According to the justifications, the Digital Code established new rules for trusted digital services, regulating both qualified and unqualified digital signatures, as well as the interaction between government bodies and certification centers in the sphere of digital document exchange.
The draft resolution will create a unified regulatory system that ensures the security and technological compatibility of digital documents. It is also aimed at enhancing the legal reliability of such documents and reducing the risks of their incorrect use.
The adoption of the new resolution will allow for the establishment of mandatory and unified procedures for government authorities, local administrations, and other participants in digital interaction. The document will comply with the principles of technological neutrality, as provided for in the Digital Code, which will help avoid artificial restrictions on the use of alternative digital signature technologies while meeting security requirements.
Furthermore, the project takes into account the transition to a trusted services architecture, within which certification centers, trusted service operators, government institutions, and private organizations will interact. To ensure effective interaction, unified regulatory acts are necessary to define the requirements for digital signatures and the procedure for data exchange.
It is also planned to create conditions for cross-border recognition of digital signatures, which aligns with Kyrgyzstan's international obligations and the provisions of the Digital Code.
Project
Project
Rules for the Use of Digital Signatures by Executive Authorities and Local Self-Government
General Provisions
These Rules define the procedure for the use of digital signatures by executive authorities and local self-government, as well as the requirements for ensuring the compatibility of such signatures during digital interaction or the provision of public digital services.
Interdepartmental digital interaction is carried out by participants using qualified digital signatures issued by accredited certification centers in accordance with established norms.
A digital document signed with a qualified digital signature has legal force in court and government bodies.
Procedure for the Use of Digital Signatures by Authorities
The issuance of a qualified signature verification key certificate to participants in digital interaction is carried out by accredited certification centers.
To obtain a qualified digital signature, the applicant must be registered in the unified identification system or in the corporate information system.
The signed digital document must contain a timestamp indicating the moment of signing.
The integrity of digital documents is verified using digital signature verification services.
The signature can be verified using the means of the accredited certification center.
In digital services, documents signed with a valid digital signature are processed.
A digital signature is considered valid if the conditions specified by law are met.
A participant who submits a document with an invalid signature will receive a notification of refusal to process it, signed with a digital signature.
The digital signature verification key certificate is valid from the moment of issuance unless another start date is specified.
Certificates are created taking into account the validity periods of keys established by operational documentation.
The termination of the digital signature verification key certificate is mandatory in case of a change of the authorized person or breach of key confidentiality.
The participant in digital interaction must immediately notify the certification center of any breach of key confidentiality.
In case of termination of the powers of the authorized person, the certification center must also be notified to terminate the certificate.
In the event of circumstances preventing the lawful use of the digital signature, the participant must notify the certification center.
The certification center enters information about the termination of the certificate into the registry within the established timeframes.
Requirements for Ensuring Compatibility of Digital Signatures
Digital signature means are considered compatible if they provide the same result when verifying the validity conditions of a qualified digital signature.
Digital signature keys must be created and verified in accordance with the requirements of the legislation.
Qualified certificates must comply with established requirements for form.
Digital signature means must have compliance certificates from authorized bodies.
Project
Rules for the Accreditation of Certification Centers
General Provisions
These Rules define the procedure for the accreditation of certification centers and the requirements for their activities.
The accreditation of certification centers is carried out by the sectoral regulator of the national ecosystem.
The accreditation of certification centers is voluntary.
The accreditation of certification centers is valid for 5 years unless a shorter term is specified in the certification center's application.
The root certification center is not subject to accreditation.
Accredited certification centers are required to pay an annual accreditation fee.
An accredited certification center must comply with the requirements of the legislation.
Requirements for Certification Centers
The accreditation of a certification center is carried out on the condition of meeting the following requirements:
the value of the net assets of the certification center is at least one million soms;
availability of financial security for liability for damages caused to other persons in the amount of at least one and a half million soms;
availability of digital signature means that meet the requirements;
the certification center must have at least 2 employees with higher education in the field of IT or cybersecurity;
The requirements established for private certification centers do not apply to government bodies, local authorities, and institutions performing the functions of certification centers.
Requirements for Completeness of Documents for Accreditation
The accreditation of a certification center is carried out based on an application submitted to the national ecosystem regulator.
The application must include the following information:
- organizational and legal form and name of the certification center;
- location and registration number of the certification center;
- taxpayer identification number of the certification center.
The following documents must be attached to the application:
1) founding documents of the certification center;
2) power of attorney or other document confirming the authority of the authorized person;
3) an extract from the balance sheet confirming the value of net assets;
4) a document on the availability of financial security for liability;
5) documents confirming the certification center's ownership of digital signature means;
6) documents confirming the presence of necessary employees in the certification center;
7) compliance certificate for digital signature means;
8) operating instructions for digital signature means;
9) a list of regulatory and technical documents regulating the activities of the certification center.
Administrative Procedures for Accreditation
The national ecosystem regulator makes a decision on the accreditation of the certification center or on refusal within 45 days.
The regulator verifies the accuracy of the information in the certification center's documents.
The regulator has the right to request additional documents for verification.
The regulator conducts inspections and accreditation of the certification center in accordance with current rules.
In case of accreditation, the regulator notifies the certification center and issues a certificate.
In case of refusal of accreditation, the regulator notifies the certification center of the reasons for the refusal.
The accredited certification center must comply with the requirements throughout the accreditation period.
Grounds for Suspension and Revocation of Accreditation
The grounds for refusal of accreditation are non-compliance with requirements or the presence of false information.
The regulator is obliged to issue an order to eliminate violations and suspend the accreditation.
Accreditation may be suspended for no more than 45 days.
The regulator enters information about the suspension of accreditation into the registry.
The certification center notifies the regulator of the elimination of violations.
The regulator checks the elimination of violations and makes a decision on the resumption of accreditation.
In case of revocation of accreditation, the regulator makes an entry in the registry.
In case of termination of the certification center's activities, it must notify the regulator one month before closing.
The regulator enters the corresponding entry in the registry within 5 days.
Procedure for Conducting Inspections of Accredited Certification Centers
The regulator has the right to conduct planned and unplanned inspections of accredited certification centers.
Planned inspections are conducted based on an annual inspection plan.
The plan includes information about legal entities, purposes, dates, and terms of inspections.
The approved plan is published on the regulator's website.
The basis for an unplanned inspection is the expiration of the order or citizen complaints.
Inspections are conducted in an on-site format, with a duration not exceeding twenty working days.
The inspection begins with the presentation of identification and familiarization with the inspection order.
The certification center is obliged to provide access to the necessary documents.
The regulator has the right to involve experts for conducting inspections.
Based on the inspection results, an act is drawn up, which is signed by the inspectors.
The act includes the inspection results and identified violations.
The act is issued to the certification center for review or sent by mail.
In case of violations, an order is issued specifying the deadlines for rectification.
If violations are not rectified, the regulator revokes the accreditation.
7. Procedure for Reporting by Certification Centers.
Certification centers must provide statistical reports on a quarterly basis.
Project
Procedure for Forming Registers of Qualified Certificates
General Provisions
1. This Procedure establishes the procedures for forming registers of qualified certificates issued by accredited certification centers.
2. Certification centers are recognized as accredited after passing accreditation.
3. The accredited certification center ensures the relevance of information in the register.
4. To prevent data loss about certificates, the certification center creates a backup.
5. Information in the register is stored for the entire duration of the certification center's activities.
6. The certification center ensures the protection of information from unauthorized access.
Formation of the Register of Qualified Certificates
7. The formation of the register includes entering data about issued certificates.
8. The maintenance of the register is ensured by means of digital authentication.
9. The register consists of sections: certificates issued to individuals and legal entities, suspended and revoked certificates.
10. The sections contain unique certificate numbers, dates of their validity, and information about the owners.
11. The sections contain information about the suspension and revocation of certificates.
12. When changes are made to the register, the certification center notifies the certificate owner.
13. Information about the suspension of a certificate is entered into the register within 1 working day.
14. Information about the revocation of a certificate is also entered into the register within 1 working day.
15. The certification center notifies the owner of all changes in the register.
16. The transfer of the register occurs in case of termination of the certification center's activities.
17. The certification center transfers the register and digital records in the established manner.
18. The certification center ensures access for certificate owners to information in the register.
19. The register is placed on the certification center's website for access by owners.
20. Certificate owners can demand correction of inaccurate information in the register.
Project
Procedure for Carrying Out the Functions of a Trusted Third Party of the Kyrgyz Republic
1. General Provisions
This procedure defines the goals, tasks, and functions of a trusted third party in the exchange of digital documents.
The authenticity of signatures based on certificates issued by foreign certification centers is recognized by the trusted third party.
The procedure for interaction with trusted parties of other states is determined by international treaties.
2. Goals and Functions of the Trusted Third Party
The trusted third party ensures the mutual recognition of the authenticity of digital signatures.
The main tasks include verifying digital signatures, providing guarantees of trust, and ensuring the lawful application of digital signatures.
The trusted third party must perform functions established by international treaties.
The validity of a digital signature is recognized using the means of the root certification center.
The functions are implemented using state digital services.
3. Rights and Obligations of the Trusted Third Party
The trusted third party has the right to suspend or refuse cross-border document exchange if the signature is recognized as invalid.
The trusted third party is obliged to ensure the level of data protection and maintain records of completed operations.
It must also inform participants of cases of signatures being recognized as invalid.
The trusted third party is responsible for the improper performance of its obligations.
