The Information Technology (Recognition of Foreign Certifying Authorities Operating under a Regulatory Authority) Regulations, 2013
Published vide Notification New Delhi, the 6th April, 2013
Ministry of Communications And Information Technology
(Department of Electronics and Information Technology)
G.S.R. 204 (E). - In exercise of the powers conferred by clause (b) of sub-section (2) of Section 89 of the Information Technology Act, 2000 (21 of 2000), the Controller hereby, after consultation with the Cyber Regulations Advisory Committee and with the previous approval of the Central Government, makes the following Regulations, namely: -
1. Short title and Commencement.- (1) These Regulations may be called the Information Technology (Recognition of Foreign Certifying Authorities operating under a Regulatory Authority) Regulations, 2013.
(2) They shall come into force on the date of their publication in the Official Gazette.
2. Definitions.- In these Regulations, unless the context otherwise requires,-
(a) "Act" means the Information Technology Act, 2000 (21 of 2000);
(b) "Certifying Authority" means a person who has been granted a licence to issue a Digital Signature Certificate under section 24;
(c) "Controller" means the Controller of Certifying Authorities appointed under sub-section (1) of Section 17 of the Act;
(d) "Foreign Certifying Authority" means a certifying authority other than one licensed to issue a digital signature certificate under Section 24 of the Act and whose installed facilities and infrastructure associated with all functions of generation, issue and management of digital signature certificates are located outside India;
(e) "Recognized Foreign Certifying Authority" means a Foreign Certifying Authority who has been granted recognition under these regulations pursuant to sub-section (1) of Section 19 of the Act;
(f) Words and expressions used herein and not defined, but defined in the Act, shall have the meanings respectively assigned to them in the Act.
3. Recognition of foreign certifying authorities which operate under a regulatory authority in that country.- (A) Recognition of Foreign Certifying Authorities.-
(1) A foreign certifying authority shall be deemed as recognized under these regulations if it has been authorized to issue Digital Signature Certificates by a recognized regulatory authority established under the laws of a country other than India.
(2) A regulatory authority shall be specified as a recognized regulatory authority under these regulations if the laws of the country under which such regulatory authority is established require a level of reliability at least equivalent to that required for issue of a Digital Signature Certificate under the Act and such regulatory authority accords similar recognition to the Controller and to certifying authorities licensed under the Act.
(3) The Controller may, with the previous approval of the Central Government, publish in the Official Gazette, a list of recognized regulatory authorities for the purposes of these regulations from time to time.
(4) The Controller shall enter into a memorandum of understanding with each recognized regulatory authority mentioned in sub-regulation (3) for the purposes of these regulations.
(5) A memorandum of understanding mentioned in sub-regulation (4) shall remain valid for 5 years from the date of its execution.
(6) The determination of whether a country's laws require a level of reliability at least equivalent to that required for issue of a Digital Signature Certificate under the Act, shall be made with regard to the factors decided by the Controller and shall, inter alia, include:-
(a) financial and human resources, including existence of assets within the country;
(b) trustworthiness of hardware and software systems;
(c) procedures for processing of certificates and applications for certificates and retention of records;
(d) availability of information to subscribers identified in certificates and to potential relying parties; and
(e) regularity and extent of audit by an independent body;
(B) Recognized Foreign Certifying Authority not to issue certificates in India. - Notwithstanding anything contained in these regulations, a Recognized Foreign Certifying Authority shall not issue digital signature certificates to Indian nationals residing in India.
Explanation: For the purposes of these regulations, the term "Indian National" shall include a company, a firm, an association of persons, a body of individuals or a local authority whose registered office or principal place of business is located in India.
(C) Validity of recognition. - (1) A recognition granted under regulation 3(A) shall remain valid unless suspended or revoked, as the case may be, under regulation 3(E).
(2) The recognition granted under these regulations shall not be transferable.
(D) Digital Signature Certificates issued prior to recognition to be invalid. - Where any Foreign Certifying Authority is recognized under these regulations, all digital signature certificates issued by such Certifying Authority prior to such recognition shall be invalid for the purposes of this Act.
(E) Suspension or revocation of recognition. - A recognition granted under regulation 3(A) shall be suspended or revoked if the authorization granted by the appropriate recognized regulatory authority to the Recognized Foreign Certifying Authority for issuance of a Digital Signature Certificate has been suspended or revoked by such regulatory authority.
(F) Renewal of recognition. - (1) The provisions of these regulations shall apply in the case of an application for renewal of recognition as it applies to a fresh application for recognition.
(2) A Recognized Foreign Certifying Authority shall submit an application for the renewal of its recognition not less than forty-five days before the date of expiry of the period of validity of recognition.
(3) The application for renewal of recognition may be submitted in the form of electronic record subject to such requirements as the Controller may deem fit.
(G) Refusal of recognition. - The Controller may refuse to grant or renew a recognition if-
(i) the applicant has not provided the Controller with such information relating to its business, and to any circumstances likely to affect its method of conducting business, as the Controller may require; or
(ii) the applicant is in the course of being wound up or liquidated; or
(iii) a receiver has, or a receiver and manager have been appointed by the court in respect of the applicant; or
(iv) the applicant or any trusted person has been convicted, whether in India or out of India, of an offence the conviction for which involved a finding that it or such trusted person acted fraudulently or dishonestly, or has been convicted of an offence under the Act or these rules; or
(v) an applicant commits breach of, or fails to observe and comply with, the procedures and practices as per the Certification Practice Statement; or
(vi) an applicant fails to comply with the directions of the Controller; or
(vii) the authorization granted to the applicant, to issue a Digital Signature Certificate under laws of a recognized country has been suspended or revoked:
Provided that the reasons for refusal of the recognition may be mentioned.
(H) Requirements Prior to Cessation as recognized Foreign Certifying Authority. - Before ceasing to act as a recognized Foreign Certifying Authority, the recognized Foreign Certifying Authority shall -
(a) give notice to the Controller of its intention to cease acting as a recognized Foreign Certifying Authority:
Provided that the notice shall be made ninety days before ceasing to act as a recognized Foreign Certifying Authority or ninety days before the date of expiry of recognition;
(b) advertise sixty days before the expiry of recognition or ceasing to act as recognized Foreign Certifying Authority, as the case may be, the intention in such daily newspaper or newspapers and in such manner as the Controller may determine;
(c) notify its intention to cease acting as a recognized Foreign Certifying Authority to the subscriber of each unrevoked or unexpired Digital Signature Certificate issued by it:
Provided that the notice shall be given sixty days before ceasing to act as a recognized Foreign Certifying Authority or sixty days before the date of expiry of unrevoked or unexpired Digital Signature Certificate, as the case may be;
(d) the notice shall be sent to the Controller, affected subscribers and Cross Certifying Authorities by digitally signed email and registered post;
(e) revoke all Digital Signature Certificates that remain unrevoked or unexpired at the end of the ninety days notice period, if the subscribers have requested for revocation;
(f) make a reasonable effort to ensure that discontinuing its recognition causes minimal disruption to its subscribers and to persons duly needing to verify digital signatures by reference to the public keys contained in outstanding Digital Signature Certificates;
(g) make reasonable arrangements for preserving the records for a period of seven years;
(h) pay reasonable restitution (not exceeding the cost involved in obtaining the new Digital Signature Certificate) to subscribers for revoking the Digital Signature Certificates before the date of expiry.