Thursday, December 8, 2011

3. Identification of Regulations Required

The ESA sets out specific provisions mentioning regulations that may be made by the Minister on the recommendation of the NITA-U. We have identified various sets of regulations below (set out in bold type) that may have to be drafted in line with the provisions of the ESA. The section numbers set out in parentheses are references to the specific provisions of the ESA.

i. Procedures relating to qualifications and recognition of certification service providers, auditors, repositories and date stamp services

Procedures for recognising certification service providers (13(b)(i)); Procedures for recognising certification service providers outside of Uganda (13(b)(ii)) (37(1)); Procedures for recognising government entities for operating as certification service providers (13(b)(iii)); Qualifications required for certification service providers (23); Forms and procedures of applications (exemptions, renewals, replacements) for a licence as a certification service provider (22(3)) (25) (35) (36); Licence fees (and renewal fees, replacement fees) payable by certification service providers (26) (35) (36); Regulation of activities of certification service providers (regulations and/or licence conditions) (33) (39); Qualifications for auditors and procedures for auditing certification service providers (38(3)); Requirements for recognition of repositories and procedures for recognition (77); Requirements for recognition of date stamp services and procedures for recognition (79)

ii. Procedures relating to the issuance, revocation and suspension of certificates issued by certification service providers

Fees payable by subscribers (for certificates and revocation of certificates) to certification service providers (24(1)) (72(b)); Procedures for suspensions of certificates by the Controller (63)

iii. Regulations relating to information requirements in respect of certification service providers

Regulations for the maintenance of a database of certification service provider disclosure records (21(3)), together with requirements for the content, form and sources of information in certification service provider disclosure records, the updating and timeliness of such information and other practices and policies relating to certification service provider disclosure records (97(1)(d)); The form of certification practice statements (97(1)(e)); Requirements for the submission of information by certification service providers to the Controller (41(1)); Fees payable for requests for disclosures of certification practice statements and other facts in an investigation (44(2))

iv. Procedures relating to standards for secure electronic signatures

Security procedures (necessary for secure electronic signatures) (11(1)); The procedure for the review of software for use in creating digital signatures and of the applicable standards in relation to digital signatures and certification practice and for the publication of reports on such software and standards (97(1)(i))

In addition to the provisions specifically mentioning regulations set out above, there are a few other provisions in the ESA that lend themselves to the promulgation of regulations. We have identified the further regulations that might be necessary below (in bold type). Note that section 97 is a catchall provision dealing with the making of regulations, and it states, in addition to listing certain regulations, that the Minister may make regulations as are necessary for giving full effect to the provisions of the ESA and their implementation.

v. Procedures for revocation of licences of certification service providers (to supplement section 27)

vi. Procedures for appeals (to supplement section 28)

vii. Procedures for orders by the controller to revoke certificates (to supplement section 49)

viii. Procedures for publication of unreasonable risk advisories with repositories (to supplement section 80)


Identification of Regulations Required Questions

  1. We would first like to solicit your comment on the sufficiency of the list of regulations identified.

  2. In addition to your comment on the sufficiency of the list of regulations that we have identified (i.e. is it over-inclusive), we would like your suggestions for any other regulations that are necessary to give effect to the provisions of the ESA. In particular, we would like to request you to consider whether there are any other necessary or appropriate regulatory interventions that will need to be made.

  3. We also welcome any experience you can share with us regarding specific issues. For example, in respect of procedures relating to standards for secure electronic signatures, do you suggest incorporation by reference of internationally recognised standards, and if so, which ones?
