qualification certificates for the Qualified Electronic Signature/Seal creation devices shall comply with the list of standards and requirements issued by the TDRA. Any qualification granted to any of such entities or any devices approved by the same shall be revoked if it is established that it has violated such standards and requirements.
- The Electronic Signature creation data may be managed, created and copied on behalf of the Signatory only through a Qualified Trust Service Provider that provides a Qualified Trust Service for managing a Qualified Electronic Signature creation device remotely.
- The Qualified Trust Service Provider shall use only Qualified Electronic Signature/Seal creation devices approved by the TDRA.
- The TDRA shall create, publish and manage a list of entities that issue qualification certificates of the Qualified Electronic Signature/Seal creation devices and tools approved by the same, in addition to a dated record showing the status of such entities and the status of approvals of qualification of devices.
- The Qualified Trust Service Provider shall follow the conditions and procedures issued by the TDRA to apply for using Qualified Electronic Signature/Seal creation devices, in order to be listed in the list referred to in Clause (8) above.
- An applicant for a Qualified Electronic Signature/Seal creation device or the Licensee, if the qualification certificate granted to the device by the entities issuing qualification certificates for Qualified Electronic Signature/Seal creation devices is revoked, shall so notify the TDRA within two weeks from the date of revocation. In this case, the TDRA may make or may ask the Qualified Trust Service Provider to make an assessment of the impact on the licensed services and to take any appropriate actions based on the assessment findings.
Article (27) Remote Management of the Qualified Electronic Signature/Seal Device
- The Qualified Electronic Signature/Seal creation devices shall be managed remotely as a Trust Service qualified by the Qualified Trust Service Provider that shall:
- a. Create and manage the Qualified Electronic Signature/Seal creation data on behalf of the Signatory; and
- b. Copy the Qualified Electronic Signature/Seal creation data only for backup purposes, subject to the following:
- The level of security of copied datasets must be at the same level of security of original datasets; and
- The number of copied datasets must not exceed the minimum required to ensure the continuity of service.
- c. Ensure remote conformity with any requirements set out in the qualification certificate of the Qualified Electronic Signature/Seal creation device, issued pursuant to Article (26) above.
- The TDRA shall issue the resolutions pertaining to technological standards and specifications related to Clause (1) above.
- The Trust Service Provider shall identify a set of adequate policies and practices for providing the service of remote management of the Qualified Electronic Signature/Seal creation devices as a Qualified Trust Service. In all cases, such policies and practices shall fulfill the technical requirements and specifications of content and structure, as identified by a resolution issued by the TDRA.
- The Qualified Trust Service Provider shall be responsible for providing the Qualified Trust Service according to the procedures set forth in the service practice statement and the service policy. Where the Trust Service or part thereof is provided by third parties, the Qualified Trust Service Provider shall identify the responsibility of such parties and ensure their compliance with any controls required by the Qualified Trust Service Provider.
Article (28) Data Retention of the Qualified Electronic Signature/Seal
- The Qualified Electronic Signature/Seal data retention service may be provided only by a Qualified Trust Service Provider that uses the procedures and technologies capable of extending the Trust Qualified Electronic Signature/Seal authenticity period beyond the technological validity period identified by a resolution by the TDRA. Such procedures and technologies shall have no impact on the reliability of the Qualified Electronic Signature/Seal.
- The Qualified Trust Service Provider shall retain the authenticity of the Trust Qualified Electronic Signature/Seal for a period not less than (15) fifteen years from the retention request date.
- The Qualified Trust Service Provider shall retain all information necessary for verifying the validity of the Qualified Trust Service Provider up to the end of the retention period.
- The Qualified Trust Service Provider shall ensure the safety, quality and clarity of the Qualified Electronic Signature/Seal data retained by the same, and shall allow such data to be properly used by the Subscribers or another Qualified Trust Service Provider providing a Qualified Trust Service, subject to the Subscribers’ express consent.
- A signature or seal affixed to a retention manual issued by the Qualified Trust Service Provider must be made by using a Reliable Electronic Signature/Seal issued by the provider.
- The Qualified Trust Service Provider shall identify a set of adequate policies and practices to provide the service of the Qualified Electronic Signature/Seal data retention as a Qualified Trust Service. In all cases, such policies and practices shall fulfil the technical requirements and specifications of content and structure identified by a resolution issued by the TDRA.
- The Qualified Trust Service Provider shall be responsible for providing the Qualified Trust Service according to the procedures set forth in the service practice statement and the service policy. Where the Trust Service or part thereof is provided by third parties, the Qualified Trust Service Provider shall identify the responsibility of such parties and ensure that they will comply with any controls required by the Qualified Trust Service Provider.
Article (29) Archiving Digital Documents
When government authorities archive electronic documents signed by a Reliable/Qualified Electronic Signature/Seal, they shall ensure the following:
- To preserve the Electronic Signature/Seal from change.
- To preserve the Electronic Signature/Seal from deletion.
- To ensure that the Electronic Signature/Seal is recreated on a new document should any authorized change be introduced to the Electronic Document.
Article (30) Validation of the Qualified Electronic Signature/Seal
- The Qualified Electronic Signature/Seal validation service may only be provided by a Qualified Trust Service Provider that fulfills the provisions of Article (20) of the Decree-Law, and pursuant to the resolutions issued by the TDRA in this regard.
- The Qualified Electronic Signature/Seal data validation service provider shall identify adequate policies and practices to verify the validity of the Qualified Electronic Signatures/Seals.
- Time information added to the result of the Qualified Electronic Signature/Seal validation shall be created by using a qualified Time Stamp.
- The Qualified Trust Service Provider shall be responsible for providing the Qualified Trust Service according to the procedures set forth in the service practice statement and the service policy. Where the Trust Service or part thereof is provided by third parties, the Qualified Trust Service Provider shall identify the responsibility of such parties and ensure that they will comply with any controls required by the Qualified Trust Service Provider.
- The TDRA shall issue the resolutions pertaining to technological standards and specifications to be adhered to by the qualified service provider, including:
- a. Operational and security controls, service management mechanism, physical security requirements, requirements for technical and security inspection testing of the service before it is provided to the Subscribers, and technical and security inspection reports.
- b. Requirements for listing the Qualified Electronic Signature/Seal validation service as a Qualified Trust Service in the UAE Trust List.
Article (31) Qualified Electronic Time Stamp Creation Service
- The Qualified Electronic Time Stamp creation service may be provided only by a Qualified Trust Service Provider that fulfills the provisions of Article (23) of the Decree-Law, and pursuant to the resolutions issued by the TDRA in this regard.
- The Qualified Trust Service Provider that provides the Qualified Electronic Time Stamp creation service shall identify a set of adequate policies and practices to create the Qualified Electronic Time Stamp. In all cases, such policies and practices shall fulfil the technical requirements and specifications of content and structure identified by a resolution issued by the TDRA.
- The Qualified Trust Service Provider that provides the Qualified Electronic Time Stamp service shall be responsible for providing such service according to the procedures set forth in the service practice statement and the service policy. Where the Trust Service or part thereof is provided by third parties, the Qualified Trust Service Provider shall identify the responsibility of such parties and shall ensure that they will comply with any controls required by the Qualified Trust Service Provider.
- The TDRA shall issue the resolutions pertaining to technological standards and specifications to be complied with by the Qualified Service Provider, including:
- a. The service policy and the practices statement, as mentioned in Article (15) above; and
- b. Requirements for listing the service in the UAE Trust List.
Article (32) Qualified Electronic Delivery Service
- The Qualified Electronic Delivery Service may be provided only by a Qualified Trust Service Provider that fulfills the provisions of Article (24) of the Decree-Law, and pursuant to the resolutions issued by the TDRA in this regard.
- The Qualified Electronic Delivery Service Provider shall identify the sender and the Addressee at a high level of security and trust and at a high degree of trust and acceptance, so as to eliminate any risks and prevent manipulation of the identity of the sender and the Addressee.
- The Qualified Electronic Delivery Service Provider shall identify a set of adequate policies and practices to provide the Qualified Electronic Delivery Service. In all cases, such policies and practices shall fulfil the technical requirements and specifications of content and structure identified by a resolution issued by the TDRA.
- The Qualified Electronic Delivery Service Provider shall be responsible for providing such service according to the procedures set forth in the service practice statement and the service policy. Where the Trust Service or part thereof is provided by third parties, the Qualified Electronic Delivery Service Provider shall identify the responsibility of such parties and shall ensure that they will comply with any controls required by the Qualified Electronic Delivery Service Provider.
- The TDRA shall issue the resolutions pertaining to technological standards and specifications to be complied with by the Qualified Electronic Delivery Service Provider, including:
- a. The service policy and the practice statement set forth in Article (15) above;
- b. Requirements for listing the Qualified Electronic Delivery Service and user manuals; and
- c. Requirements for listing the service in the UAE Trust List.
- Data sent and received via the Qualified Electronic Delivery Service shall constitute evidence of the integrity of the data sent, and of such data being sent by an identified sender and received by an identified Addressee, in addition to an accurate sending and receiving date as referred to by the Qualified Electronic Delivery Service.
Article (33) Compliance Assessment
- Any entity not approved or authorized by the TDRA may not carry out a compliance assessment for the purpose of implementing the Decree-Law and this Resolution and the resolutions issued by the TDRA in implementation of both of which, and the Competent Authorities’ requirements.
- An entity assessing the compliance must be approved by and registered with the TDRA.
- The Compliance Assessment entity shall draw up a report on the conformity of the License applicant or the Licensee and services provided or to be provided with the requirements set forth in the Decree-Law and this Resolution and the resolutions issued by the TDRA in implementation of both of which, and the Competent Authorities’ requirements.
- The Compliance Assessment reports shall be issued according to the specifications and procedures identified by the TDRA.
- The Compliance Assessment entity shall avoid any conflict of interest, whether actual or potential conflict of interest, for carrying out the Compliance Assessment of the License applicant or the Licensee. The TDRA shall identify the necessary standards and controls in this regard.
- The TDRA shall issue the resolutions related to technological standards and specifications to be complied with by the Compliance Assessment entities, including:
- a. Mechanisms for accrediting assessment entities; and
- b. Rules of scrutiny to be complied with by the Compliance Assessment entities while assessing the compliance of Trust Service Providers or Qualified Trust Service Providers and services provided by them.
Article (34) UAE Trust List
- The TDRA shall create a list to be called “the UAE Trust List” according to the specifications set by the TDRA, and shall publish the same on its website. Such list shall include the following:
- a. Information on Trust Service Providers, Trust Services provided by the same and indication of the License status; and
- b. Information on Qualified Trust Service Providers, Qualified Trust Services provided by the same and indication of the License status and the Status of Qualified Service Provider.
- The information referred to in Clause (1) above shall be provided by Trust Service Providers or Qualified Trust Service Providers in a confirmed and reliable manner through their compliance reports issued by the Compliance Assessment entity or the TDRA.
- The TDRA shall issue the resolutions related to technological standards and specifications and the UAE Trust List procedures, such as the UAE Trust List form, content, publication mechanism, maintenance, adjustment, reading mechanism and use by Qualified Parties.
- The TDRA shall list the Licensee in the UAE Trust List on the basis of services set out in the License.
- When the TDRA lists the Licensee in the UAE Trust List, it shall link each service set out in the License with a Digital Identifier that allows the service to be uniquely and clearly identified according to the technical specifications and resolutions issued by the TDRA in this regard.
Article (35) Qualified Trust Mark
- The TDRA shall identify, publish and manage the standards related to the form, content and presentation of the Qualified Trust Mark of the Qualified Trust Services.
- The Qualified Trust Service Provider may use the provided Qualified Trust Mark; provided that a reference is made to the Status of Qualified Service Provider in the UAE Trust List, as follows:
- a. Fulfilling the Status of Qualified Service Provider and the licenses necessary for a Qualified Trust Service Provider, pursuant to the Decree-Law and this Resolution and the resolutions issued by the TDRA in implementation of both of which, and the Competent Authorities’ requirements;
- b. A reference must be made in a clear and non-misleading way to the Qualified Trust Services, the Status of Qualified Service Provider and the effective license of the Qualified Trust Service; and
- c. Providing an active link for the Qualified Trust Mark that refers to the Status of Qualified Service Provider and the Qualified Trust Services in the UAE Trust List, as per the requirements and resolutions issued by the TDRA.
Article (36) Repeals
Any provision contrary to or in conflict with the provisions of this Resolution shall hereby be repealed.
Article (37) Publication and Entry into Force of the Resolution
This Resolution shall be published in the Official Gazette, and shall enter into force (90) days following the publication date.