Document 02013D0001(01)-20221109

Consolidated text: Decision of the European Central Bank of 11 January 2013 laying down the framework for a public key infrastructure for the European System of Central Banks (ECB/2013/1) (2013/132/EU)

ELI: http://data.europa.eu/eli/dec/2013/132/2022-11-09

02013D0001(01) — EN — 09.11.2022 — 002.001


This text is meant purely as a documentation tool and has no legal effect. The Union's institutions do not assume any liability for its contents. The authentic versions of the relevant acts, including their preambles, are those published in the Official Journal of the European Union and available in EUR-Lex. Those official texts are directly accessible through the links embedded in this document

►B

DECISION OF THE EUROPEAN CENTRAL BANK

of 11 January 2013

laying down the framework for a public key infrastructure for the European System of Central Banks

(ECB/2013/1)

(2013/132/EU)

(OJ L 074 16.3.2013, p. 30)

Amended by:

►M1 DECISION (EU) 2016/187 OF THE EUROPEAN CENTRAL BANK of 11 December 2015 (OJ L 37, 12.2.2016, p. 100)

►M2 DECISION (EU) 2022/1982 OF THE EUROPEAN CENTRAL BANK of 10 October 2022 (OJ L 272, 20.10.2022, p. 29)




▼B




Article 1

Definitions

For the purposes of this Decision:

1. ‘certificate’ or ‘electronic certificate’ means an electronic file, issued by a certification authority, which binds a public key with a certificate subscriber’s identity and is used for all or some of the following: (a) to verify that a public key belongs to a certificate subscriber; (b) to authenticate a certificate subscriber; (c) to check a certificate’s subscriber signature; (d) to encrypt a message addressed to a certificate subscriber; (e) to verify a certificate subscriber’s access rights to ESCB and Eurosystem electronic applications, systems, platforms and services. Any reference in this Decision to a certificate or electronic certificate includes a reference to the data carrier devices on which the certificate or electronic certificate is held;

2. ‘ESCB and Eurosystem electronic applications, systems, platforms and services’ means the electronic applications, systems, platforms and services that the ESCB and/or the Eurosystem use when carrying out the tasks entrusted to them under the Treaty and the Statute of the ESCB;

3. ‘public key infrastructure’ means the set of individuals, policies, procedures, and computer systems necessary to provide authentication, encryption, integrity and non-repudiation services by way of public and private key cryptography and electronic certificates;

4. ‘user’ means either a certificate subscriber or a relying party, or both;

5. ‘authentication’ means the process of verifying the identity of a certificate applicant or certificate subscriber;

6. ‘ESCB central bank’ means either a Eurosystem central bank or a non-euro area NCB;

7. ‘Eurosystem central bank’ means either an NCB of a Member State whose currency is the euro, including the providing central bank, or the ECB;

8. ‘providing central bank’ means the NCB appointed by the Governing Council to develop the ESCB-PKI and to provide ESCB-PKI services on behalf of and for the benefit of the Eurosystem central banks;

9. ‘non-euro area NCB’ means an NCB of a Member State whose currency is not the euro;

▼M1

10. ‘ESCB-PKI certification authority’ means the entity, trusted by users, to issue, manage, revoke and renew ESCB-PKI certificates in accordance with the ESCB/SSM certificate acceptance framework;

▼B

11. ‘ESCB-PKI validation authority’ means the entity, trusted by users, which provides information on the validity of certificates issued by the ESCB-PKI certification authority;

12. ‘certificate subscriber’ means either an individual who is the subject of an electronic certificate and has been issued an electronic certificate, or a technical component manager who has accepted an electronic certificate issued by the ESCB-PKI certification authority for a technical component, or both;

13. ‘ESCB certificate acceptance framework’ means the criteria established by the ESCB ITC to identify the certification authorities, both internal and external to the ESCB, which can be trusted in relation to ESCB and Eurosystem electronic applications, systems, platforms and services;

14. ‘registration authority’ means an entity, trusted by users, which verifies the identity of a certificate applicant before the ESCB-PKI certification authority issues a certificate;

15. ‘relying party’ means an individual or an entity other than a certificate subscriber which accepts and relies on a certificate;

16. ‘audit policy’ means the ESCB audit policy defined by the Governing Council on 7 October 1998, as published on the ECB’s website ( 1 );

17. ‘certificate applicant’ means an individual who requests the issuance of a certificate for themself or for a technical component;

18. ‘technical component’ means any software or any hardware equipment that can be identified by using electronic certificates;

▼M2

19. ‘competent authority’ means either a national competent authority or the ECB;

20. ‘national competent authority’ (NCA) means a national competent authority as defined in point (2) of Article 2 of Council Regulation (EU) No 1024/2013 ( 2 ) and, for the purposes of this Decision, also includes, in respect of the supervisory tasks assigned to them, national central banks that have been assigned certain supervisory tasks under national law and are not designated as NCAs;

21. ‘cooperating authority’ means a public authority, other than a central bank within the ESCB or a competent authority, with which the ESCB or the Single Supervisory Mechanism (SSM) cooperates in carrying out the tasks of the ESCB or of the ECB under Regulation (EU) No 1024/2013;

22. ‘participating competent authority’ means a competent authority that uses the ESCB services for the purpose of cooperating with the ESCB and with other competent authorities, in order to carry out its tasks within the Single Supervisory Mechanism (SSM), established pursuant to Regulation (EU) No 1024/2013.

▼B

Article 2

Scope

1. This Decision establishes the framework for the ESCB-PKI. The ESCB-PKI is the Eurosystem’s own public key infrastructure developed by the providing central bank on behalf of and for the benefit of the Eurosystem central banks, which issues, manages, revokes and renews certificates in accordance with the ESCB’s certificate acceptance framework.

2. As ESCB-PKI services may affect relying parties, this Decision also sets out the conditions under which such parties may rely on ESCB-PKI certificates.

Article 3

Scope and objectives of the ESCB-PKI

1. ESCB and Eurosystem electronic applications, systems, platforms and services with medium or above medium criticality shall only be accessed and used if a user has been authenticated by means of an electronic certificate issued and managed by a certification authority accepted by the ESCB in accordance with the ESCB certificate acceptance framework, including by the ESCB-PKI certification authority, or by certification authorities accepted by the ESCB for TARGET2 and TARGET2 Securities for those two applications.

2. The ESCB-PKI certification authority shall issue electronic certificates and provide other electronic certification services for certificate subscribers of the ESCB central banks and of third parties working with them to enable them to securely access and use ESCB and Eurosystem electronic applications, systems, platforms and services.

3. The ESCB-PKI shall provide the following certification services:

(a) certificate issuance, renewal and revocation, and confirmation of a certificate’s validity with regard to different certificate types;

(b) issuance of certificates for authentication, electronic signature and encryption in relation to ESCB and non-ESCB users, and technical certificates;

(c) private key recovery to ensure the recovery of public key-based encrypted information in the case of certificate loss;

(d) delivery and management of cryptographic tokens to certificate subscribers when needed;

(e) provision of information on ESCB-PKI certificate management procedures, and technical support to ESCB project managers to help them to integrate ESCB-PKI certificates into their applications.

Other services may be added in the future as required by ESCB and Eurosystem electronic applications, systems, platforms and services.

Article 4

ESCB-PKI framework

1. Subject to this Decision, the responsibilities and functions of the providing central bank and of the other Eurosystem central banks with regard to ESCB-PKI implementation, operation and use shall be set out in a Level 2 – Level 3 Agreement and further specified in ESCB-PKI certificate policies and the ESCB-PKI certification practice statement.

2. The Level 2 – Level 3 Agreement, which includes the Service Level Agreement, contains the agreement negotiated between the providing central bank and the Eurosystem central banks in relation to the responsibilities and functions of the providing central bank and the Eurosystem central banks. It shall be submitted for endorsement by the Governing Council and then signed by the providing central bank and the Eurosystem central banks.

3. The Service Level Agreement is both an agreement defining the level of services to be provided by the providing central bank to the Eurosystem, and an agreement defining the level of services to be provided by the Eurosystem to the non-euro area NCBs and third parties in relation to the ESCB-PKI.

▼M1

4. The ESCB-PKI certification practice statement is a set of rules governing the life cycle of electronic certificates, from the initial request to the subscription end or revocation, as well as the relationships between the certificate applicant or subscriber, the ESCB-PKI certification authority and the relying parties. It covers certificates falling under the scope of Directive 1999/93/EC and Regulation (EU) No 910/2014 of the European Parliament and of the Council ( 3 ) and certificates falling outside their scope. It also sets out the roles and responsibilities of all parties and establishes the procedures concerning issuing and managing certificates. It is annexed to the Level 2 — Level 3 Agreement.

▼B

5. An ESCB-PKI certificate policy is a set of rules which is applicable to each type of certificate issued. Each set provides implementation details relating to the ESCB-PKI certification practice statement for each type of certificate issued. ESCB-PKI certificate policies are annexed to the Level 2 – Level 3 Agreement.

6. The ESCB-PKI certificate policies and the ESCB-PKI certification practice statement shall be published on the ESCB-PKI website ( 4 ).

7. Information concerning the ESCB-PKI certification authority, including its identity, and its technical components is set out in the Annex to this Decision.

Article 5

Responsibilities and roles of the providing central bank

1. The providing central bank shall be responsible for operating and maintaining the ESCB-PKI for the benefit of the Eurosystem central banks, including hosting, operation and management carried out in accordance with the Level 2 – Level 3 Agreement. In particular, it shall deliver certificates and ESCB-PKI services in accordance with business requirements and technical specifications, such as the ESCB certificate acceptance framework and the requirements and specifications set out in the Level 2 – Level 3 Agreement.

2. The providing central bank shall put the necessary organisational infrastructure in place for creating, issuing and managing certificates and shall ensure that the infrastructure is maintained. For that purpose, in consultation with the ITC, the providing central bank may adopt rules concerning its internal organisation and administration.

3. The providing central bank shall act as the ESCB-PKI certification authority and the ESCB-PKI validation authority.

4. The Level 2 – Level 3 Agreement shall establish the liability regime applying to the providing central bank.

Article 6

Responsibilities and roles of the Eurosystem central banks

1. Each Eurosystem central bank shall be responsible for identifying its certificate subscribers. It shall create the role of registration officer to perform this task who shall have the authority to register third party users.

2. Each Eurosystem central bank shall act as a relying party in relation to certificates for encryption and electronic signature issued by the ESCB-PKI for other Eurosystem central banks or third party users’ certificate subscribers.

3. Each Eurosystem central bank using ESCB-PKI services shall act as a registration authority for its certificate applicants and ensure that its certificate applicants accept and apply the user terms and conditions set out in the ESCB-PKI certification authority’s application form for its services.

Article 7

Relationships between the Eurosystem central banks, third parties and certificate subscribers

Each Eurosystem central bank shall make arrangements with regard to third party secure access and use of the ESCB and Eurosystem electronic applications, systems, platforms and services through the use of ESCB-PKI certificates. These arrangements shall exclusively govern the relationship between the relevant Eurosystem central bank and the third parties that use ESCB-PKI certificates. All third parties shall comply with the ESCB-PKI certificate policies, the ESCB-PKI certification practice statement and the user terms and conditions set out in the ESCB-PKI certification authority’s application form for its services.

Article 8

Relationships with relying parties

An electronic certificate issued under this Decision may be relied upon provided that a relying party:

(a) verifies the validity, suspension or revocation of the certificate using current revocation status information;

(b) takes account of any limitations on use specified in the certificate; and

(c) accepts the ESCB-PKI certification practice statement and the applicable ESCB-PKI certificate policies.

Article 9

Rights to the ESCB-PKI

1. The ESCB-PKI shall be fully owned by the Eurosystem central banks.

2. In view thereof, the providing central bank shall grant to the Eurosystem central banks, to the extent feasible under applicable legislation, all licenses regarding the intellectual property rights required to enable the Eurosystem central banks to use the ESCB-PKI and its components and the full range of ESCB-PKI services and also provide ESCB-PKI services to third parties under the ESCB-PKI certification practice statement and the ESCB-PKI certificate policies. The providing central bank shall indemnify the Eurosystem central banks against any infringement claims raised by third parties in relation to such intellectual property rights.

3. The details regarding the Eurosystem central banks’ rights to the ESCB-PKI shall be agreed between Level 2 and Level 3 in the Level 2 – Level 3 Agreement.

▼M2

Article 9a

Use of the ESCB-PKI services by cooperating authorities

1. Subject to the approval of the Governing Council, a cooperating authority may use the ESCB-PKI services in order to access and use ESCB and Eurosystem electronic applications, systems, platforms, databases and services for the purpose of cooperating with the ESCB or with the SSM and may act for that purpose as a registration authority for its internal users.

2. Cooperating authorities that decide to use the ESCB-PKI services shall submit a declaration to the Governing Council by which they confirm their use of the services and accept compliance with the related obligations.

3. Cooperating authorities that decide to use the ESCB-PKI services shall comply with the applicable legal framework, including the Level 2 – Level 3 Agreement.

▼B

Article 10

Liability of Eurosystem central banks towards users

▼M1

1. Unless they prove that they have not acted negligently, the Eurosystem central banks shall be liable in accordance with their functions and responsibilities in the ESCB-PKI for any damage caused to a user who reasonably relies on a qualified certificate, as defined in Directive 1999/93/EC and Regulation (EU) No 910/2014, as regards:

(a) the accuracy at the time of issuance of all the information contained in a qualified certificate, and the question of whether the certificate contains all the details prescribed for a qualified certificate as defined in Directive 1999/93/EC and Regulation (EU) No 910/2014;

▼B

(b) any assurance that at the time of issuance of a qualified certificate, the certificate subscriber identified therein held the signature-creation data corresponding to the signature-verification data given or identified in the certificate;

(c) any assurance that the signature-creation device and the signature-verification device function together in a complementary manner, in cases where the ESCB-PKI generates both;

(d) any failure to register revocation of a qualified certificate.

2. The Eurosystem central banks assume no commitments, give no guarantees and accept no liability towards users unless expressly stated in this Decision and in the ESCB-PKI certification practice statement.

Article 11

Participation of non-euro area NCBs in the ESCB-PKI

1. A non-euro area NCB may act as a registration authority for its internal users as well as for third party users, and may create the role of a registration officer to perform this task.

2. Subject to the approval of the Governing Council, a non-euro area NCB may also decide to use ESCB-PKI services under the same conditions as those applying to Eurosystem central banks. For that purpose, the non-euro area NCB shall submit a declaration to the Governing Council in which it confirms that it will comply with the obligations laid down in this Decision and in the Level 2 – Level 3 Agreement. A non-euro area NCB shall not become co-owner of the ESCB-PKI and shall not be obliged to contribute to the ESCB-PKI financial envelope.

Article 12

Data protection

Eurosystem central banks shall comply with the data protection legislation applicable to their processing of personal data in the performance of their functions related to the ESCB-PKI.

Article 13

Audit

Audits of the ESCB-PKI shall be performed in accordance with the principles and arrangements set out in the audit policy. They shall be without prejudice to the internal controls and audit rules that apply to or are adopted by the Eurosystem central banks.

▼M2

Article 14

Financial arrangements

Participating central banks and participating competent authorities shall bear the costs of developing and operating the ESCB-PKI services according to a defined reimbursement framework, which is based on a cost allocation key, as further specified in the ESCB-PKI financial envelopes following the applicable reimbursement rules. Cooperating authorities shall contribute to the costs in accordance with a specific reimbursement framework.

▼B

Article 15

Role of the Executive Board

1. In accordance with Article 17.3 of Decision ECB/2004/2 of 19 February 2004 adopting the Rules of Procedure of the European Central Bank ( 5 ), the Governing Council delegates its normative powers to the Executive Board to take any measures to implement this Decision that are necessary for the efficiency and security of the ESCB-PKI, and to adopt amendments relating to the technical aspects of the ESCB-PKI and ESCB-PKI services provided for in the annexes to the Level 2 – Level 3 Agreement after taking into consideration the advice of the ITC and, if applicable, of the Eurosystem IT Steering Committee.

2. The Executive Board shall notify the Governing Council of any measure that it takes pursuant to paragraph 1 without undue delay and shall abide by any decision adopted by the Governing Council on the matter.

▼M1




ANNEX

Information concerning the ESCB-PKI certification authority, including its identity, and its technical components

The ESCB-PKI certification authority is identified in its certificate as the issuer and its private key is used to sign certificates. The ESCB-PKI certification authority is in charge of:

(i) issuing private and public key certificates;

(ii) issuing revocation lists;

(iii) generating key pairs associated with specific certificates, e.g. those that require key recovery;

(iv) maintaining overall responsibility for the ESCB-PKI and ensuring that all the requirements necessary to operate it are met.

The ESCB-PKI certification authority includes all individuals, policies, procedures and computer systems entrusted with issuing electronic certificates and assigning them to the certificate subscribers.

The ESCB-PKI certification authority includes two technical components:

— The Root ESCB-PKI certification authority: This certification authority, at the first level, only issues certificates for itself and its subordinate certification authorities. It is only in operation when carrying out its own narrowly-defined responsibilities. Its most significant data are:

a) SHA-1 certificate ( 6 ):

Distinguished name: CN=ESCB-PKI ROOT CA, O=EUROPEAN SYSTEM OF CENTRAL BANKS, C=EU
Serial number: 596F AC4C 218C 21BC 4E00 6B42 A164 46DD
Distinguished name of issuer: CN=ESCB-PKI ROOT CA, O=EUROPEAN SYSTEM OF CENTRAL BANKS, C=EU
Validity period: From 21-06-2011 11:58:26 to 21-06-2041 11:58:26
Message digest (SHA-1): CEFE 6C32 E850 994A 09EA 1A77 0C60 3D90 ADC9 9192
Message digest (SHA-256): C919 CF49 C024 7E50 2E0C C3C9 81E0 FB88 A013 AA2B 15C9 5142 F491 BDE7 E403 E3FB
Cryptographic algorithms: SHA-1/RSA 4096

b) SHA-256 certificate:

Distinguished name: CN=ESCB-PKI ROOT CA, O=EUROPEAN SYSTEM OF CENTRAL BANKS, C=EU
Serial number: 4431 9C5F 91E8 162F 4E00 73F6 6AB8 71D8
Distinguished name of issuer: CN=ESCB-PKI ROOT CA, O=EUROPEAN SYSTEM OF CENTRAL BANKS, C=EU
Validity period: From 21-06-2011 12:35:34 to 21-06-2041 12:35:34
Message digest (SHA-1): 3663 2FBA FB19 BDBC A202 3994 1926 ED48 4D72 DD4B
Message digest (SHA-256): 7963 2A97 1D12 A889 9724 BB35 C37B 51D2 3E21 4DF9 20C3 2450 093E 0EA7 49FB AAEB
Cryptographic algorithms: SHA-256/RSA 4096

— The Online ESCB-PKI certification authority: This certification authority, at the second level, is subordinate to the Root ESCB-PKI certification authority. It is responsible for issuing ESCB-PKI certificates for users. Its most significant data are:

a) SHA-1 certificate ( 7 ):

Distinguished name: CN= ESCB-PKI ONLINE CA, O=EUROPEAN SYSTEM OF CENTRAL BANKS, C=EU
Serial number: 2C13 E18F FDB5 91CE 4E9 550B B5A3 F59C
Distinguished name of issuer: CN=ESCB-PKI ROOT CA, O=EUROPEAN SYSTEM OF CENTRAL BANKS, C=EU
Validity period: From 22-07-2011 12:46:35 to 22-07-2026 12:46:35
Message digest (SHA-1): D316 026C D2CF 1A8C 4AA3 8C29 EE3D 591E 4286 AD08
Message digest (SHA-256): 4B18 7644 BF79 4F83 D000 999D 7927 433F 75F3 CFB1 643A 6D0F 8A25 9435 BE86 1B7A
Cryptographic algorithms: SHA-1/RSA 4096

b) SHA-256 certificate:

Distinguished name: CN= ESCB-PKI ONLINE CA, O=EUROPEAN SYSTEM OF CENTRAL BANKS, C=EU
Serial number: 660C 9B12 9A0A 6C21 5509 38DD 54A0 ED2D
Distinguished name of issuer: CN=ESCB-PKI ROOT CA, O=EUROPEAN SYSTEM OF CENTRAL BANKS, C=EU
Validity period: From 22-07-2011 12:46:35 to 22-07-2026 12:46:35
Message digest (SHA-1): E976 D216 4A5F 62DA C058 6BE0 EC10 EF24 36B8 12AC
Message digest (SHA-256): 1335 26DC 99E9 CC36 62F8 F5FA 2006 3005 BA90 E663 2BF3 4F18 A84B A39B 5FAA 5700
Cryptographic algorithms: SHA-256/RSA 4096



( 1 ) www.ecb.europa.eu

( 2 ) Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63).

( 3 ) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73).

( 4 ) http://pki.escb.eu

( 5 ) OJ L 80, 18.3.2004, p. 33.

( 6 ) This certificate will be used only in systems that do not support higher algorithms.

( 7 ) This certificate will be used only in systems that do not support higher algorithms.
