The creation of the French Network and Information Security Agency (ANSSI) under the decree n°2009-834 of 7 July 2009 and the development of the General Security Database (RGS) following ordinance n°2005-1516 of 8 December 2005 and under the decree n°2010-112 of 2 February 2010 to boost the legislations regarding the legal value of electronic signatures.
The General Security Database (RGS) with annexes are in the form of several documents and define security rules that administrative authorities can apply in securing their information systems. In relation to electronic signatures, it defines three qualification levels for certification service providers.
Three qualification levels
These levels apply a certain number of rules concerning the electronic certificate, the conditions under which it is issued, as well as the storage arrangements for the private key. Regarding the latter:
- for level ***, the signature creation arrangements must be qualified at a reinforced level.
- for level **, the signature creation arrangements must be qualified at minimum at a standard level.
- for level *, the signature creation arrangements must be qualified at minimum at an elementary level.
As the Certification Type Signature Policy (annexe of RGS) explains in chapter I.1 :
“The implementation of an electronic signature procedure respecting the requirements outlined for the level *** offers the possibility of benefiting from the presumption of reliability of the signature procedure as provided for in article 1316-4 of the civil code, provided that the electronic signature is secure (cf. articles 1 and 2 of the decree [SIG]). In fact, the requirements contained in this PC Type regarding electronic certification service providers and arrangements for the creature of level *** signatures respectively comply with the technical requirements of article 6 (secure arrangements for the creation of a signature) and article 3 (qualified certificates) of the decree [SIG] subject to compliance with the qualification procedures outlined in [ORDINANCE]. Given that the decree [SIG] is transposed under the French rule of law of the European directive [DIRSIG], an electronic signature procedure respecting the defined requirements for level *** allows qualified signatures to be generated under said directive. “
Therefore, service providers of RGS level *** qualified certifications for the service of electronic signatures are in fact qualified providers within the meaning the decree of 26 July 2004.
Otherwise said, the electronic signature is presumed to be of equal reliability. This signature is based on the use of a qualified RGS *** electronic certificate.