By Lenka Glynn and Kelly Tymburski
The Telecommunications Regulatory Authority (TRA) of the UAE recently introduced a licensing framework applicable to certification service providers operating in the UAE. But what does this mean and to whom does it apply? These are just some of the questions we will explore below.
What is a Certification Service Provider?
The widely recognised benefits of using electronic forms of communications and commerce would be compromised if persons conducting business electronically did not have a reliable way of verifying who they are dealing with and the overall integrity of their communications. This is why the concept of authentication of the identity of persons in the electronic environment is absolutely critical to the continued success of electronic communications, from both a practical and a legal standpoint.
A certification service provider (CSP) effectively functions as a 'trusted third party' that authenticates the identity of persons involved in electronic communications and transactions and helps to substantiate the integrity of such persons.
One of the most common forms of authentication is the use of public key infrastructure (PKI) schemes. In a technical nutshell, in PKI schemes the identity of a person or entity is linked to a public key using an electronic document called a digital certificate. A CSP's role in the PKI scheme is to first verify the identity of certificate applicants, then issue the applicant with a certificate which contains specific identifying information about the applicant and its public key. It is important to note that PKI schemes are not the only forms of authentication available, but at present are probably the most regularly employed.
The role of the CSP in this process, as the entity responsible for identifying the certificate user and issuing the certificate, is critical. Indeed, the CSP (and its reliability and trustworthiness) acts as the very foundation to the integrity of the entire system and the relationships between participants.
Why was the new CSP framework introduced?
In recent years, the TRA has demonstrated a marked commitment to further developing and promoting information technologies in the UAE. Particular emphasis has been placed on promoting and encouraging electronic commerce, customer protection in the online environment, as well as removing obstacles that might hinder electronic transactions.
The establishment of a regulatory regime for the licensing, approval, monitoring and overseeing of CSPs was one of the tasks which had to be undertaken in order to achieve the above objectives. This task was realised through the promulgation of Ministerial Resolution No. 1 of 2008 Regarding the Issuance of Certification Service Provider Regulations published in the UAE official gazette on 31 December 2008 and a supplementary cabinet decision setting forth the respective fees due in relation to the CSP regime in February 2009 (collectively, the ‘CSP Regulations’).
What does the new CSP licensing framework entail?
An entity that wishes to provide CSP services is required to obtain a licence from the TRA. An application for a CSP licence is to be submitted to the TRA and must contain extensive information about the applicant. If granted, a CSP licence will be valid for a term of five years from the date of its grant, and may be renewed upon application of the licensee no later than three months before its expiry.
The CSP Regulations set out extensive operational criteria that must be adhered to by the CSP applicant and licensee, including the establishment and maintenance of a certification practice statement. The certification practice statement is a detailed document setting out the applicable processes, rules and procedures of how the CSP operates. The certification practice statement must comply with the requirements and guidelines of the TRA, and must be made publicly available. A CSP applicant must also demonstrate and maintain the availability of financial resources in an amount not less than five million Dirhams, and comply with information security standards such as the International Organization for Standardization 27000 series of standards or such other standards as may be promulgated by the TRA.
The CSP Regulations also set forth various requirements aimed at ensuring fair dealings and consumer protection, including the requirement that contracts entered into between the CSP and its signatories (effectively, its customers) must be fair, clear and comprehensible. In the event the CSP wishes to impose any purpose-based or monetary limits on a certificate, these must be stated clearly and unambiguously on the certificate itself.
The CSP Regulations also require that CSPs shall implement fair and efficient complaints resolution processes and establish privacy policies conforming with recognised international guidelines. The CSP Regulations also prescribe that any engagement by CSPs in advertising and commercial communications practices must be fair, honest and transparent.
To help ensure compliance, the CSP Regulations also require every CSP to undergo auditing and inspection procedures. In fact, every CSP must be audited upon application for a licence (or licence renewal) and every two years during the term of an existing licence.
Applicable fees under the CSP Regulations
To apply for the grant or renewal of a CSP licence, the applicant must pay to the TRA a licence processing fee of five thousand Dirhams. If successful, the applicant will need to pay an additional twenty thousand Dirhams per year for the TRA’s registration of the licence, or can instead pay seventy-five thousand Dirhams for registration for the entire five-year term following grant of the licence.
The licence processing fee and registration fee are not refundable. Additional fees may also be payable to the TRA where there are any amendments in CSP data or information relevant to the licence registration.
The newly implemented CSP Regulations are but one example of the TRA’s commitment to promoting the digital economy of the UAE. Although it is not yet clear exactly how the new framework will be administered (as supplementary application forms and guidelines referred to in the CSP Regulations are not yet publicly available on the TRA website), the regime itself is an encouraging starting point from which the regulation of CSPs and their activities in the UAE will commence.
By Lenka Glynn, Legal Director at DLA Piper Middle East LLP and Kelly Tymburski, Legal Consultant at DLA Piper Middle East LLP