|(Promulgated, SG, No.34/06.04.2001, in force since 07.10.2001, amended, SG, No.112/29.12.2001, in force since 05.02.2002)|
Scope of Applicability
(1) This Act shall regulate electronic document, electronic signature and terms and procedure for providing certification services.
(2) This Act shall not apply:
1. for transactions, for which the law requires a qualified written form;
2. when the act of holding of a document or a copy of it has any legal significance (securities, bills of lading, other).
ELECTRONIC DOCUMENT AND ELECTRONIC SIGNATURE
(1) Electronic statement shall be a verbal statement, represented in a digital form through a common standard for transformation, reading and visual representation of information.
(2) The electronic statement may contain as well nonverbal information.
(1) Electronic document shall be an electronic statement, recorded on magnetic, optical or other carrier that allows it to be reproduced.
(2) The written form shall be considered observed if an electronic document has been composed.
Signatory and Owner of an Electronic Statement
Signatory of an electronic statement shall be the natural person that is named in the statement as its performer. Owner of an electronic statement shall be the person on behalf of whom the electronic statement has been performed.
Addressee of an Electronic Statement
Addressee of an electronic statement may be a person that by virtue of a Law is obliged to receive electronic statements or that according to unambiguous circumstances may be considered to have agreed to receive the statement in an electronic form.
Intermediary of an Electronic Statement
(1) Intermediary of an electronic statement shall be a person that upon assignment by the owner sends, receives, records, or stores an electronic statement or performs other services, related to it.
(2) The intermediary of an electronic statement shall be obliged:
1. to have technical and technological equipment that is to ensure the trustworthiness of the used systems;
2. to maintain staff that has the necessary expert knowledge, experience and qualification;
3. to ensure conditions for exact determination of the time and source of the transferred electronic statements;
4. to use trustworthy systems for the storage of the information under Point 3;
5. to store the information under Point 3 for a term of six months.
(3) The intermediary of an electronic statement shall be liable for damages caused by non-performance of his or her obligations under Paragraph 2.
Mistake in Transferring an Electronic Statement
The owner shall take the risk of mistakes in transferring the electronic statement, unless the addressee has not exercised reasonable care.
Receipt of an Electronic Statement
(1) The electronic statement shall be considered received if the addressee confirms the receipt.
(2) If no time for confirmation of receipt has been specified the confirmation should be made in a reasonable time.
(3) The confirmation of receipt shall not certify the content of the electronic statement.
Time of Sending an Electronic Statement
The electronic statement shall be sent with its entering into an information system that is not under the control of the signatory.
Time of Receiving an Electronic Statement
(1) The electronic statement shall be received with the sending of a confirmation for its receipt by the addressee.
(2) If a confirmation is not required, the electronic statement shall be received with its entering into the information system, specified by the addressee. If the addressee has not specified an information system, the statement shall be received with its entering into an information system of the addressee, and if the addressee does not have an information system - with its retrieving by the addressee from the information system it has entered into.
Time of Electronic Statement Acquiring
The addressee of the electronic statement shall be considered to have acquired the content of the statement in a reasonable time since its receipt.
Place of Sending and Receiving an Electronic Statement
(1) The electronic statement shall be considered sent from the place of business of its owner.
(2) The electronic statement shall be considered received in the place of business of its addressee.
(3) If the owner or the addressee of the statement has more than one place of business, the place of business shall be considered to be the one that is most closely related to the statement and its performance, with taking into account the circumstances, which the owner and the addressee have known or have taken into consideration at any time before or during the performance of the statement.
(4) If the owner or the addressee does not have a place of business, their permanent residence shall be taken into consideration.
(1) Electronic signature shall be:
1. any information, related to the electronic statement in a way, concerted between the signatory and the addressee, secure enough in view of the turnover needs, that:
a) reveals the identity of the signatory;
b) reveals the consent of the signatory with the electronic statement; and
c) protects the content of the electronic statement from subsequent changes.
2. an advanced electronic signature;
3. an universal electronic signature.
(2) An electronic signature under Points 1 and 2 shall have an effect of a handwritten signature, unless the owner or the addressee of an electronic statement is a state authority or a local self-government authority.
(3) An universal electronic signature shall have an effect of a handwritten signature towards everyone. The Council of Ministers shall specify the state authorities that may use another type of electronic signature in their relations.
Secrecy of a Signature-Creation Data
No one except for the signatory shall have the right of access to the signature-creation data.
Contesting an Electronic Signature
(1) The person, indicated as an owner or a signatory of the electronic statement, may not contest the authorship in relation to the addressee, if the statement has been signed with an electronic signature, and:
1. the statement has been sent through an information system, designed to work in an automatic regime; or
2. the statement has been performed by a person, to whom an access to the method of identification has been given.
(2) Paragraph 1, Point 2 shall not apply from the moment the addressee receives a notification that the electronic statement does not come from the signatory and the addressee has enough time to adapt his or her behavior to the notification.
(3) Paragraph 1 shall not apply when the addressee of the statement has not exercised reasonable care.
ADVANCED ELECTRONIC SIGNATURE
(1) Advanced electronic signature shall be a transformed electronic statement, included, added or logically related to the same electronic statement before its transformation.
(2) The transformation under Paragraph 1 is done through algorithms, including the use of the private key of an asymmetric cryptosystem.
(3) The requirements to the algorithms shall be defined in a Regulation of the Council of Ministers.
Mechanism for Creation and Verification of an Advanced Electronic Signature
(1) Persons, creating an advanced electronic signature should apply a mechanism guaranteeing, that:
1. the signature-creation data can occur only during the electronic signature creation and the secrecy of the data is reasonably assured;
2. the signature-creation data is not accessible, cannot be derived and the signature is protected against forgery;
3. the signature-creation data can be protected by the signatory against the use of others;
4. the content of the statement is made available to the signatory and remains unaltered until the creation of the electronic signature.
(2) Persons, verifying an advanced electronic signature should apply a mechanism guaranteeing, that:
1. the data ascertaining the use of the private key corresponds to the data, given to the person, using the public key;
2. the use of the private key has been reliably verified and the results of that verification have been given to the person that had used the public key.
Secrecy of the Private Key
No one except for the signatory shall have the right of access to the private key.
Activities of the Certification-Service-Providers
(1) Certification-service-provider shall be a person, that:
1. issues certificates under Article 24 and keeps their registry;
2. provides a third person with access to the certificates that have been published.
(2) The certification-service-provider may offer services on the creation of the advanced electronic signature private and public key.
Organizations for Voluntary Accreditation
(1) Certification-service-providers may set up organizations for voluntary accreditation aiming to achieve higher level in the certification services they offer.
(2) The organizations for voluntary accreditation assist the acknowledgement of the legal effect of certificates, issued by the Bulgarian service-providers abroad, and also certificates issued by the foreign service-providers in Bulgaria.
(3) Conditions for participation in the organizations for voluntary accreditation should be widely accessible and should create equality among all certification-service-providers.
Requirements towards Activities of the Certification-Service-Providers
(1) Certification-service-providers perform their activities, while:
1. maintaining available resources that are to ensure performance of their activities in accordance with the requirements of this Law;
2. insuring themselves for the time of their activities against the damages caused by non-performance of their obligations under this Law;
3. having technical equipment and technology, that is to ensure the trustworthiness of the used systems and technical and cryptographic security of the processes they perform;
4. keeping staff that has the necessary expert knowledge, experience and qualification for the performance of activities, especially in the area of advanced electronic signatures technology, and also good level of understanding of the security procedures;
5. ensuring conditions for exact determination of the time of issuance, suspension, renewal, and revocation of the effect of the certificates;
6. ensuring measures against the forgery of certificates and for the confidentiality of the data they have access to in the process of signature creation;
7. using trustworthy systems for storage and administration of certificates, that are to ensure:
a) that only duly authorized employees have access to make changes;
b) that the authenticity and validity of the certificates can be ascertained;
c) possibility for a limited access to the published certificates;
d) any appearance of technical problems in relation to security to be made known immediately to the staff;
e) possibility for the private key confirmation to be canceled with the expiration of the term of the certificate.
8. ensuring possibility for immediate suspension and revocation of the effect of the certificates.
9. immediately informing the Communications Regulation Commission on the beginning of activities under Article 19.
(2) The Council of Ministers shall adopt Regulation under Points 1, 2 and 3 of Paragraph 1.
(3) The certification-service-provider may not use the information it stores for purposes, different from the ones, relating to its activities. It may give to third parties only the information, included in the certificates.
Obligations of the Certification-Service-Provider
The certification-service-provider shall be obliged:
1. to issue a certificate upon request by any person, while prior to that the certification-service-provider has to inform that person if it has been registered under the procedure of Chapter Four and whether it is participating in the organizations for voluntary accreditation;
2. to inform persons, willing to have a certificate issued, on the terms for issuance and use of the certificate, including the restrictions of its effect, as well as on the procedures for complaints submission and disputes resolution;
3. when issuing certificates, to examine by admissible means, the identity of the signatory and the owner of the advanced electronic signature and, if necessary, any other data about these persons, included in the certificate;
4. to publish the certificate that has been issued, so as third parties to have access to it according to the instructions of the owner;
5. not to store or copy data used for the creation of private keys;
6. to undertake immediate actions in relation to the suspension, renewal, and revocation of the effect of the certificate, when finding the relative grounds for it;
7. immediately to inform the owner and the signatory on circumstances relating to the validity or trustworthiness of the issued certificate;
8. to possess an advanced electronic signature, that is to be used only in relation to its activities as a certification-service-provider.
Relations with the Owner
The relations between the certification-service-provider and the owner shall be regulated by a written contract.
Advanced Electronic Signature Certificates
(1) Certificate shall be an electronic document, issued and signed by a certification-service-provider that includes:
1. the name, address, personal identification number (PIN) or BULSTAT of the certification-service-provider, as well as an indication of its nationality;
2. the name or the trade name, address and court registration data of the owner of the advanced electronic signature;
3. the grounds for authorization, the name and address of the natural person (signatory) that is authorized to make electronic statements on behalf of the owner of the advanced electronic signature;
4. the public key that corresponds to the private key of the owner of the advanced electronic signature;
5. the identifications of algorithms with the help of which the public keys of the owner of the advanced electronic signature and of the certification-service-provider are used;
6. the date and the hour of issuance, suspension, renewal, and revocation of the effect;
7. the term of validity;
8. the restrictions of the effect of the signature;
9. the unique identification code of the certificate;
10. the liability and guarantees of the certification-service-provider;
11. reference to the advanced electronic signature certificate under Article 22, Point 8 of the certification-service-provider and to its registration at the Communications Regulation Commission.
(2) When the authorization of the signatory comes from other authorized persons the certificate should include the data under Point 2 of Paragraph 1 for these persons.
(3) Unless something else has been agreed the certificate shall have effect for a period of three years.
(4) The owner and the signatory are obliged to inform immediately the certification-service-provider for any changes in the circumstances, indicated at the certificate.
(5) Changes in the circumstances, indicated in the certificate, cannot be opposed to third conscientious parties.
Issuance of a Certificate
(1) The certification-service-provider shall issue a certificate upon a written request from the owner.
(2) The request under Paragraph 1 shall be satisfied, if:
1. it comes from the owner or a person, duly authorized by him or her;
2. the information concerning the owner, presented to be included in the certificate is veracious and complete; and
3. the private key:
a) is held by the owner;
b) is technically usable for the creation of an advanced electronic signature; and
c) corresponds to the public key, so that through the public key it can be certified that certain advanced electronic signature has been created using the private key.
(3) If the requested certificate concerns an advanced electronic signature of a signatory, different from the owner, the request shall be satisfied, if the requirements under Paragraph 2 have been observed, and:
1. the information presented to be included in the certificate concerning the signatory is also veracious and complete; and
2. the signatory holds the private key.
(4) With the fulfillment of the request the certification-service-provider shall demand from the owner, respectively from the signatory, to accept the content of the requested certificate. It shall change the content of the certificate, if the owner, respectively the signatory, points out inexactness or incompleteness.
(5) The certification-service-provider shall immediately issue the certificate, the content of which has been accepted under the procedure of Paragraph 4 through its publication in the registry of certificates.
Suspension and Renewal of the Effect of the Certificate
(1) Unless something else has been agreed, the certification-service-provider shall have the right to suspend the effect of a certificate, it has issued, for a term needed under the circumstances, but for no more than 48 hours, if there exists a well-founded doubt that the effect of the certificate has to be revoked.
(2) Unless something else has been agreed, the certification-service-provider shall be obliged to suspend the effect of a certificate, issued by it, for a term needed under the circumstances, but for no more than 48 hours:
1. upon a request from the owner, respectively from the signatory, without having an obligation to convince itself in his or her identity or representative authority;
2. upon a request from a person, for whom it is obvious under the circumstances that he or she may know as an agent, partner, employee, member of the family, etc., about infringements of the security of the private key;
3. upon a request from the Communications Regulation Commission.
(3) In case of a present danger for the interests of third parties or in case of existence of enough data about the violation of the law, the Chair of the Communications Regulation Commission may oblige the certification-service-provider to suspend the effect of the certificate for a term needed under the circumstances, but for no more than 48 hours.
(4) The certification-service-provider shall immediately notify the owner and the signatory about the suspension of the effect of the certificate.
(5) The suspension of the effect of the certificate shall be made through making the access to it impossible.
(6) The effect of the certificate shall be renewed:
1. with the expiration of the term of suspension;
2. by the certification-service-provider in case of dropping out of the ground for suspension or upon a request from the owner after the certification-service-provider, respectively the Communications Regulation Commission, have convinced themselves that he or she has learned of the cause for suspension as well as that the request for renewal has been made in consequence of learning.
Revocation of the Effect of the Certificate
(1) The effect of the certificate shall be revoked:
1. with the expiration of the term;
2. with the death or placing under legal incapacity of the natural person - certification-service-provider;
3. with the dissolution of the legal person of the certification-service-provider without transferring its activities to another certification-service-provider.
(2) The certification-service-provider shall be obliged to revoke the effect of the certificate upon a request from the owner or the signatory after it has convinced itself in the identity and representative authority of the owner, respectively the signatory.
(3) The certification-service-provider shall revoke the effect of the certificate in case of:
1. death or placing under legal incapacity of the owner or the signatory;
2. dissolution of the legal person of the owner;
3. revocation of the representative authority of the signatory towards the owner;
4. ascertaining that the certificate has been issued on the basis of false data.
Registry of Certificates
(1) The certification-service-provider shall maintain an electronic registry in which it publishes its own electronic signature certificate under Point 8 of Article 22, and the other issued certificates.
(2) The certification-service-provider cannot limit the access to the registry. Only the signatory can limit the access to his/her signature certificate.
(3) The certification-service-provider shall also publish in the registry under Paragraph 1 information about:
1. the terms and procedure for issuance of a certificate, including the rules for ascertaining the identity of the owner of an advanced electronic signature;
2. the security procedures of the certification-service-provider;
3. the way of using the advanced electronic signature;
4. the terms and procedure for using the advanced electronic signature, including the requirements for storing the private key;
5. the conditions for access to the certificate and the ways of checking the advanced electronic signature;
6. the price for receiving and using a certificate, as well as the prices of the other services, provided by the certification-service-provider;
7. the liability of the certification-service-provider and the owner of an advanced electronic signature;
8. the terms and procedure under which the owner makes a request for revocation of the effect of an advanced electronic signature.
(4) The method for maintaining the registry under Paragraph 1 shall be regulated with a Regulation of the Council of Ministers.
Liability of the Certification-Service-Provider
(1) The certification-service-provider shall be liable before the owner of the advanced electronic signature and all third parties for the damages caused:
1. by non-performance of the requirements under Article 21 and of the obligations under Article 22 and 25;
2. from false or missing data in the certificate at the moment of its issuance;
3. to them in case that during the issuance of the certificate the person, pointed as a signatory, has not disposed of the private key, corresponding to the public key;
4. by non-correspondence of the data for the use of the private key and the data disposed to the person using the public key.
(2) The agreements by which the certification-service-provider's liability for negligence is excluded or limited shall be invalid.
(3) The certification-service-provider shall not be liable for damages, caused by the use of the certificate beyond the limits of restrictions of its effect, listed in it.
Liability of the Owner and the Signatory towards Third Parties
(1) The owner shall be liable towards conscientious third parties, when during the creation of the key pair (public and private key) an algorithm not corresponding to the requirements of the Regulation under Article 16, Paragraph 3 has been used.
(2) The owner shall be liable towards conscientious third parties, if the signatory:
1. does not perform exactly the security requirements, specified by the certification-service-provider;
2. does not request from the certification-service-provider revocation of the certificate, when he has learned that the private key has been used illegally or a danger of its illegal use exists.
(3) The owner, who has accepted the certificate with its issuance, shall be liable towards conscientious third parties:
1. if the signatory is not authorized to hold the private key corresponding to the public key pointed in the certificate;
2. for false statements made before the certification-service-provider that are related to the content of the certificate.
(4) The signatory, who has accepted the certificate with its issuance, shall be liable towards conscientious third parties, if he has not been authorized to request the issuance of the certificate.
Liability of the Owner and the Signatory towards the Certification-Service-Provider
The owner, respectively the signatory, shall be liable towards the certification-service-provider, if he or she has accepted the certificate, issued by the certification-service-provider on the basis of false data, presented by him or her, respectively on the basis of data concealed by him or her.
Regulation and Control
Powers of the Communications Regulation Commission
(1) The Communications Regulation Commission shall have the following powers:
1. to exercise control over the certification-service-providers concerning the trustworthiness and security of the certification services;
2. to approve the manuals for the consumers and the prescribed security procedures;
3. to work out, co-ordinate and propose to the Council of Ministers for adoption draft Regulations under this Law and also concerning:
a) The regulation of the activities of the registered certification-service-providers and the procedure for termination of their activities;
b) The requirements concerning the format of certificates issued by the certification-service-providers;
c) The requirements for the storage of information on the services provided by the certification-service-providers;
d) The requirements for the content, form and sources in relation to the information disclosed by the certification-service-providers;
(2) In the performance of its functions the Communications Regulation Commission shall have the right:
1. of free access to the objects liable to control;
2. to examine the documents proving the qualification of the staff of the certification-service-providers;
3. to request information and documents related to the exercise of control;
4. to determine persons that would control the fulfillment of the requirements of Article 17 and Article 21, Paragraph 1 by the certification-service-providers.
(3) The Communications Regulation Commission shall maintain and publish the list of persons under Paragraph 2, Point 4.
(4) The activities of the certification-service-providers and the procedure for termination of their activities, the requirements concerning the format of certificates issued by the certification-service providers, the requirements for the storage of information on the services provided by the certification-service-providers, the requirements for the content, form and sources in relation to the information disclosed by the certification-service-providers, the requirements towards persons under Paragraph 2, Point 4 as well as procedure and conditions for their inclusion in the list under Paragraph 3 shall be defined in a Regulation of the Council of Ministers.
UNIVERSAL ELECTRONIC SIGNATURE
(1) Universal electronic signature shall be an advanced electronic signature, the certificate for which is issued by the certification-service-provider, registered under Article 34.
(2) Universal electronic signature shall be also:
1. the electronic signature of the Communications Regulation Commission, with which it signs acts, issued on the basis of its powers, determined by the law.
2. electronic signatures under Point 8 of Article 22 of the registered certification-service-providers.
(1) The Communications Regulation Commission registers the certification-service-providers and keeps the registry of their advanced electronic signature certificates under Article 22, Point 8.
(2) The Communications Regulation Commission publishes at the registry under Paragraph 1 its own advanced electronic signature certificate under Article 33, Paragraph 2, Point 1.
Powers of the Communications Regulation Commission towards Registered Providers
(1) The Communications Regulation Commission has the following powers:
1. registers the certification-service-providers;
2. refuses to register the certification-service-providers that do not fulfill the necessary requirements;
3. deletes the registration of the certification-service-providers.
(2) The Communications Regulation Commission shall provide information about the public keys of the registered certification-service-providers. The information is provided in an electronic form, contains the certificates and it is signed with the universal electronic signature of the Communications Regulation Commission.
Registration of the Certification-Service-Providers
(1) Along with submitting an application for registration as a certification-service-provider the applicant shall present:
1. certificate for current court registration;
2. an insurance policy under article 21, paragraph 1, point 2;
3. the rules for issuance of a certificate, including the rules for ascertaining the identity of the owner of the universal electronic signature;
4. the security procedures applied during issuance and use of the universal electronic signature;
5. the terms and procedure for using the universal electronic signature, including the requirements for storing the private key;
6. the price for receiving and using a certificate as well as the prices for the rest of the services, provided by the certification-service-provider;
7. declaration that the requirements under Article 21, Paragraph 1, Points 1, 3 and 4 have been fulfilled;
8. documents proving the fulfillment of the requirements under Article 17 and Article 21, Paragraph 1, Points 5 - 8;
(2) The application for registration shall be considered in a one-month term. Registration may be denied only if the applicant has not presented the necessary documents, does not satisfy the requirements under Paragraph 1 of Article 21 and Article 17, or has not paid the necessary state fee.
(3) The notification for the denial should point all the defects of the application.
(4) The denial for registration shall be appealed through the procedure under the Law on Administrative Proceedings.
(5) The applicant may remove the defects and may submit a new application.
(6) The procedure for registration shall be specified with a Regulation of the Council of Ministers.
Deletion of Registration
(1) The registration shall be deleted:
1. if the applicant has presented a false data;
2. in case of flagrant or systematic violations of this Law and of the Regulations on its application.
(2) The activities of the registered certification-service-provider shall be terminated with the deletion of the registration, unless the activities are not transformed to another registered certification-service-provider.
(3) The termination of the activities of the registered certification-service-providers on the issuance of the universal electronic signature certificates shall be regulated with the Regulation under Article 32, Paragraph 4.
Registry of Certification-Service-Providers
(1) The registry of certification-service-providers shall be public. Anyone may request information for the registered certification-service-providers.
(2) Anyone may request information on the terms and procedure for registration of a certification-service-provider.
(1) For the registration of the certification-service-providers and providing information under Article 35, Paragraph 2 a state fee shall be collected.
(2) The rate of the state fee shall be specified with a tariff, approved by the Council of Ministers.
Activities of the Registered Certification-Service-Provider
The registered certification-service-provider that has issued a certificate for universal electronic signature certifies the date and the hour of the presentation of the electronic document signed with such a signature.
APPLICATION OF ELECTRONIC DOCUMENT AND UNIVERSAL ELECTRONIC SIGNATURE BY THE STATE AND MUNICIPALITIES
Obligation for Accepting and Issuing Electronic Documents
(1) The Council of Ministers shall determine its subordinate authorities, which:
1. may not deny acceptance of electronic documents, signed with an universal electronic signature;
2. may not deny issuance of permits, licenses, approvals, and other administrative acts in the form of an electronic document, signed with an universal electronic signature;
(2) The acceptance and issuance in the court system of electronic documents, signed with an universal electronic signature, shall be regulated by a Law.
(3) The acceptance and issuance of electronic documents, signed with an universal electronic signature, by other state authorities except for the ones under Paragraphs 1 and 2 and by the local self-government authorities shall be regulated by their own acts. The procedure and form for performing and storing of the electronic documents shall be regulated by internal rules.
Storage of Electronic Documents
The state authorities and the local self-government authorities shall be obliged to store the electronic documents within the established period for storing documents.
PROTECTION OF PERSONAL DATA
Obligation for Personal Data Protection
(1) The protection of personal data, collected by the certification-service-providers, needed for the activities, carried out by them, and the protection of registers kept shall be regulated by a Law.
(2) The regime under Paragraph 1 shall also apply in relation to the personal data known to the Communications Regulation Commission, which during the performance of its obligations supervises the activities of the certification-service-providers.
(3) The certification-service-providers shall collect personal data about the signatory and the owner of the signature, only to the extent necessary for issuing and using a certificate.
(4) Data about a third party may be collected only with the explicit consent of the person it is related to.
(5) The collected data may not be used for purposes, different from the ones pointed in Paragraph 3, except with the explicit consent of the person it is related to or if this is permitted by a Law.
RECOGNITION OF CERTIFICATES ISSUED BY CERTIFICATION-SERVICE-PROVIDERS ESTABLISHED IN OTHER COUNTRIES
Grounds and Procedure
(1) Certificates, issued by certification-service-providers, registered in other countries in accordance with the national legislation of these countries, shall be recognized as equal to certificates, issued by a Bulgarian certification-service-provider, if one of the following conditions has been met:
1. the obligations of the certification-service-provider that has issued the certificate and the requirements for its activities correspond to the requirements, provided in this Law, and the certification-service-provider is recognized in the country, where it is established;
2. a Bulgarian certification-service-provider that has been accredited by the organization under Article 20 or that has been registered under Article 34, has taken an obligation to be liable for actions or failure to take actions by the certification-service-provider, established in another country, in cases falling under Article 29; or
3. the certificate, or the certification-service-provider that has issued the certificate, were recognized according to an international agreement that has come into force.
(2) The conditions under Point 1 and 2 of Paragraph 1 shall be ascertained by the Communications Regulation Commission through the act of publishing into an electronic register of:
1. public key certificates of foreign certification-service-providers recognized by the Communications Regulation Commission to be in conformity with Paragraph 1, Point 1.
2. the electronic signature certificate of the foreign certification-service-provider, for which the liability has been accepted under Paragraph 1, Point 2 and the electronic signature certificate of the Bulgarian certification-service-provider that has accepted the liability and conditions upon which the liability has been accepted.
ADMINISTRATIVE PENAL PROVISIONS
(1) Anyone who commits or allows the commitment of an offence under Article 17, Article 18, Article 19, Paragraph 1, Article 21, Paragraphs 1 and 3, Article 22, Article 24, Paragraphs 1 and 2, Article 25, Paragraphs 2, 3 and 5, Article 26, Paragraphs 2, 3, 4, 5 and 6, Article 27, Paragraphs 2 and 3, Article 28, Paragraph 1, 2 and 3, Article 29, Paragraph 1, Article 30, Paragraph 1 shall be liable to a fine from 100 to 10 000 BGL, if the offence is not qualified as a crime.
(2) In cases under Paragraph 1 a legal person or a sole proprietor shall be liable to a property sanction to an amount from 500 to 50 000 BGL.
Findings of the Offences, Drawing up of Statements and Issuance of Penal Enactments
(1) The statements on findings of the offences shall be drawn up by persons, authorized by the Chair of the Communications Regulation Commission and the penal enactments shall be issued by him or her or by an official, authorized by him or her.
(2) With the finding of the offences persons drawing up the statements may confiscate and retain the material evidence related to the ascertaining of the offences through the procedure under Article 41 of the Law on Administrative Offences and Penalties.
(3) The drawing up of statements and the issuance, appeal, and execution of penal enactments shall be carried out through a procedure set up in the Law on Administrative Offences and Penalties.
§ 1. Within the meaning of this Law:
1. 'Qualified written form' is a form for validity or form giving proof, where the law envisages additional requirements to the written form, such as certification of a signature by a notary, deed of a notary, handwritten statement, participation of witnesses or civil servants at the time the statement was performed and others.
2. 'Asymmetric cryptosystem' shall be a system for encryption of information, allowing the creation and use of cryptographic key pairs, that includes a private key connected through an algorithm to a public key, and having the following characteristics:
a) the content of the electronic statement can be encrypted with one of the keys, and it can be decrypted with the other;
b) through the use of the public key it can be undoubtedly determined whether the transformation of the original electronic statement has been made using its corresponding private key and whether the electronic statement has been altered after its transformation;
c) if one of the keys is made known, it is practically impossible to find out the other.
3. 'Cryptographic key' shall be a sequence of bits, used in an algorithm for the transformation of information from readable into ciphered form (encryption) or vice versa from ciphered into readable form (decryption).
4. 'Public key' shall be the one of the key pair, used in an asymmetric cryptosystem, that is accessible to all and used by everyone for the electronic signature verification;
5. 'Private key' shall be the one of the key pair, used in an asymmetric cryptosystem for the electronic signature creation;
6. 'Signature-creation-device' shall be the configured software or hardware used to implement the signature-creation-data;
7. 'Signature-creation-data' shall be the unique data such as codes or cryptographic keys, used by the signatory for an electronic signature creation.
TRANSITIONAL AND FINAL PROVISIONS
§2. In the Law on Telecommunications (Promulgated: SG 93/August 11, 1998; Amended: SG 26/March 23, 1999, in force since March 23, 1999; SG 10/February 4, 2000, in force since February 4, 2000; SG 64/August 4, 2000) in Article 22 a new paragraph 4 is added:
"(4) The State Telecommunications Commission registers and supervises provision of certification services, related to electronic signatures, under the procedure set up in a separate law."
§3. This Act comes into force six months after its promulgation in State Gazette.
§4. The Council of Ministers shall prepare the Regulations referred to in this Law within a period of five months after its promulgation and shall adopt them in one-month term after the Law comes into force.
§5. The application of this Law is assigned to the Council of Ministers and to the State Telecommunications Commission.
TRANSITIONAL AND CONCLUDING PROVISIONS
to the Law on Amending and Supplementing the Law on Telecommunications
(SG, No.112/2001, in force since 05.02.2002)
§78. (1) In the Law on Electronic Document and Electronic Signature (SG, No.34/2001) everywhere the words "State Telecommunications Commission" shall be replaced with "Communications Regulation Commission".