Trust services
E-signature and e-seal
- Introduction to electronic identification and trust services
Electronic communication is ubiquitous today, so the question arises as to how to ensure the authenticity of such communication. Building trust in the online environment is crucial for economic and social development. Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 (hereinafter: eIDAS Regulation) aims to increase trust in electronic transactions in the internal market by providing a common basis for secure electronic interaction between citizens, businesses and public authorities. The Regulation establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services and certificate services for website authentication.
- Why are trust services important?
Businesses and individuals involved in various electronic transactions want to be sure that the documents they send electronically are not altered and that the sender can be easily identified. Trust is the foundation of every business and commercial activity, and can be increased by the application of electronic signatures and other trust services. Electronic signatures and trust services can prove the source of communication and whether the message has been changed in the process of sending and receiving.
- What is electronic identification and why is it important?
Electronic identification means the process of using personal identification data in electronic form which unambiguously represent a natural or legal person, or a natural person representing a legal person.
For more information on the Croatian National Identification and Authentication System and e-Citizens, see: https://nias.gov.hr/
- How to get an e-signature?
In order to use an e-signature, you need a certificate, an electronic signature creation device, and a suitable computer application.
In the Republic of Croatia, authorised issuers of certificates are: the Financial Agency (FINA), which issues certificates to legal and natural persons, the Agency for Commercial Activities (AKD), which also issues certificates to legal and natural persons and whose certificates are embedded in newer generation electronic ID cards, and Zagrebačka banka (ZABA), which issues certificates for its clients.
Qualified certificates issued by certification service providers based in the European Union are as valid as qualified certificates issued in the Republic of Croatia.
Trust services provided by trust service providers established in a third country shall be recognised as legally equivalent to qualified trust services provided by qualified trust service providers established in the Union when the third country trust services are recognised under an agreement concluded between the Union and the third country concerned or an international organisation in accordance with Article 218 TFEU.
In particular, such agreements shall ensure that:
- trust service providers in a third country or international organisations with which an agreement has been concluded and the trust services they provide comply with the requirements applicable to qualified trust service providers established in the Union and to the qualified trust services they provide;
- qualified trust services provided by qualified trust service providers established in the Union are recognised as legally equivalent to trust services provided by trust service providers in a third country or by international organisations with which an agreement has been concluded;
- interoperability.
A trusted list is a publicly available list of supervised or voluntarily accredited qualified certificate service providers, together with basic information about them. A trusted list should be published in a machine-readable format (XML) and may also be published in a human-readable format (PDF). The European Union Trusted Lists (EUTL) is a public list collected and published by the European Commission, which includes all trust service providers in the EU and other countries that voluntarily commit to the provisions of the eIDAS Regulation. More information can be found at the following links:
- Scheme information English
- Scheme information Croatian
- Trusted list of the Republic of Croatia - November 2024
- Trusted list of the Republic of Croatia
- EU Trusted Lists
- Electronic signature
An electronic signature is a generic term that covers a whole range of different types of digitally displayed data by means of which a user is identified and a signed electronic document is authenticated. It is a set of data which makes it possible to identify, i.e. establish, the signatory of a document and, consequently, to establish the authenticity of that document.
- Advanced electronic signature
The use of an advanced electronic signature ensures, in addition to authenticity and integrity, non-repudiation (the signatory cannot deny having signed the document).
An advanced electronic signature:
- is uniquely linked to the signatory;
- is capable of identifying the signatory;
- is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
- is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
- Qualified electronic signature
A qualified electronic signature is an advanced electronic signature that is created by a qualified electronic signature creation device and is based on a qualified certificate for electronic signatures. In addition, it has the equivalent legal effect of a handwritten signature.
Its use ensures:
- authentication - linking the identity of the signatory to the information
- integrity - immutability of data (allows easier identification of any change in data)
- non-repudiation - legal certainty of the origin of the electronic signature
- Other trust services
Electronic time stamp
An electronic time stamp means data in electronic form which binds other data in electronic form to a particular time, establishing evidence that the latter data existed at that time. Therefore, if an electronic document must carry a real-time mark and you want to be sure that no one has changed the document after it was created, a time stamp is required. It provides a reliable means to verify that specific data, an electronic record, an electronic document, etc. existed before the moment in time indicated on the time stamp. Any subsequent change in the document and the embedded time stamp can be easily detected. For e-invoices, for example, a time stamp is mandatory. The time stamp is used with an e-signature (Art. 42, eIDAS Regulation).
Electronic seal
The eIDAS Regulation introduces a digital/electronic seal as a tool for legal entities, such as privately and publicly owned companies, state and public authorities, health institutions, etc.
An electronic seal is used to authenticate electronic documents that do not require an electronic signature (which is needed where a paper document would require a natural person's handwritten signature), but whose authenticity and integrity should nevertheless be ensured.
An electronic seal means data in electronic form, which is attached to or logically associated with other data in electronic form to ensure the latter’s origin and integrity.
Intended use:
- notifications, confirmations
- invoices (ordinary or e.g. as part of international e-Invoicing projects)
- payment slips/receipts
- e-Tendering and online or electronic offers
- business correspondence
- non-critical medical documentation
- bank statements
- tax cards
- civil registry documents etc.
Where an electronic document takes the form of a decision, judgment or similar act preceded by a general administrative, judicial or other special procedure that is assumed to be conducted by an authorised official, who must identify themselves and sign the document by hand (as prescribed by the General Administrative Procedure Act, the General Tax Act, the Courts Act, etc.), such an electronic decision should be signed using a qualified electronic signature and the associated qualified certificate. If the document is signed with a qualified electronic signature, no authentication with an electronic seal is required.
Electronic registered delivery
Electronic registered delivery is a service that makes it possible to transmit data between third parties by electronic means and provides evidence relating to the handling of the transmitted data, including proof of sending and receiving the data, and that protects transmitted data against the risk of loss, theft, damage or any unauthorised alterations.
- Supervision
The competent authority for the implementation of Regulation (EU) No 910/2014 and the Act concerning the provisions governing trust services from Articles 13 to 45 of Regulation (EU) No 910/2014 is the central state administration body responsible for economic affairs.
The central state administration body performs the following tasks:
- supervision of trust service providers, granting and withdrawing qualified status, analysis of conformity assessment reports, auditing, requiring trust service providers to remedy any non-compliance with the provisions of Regulation (EU) No 910/2014;
- establishing, maintaining and publishing trusted lists of providers and qualified trust service providers;
- cooperation with supervisory authorities in other Member States of the European Union (providing mutual assistance, exchange of good practices);
- informing other authorities and the public about security breaches;
- periodic annual reporting to the European Commission on its main activities (by 31 March for the previous calendar year).
The head of the central state administration body responsible for economic affairs shall prescribe in an ordinance other methods of identification which, in terms of reliability, provide security equivalent to physical presence, and by which the trust service provider verifies the identity and specific characteristics of the natural or legal person to whom a qualified certificate is issued.
- Regulations and useful links