Opinion and Proposals in connection with a Draft Act for Amendment and Supplementation of the Electronic Governance Act

TO

MINISTRY OF ELECTRONIC GOVERNANCE OF THE REPUBLIC OF BULGARIA

POSITION AND PROPOSALS

from BESCO

in connection with the Draft Amendment to the Electronic Governance Act


LAW ON AMENDMENT AND SUPPLEMENT TO THE ELECTRONIC GOVERNANCE ACT

(Promulgated SG No. 46 of June 12, 2007, amended SG No. 82 of October 16, 2009, amended SG No. 20 of February 28, 2013, supplemented SG No. 40 of May 13, 2014, amended SG No. 13 of February 16, 2016, amended and supplemented SG No. 38 of May 20, 2016, amended and supplemented SG No. 50 of July 1, 2016, supplemented SG No. 62 of August 9, 2016, supplemented SG No. 98 of December 9, 2016, amended SG No. 88 of October 23, 2018, amended and supplemented SG No. 94 of November 13, 2018, amended and supplemented SG No. 94 of November 29, 2019, supplemented SG No. 102 of December 31, 2019, amended SG No. 69 of August 4, 2020, supplemented SG No. 85 of October 2, 2020, amended and supplemented SG No. 15 of February 22, 2022)


§ 1. In Art. 2, paragraphs 3, 4 and 5 are created:

"(3) A primary data administrator is also a person or organization under Art. 1, para. 2, when a law provides that the data it collects or creates for the first time and amends or deletes must be provided for the purposes of providing an administrative service.

"(4) A central data administrator is a person under Art. 1, para. 1 and 2, who by virtue of law centrally processes data provided by primary data administrators. Central administrators are considered primary administrators with respect to the obligations for data provision.

"(5) The requirement for provision or proof of data by a recipient of an electronic administrative service shall be deemed fulfilled when the provider of the electronic administrative service has collected the data in accordance with para. 1.

Notes:

On § 1. In general, the proposal is appropriate and we support it. At the same time, we identify imperfections in some of the proposals, which we address:

  1. On the proposed new para. 3, there is an imprecisely formulated rule. We propose a new wording.

"(3) A primary data administrator is also a person or organization under Art. 1, para. 2, when the data it collects or creates for a citizen or organization for the first time and amends or deletes such data, is necessary for the provision of an electronic administrative service."

With regard to the scope of the EGA, it covers electronic administrative services. In order for the law to extend its effect and to oblige administrations to collect data also in the case of offline administrative services, it is appropriate to amend another law that systematically contains the rules for limiting administrative regulation and control through the introduction of the principle of single collection and multiple use of data — the Law on Limitation of Administrative Regulation and Administrative Control over Business Activity. Therefore, we propose the following amending provision to be introduced in the Transitional and Final Provisions:

"§ XX. Art. 5, para. 2 of the Law on Administrative Regulation and Administrative Control over Business Activity (Promulgated SG No. 55 of June 17, 2003, corrected SG No. 59 of July 1, 2003, amended SG No. 107 of December 9, 2003, amended SG No. 39 of May 12, 2004, amended SG No. 52 of June 18, 2004, amended SG No. 31 of April 8, 2005, amended SG No. 87 of November 1, 2005, amended SG No. 24 of March 21, 2006, amended SG No. 38 of May 9, 2006, amended SG No. 59 of July 21, 2006, amended SG No. 11 of February 2, 2007, amended SG No. 41 of May 22, 2007, amended SG No. 16 of February 15, 2008, amended SG No. 23 of March 27, 2009, amended SG No. 36 of May 15, 2009, amended SG No. 44 of June 12, 2009, amended SG No. 87 of November 3, 2009, amended SG No. 25 of March 30, 2010, amended SG No. 59 of July 31, 2010, amended SG No. 73 of September 17, 2010, amended SG No. 77 of October 1, 2010, amended SG No. 39 of May 20, 2011, amended SG No. 92 of November 22, 2011, supplemented SG No. 26 of March 30, 2012, amended SG No. 53 of July 13, 2012, amended SG No. 82 of October 26, 2012, amended SG No. 109 of December 20, 2013, amended SG No. 47 of June 26, 2015, amended SG No. 57 of July 28, 2015, supplemented SG No. 103 of December 28, 2017, supplemented SG No. 15 of February 16, 2018, amended SG No. 77 of September 18, 2018, supplemented SG No. 101 of December 7, 2018, amended SG No. 17 of February 26, 2019, amended SG No. 24 of March 22, 2019, supplemented SG No. 83 of October 22, 2019, amended SG No. 101 of December 27, 2019, supplemented SG No. 21 of March 12, 2021, amended SG No. 25 of March 29, 2022) is amended as follows:

(2) The administrative body may not require the provision of information or documents that are available to it, to another body, or to a person under Art. 1, para. 2 of the Electronic Governance Act, but shall obtain them ex officio for the purposes of the respective proceedings."

  1. On the proposed new para. 5. We consider it imprecise. From its reading, one may be left with the incorrect impression that it establishes an irrebuttable presumption that the requirement for provision and proof of data is deemed fulfilled ONLY if the provider of the electronic administrative service has collected the data automatically, from the primary data administrator. In other words, if the provider has not collected them, then the requirement for their provision and proof is considered absent, and therefore the citizen must provide and prove the data under the general procedure. This leaves open the possibility for every state body to excuse itself on the grounds that for some reason it failed to collect the data in compliance with the principle of single collection and multiple use of data and to require citizens and organizations to prove them under the general procedure. We consider that the logic of the current law is different. It establishes an administrative obligation on providers of electronic administrative services to collect data ex officio and non-compliance with this obligation is backed by an administrative sanction. The proposed provision opens a door to non-fulfillment of this administrative obligation and there is no logic in establishing such a provision. Therefore, we propose a refined version of the provision:

"(5) Where a law requires the provision or proof of data by a recipient of an electronic administrative service for the purposes of its provision, this requirement shall be deemed fulfilled if the data have been collected by the provider of the electronic administrative service in accordance with para. 1."

At the same time, we propose a new amending provision also in the general Law on Limitation of Administrative Regulation and Administrative Control over Business Activity.

(New paragraph to the proposal for amendment of LARACBA)

"2. In Art. 5, a new para. 5 is introduced:

(5) Where a law requires the provision or proof of data by a citizen or organization for the purposes of providing an administrative service, this requirement shall be deemed fulfilled if the data have been collected by the administrative body in accordance with Art. 1, para. 1 of the Electronic Governance Act."


§ 2. In Art. 4, the following amendments and supplements are made:

para. 3 is repealed

paragraphs 6 and 7 are created

"(6) Administrative bodies shall have the right to free access to all registers for the purposes of exercising their administrative penal powers."

"(7) A subordinate legislative act may not introduce a requirement to prove a circumstance through the submission of data about a person or object on paper, if the person or object has an identification number and is entered in a register."

On § 2. The proposals reveal significant imperfections:

  • On the repeal of para. 3 — we have no comments;
  • On the proposed new para. 6, we consider it inappropriate because as formulated it means that every administrative penal body will have the right to free and unlimited direct access to all registers maintained by other state bodies. This is dangerous and would seriously threaten the constitutional rights of citizens, as well as directly contradict the General Data Protection Regulation (GDPR). If the administrative penal body has immediate, direct and free access to all registers, there will be no traceability as to whether and which data it accesses, nor what the connection of such access is to a specific administrative proceeding. Even bodies investigating crimes do not have such access, let alone administrative penal bodies. There is a procedure established in the LAAN that determines the rules for how administrative penal bodies may request data about citizens from other bodies. For certain bodies, exceptions exist allowing access to premises and data for the purposes of their powers (e.g. SANS), but such a general rule for all administrative penal bodies is constitutionally impermissible. Beyond the above, such a provision has no systematic place in the EGA, insofar as the subject matter of this law is only the provision of electronic administrative services, and not the procedure for establishing and imposing administrative violations and penalties. In this regard, we propose that paragraph 6 be dropped.

If the intention of the proposer is to establish free access to data collected and processed by primary data administrators, we propose that a new paragraph 3 of Art. 2 be adopted as follows:

"§ XX. In Art. 1, a new para. 3 is added:

(3) The primary data administrator shall provide the data to the persons under para. 1 free of charge."

  • On the proposed para. 7, we understand the logic of the proposer, but in our view this provision would not fulfill its functions because it carries legal uncertainty. First of all, creating a statutory provision that prohibits a subordinate act from contradicting it is legally inconsistent, as this is a basic constitutional principle. Beyond the above, there is no general normative definition of the concept "identification number of an object." For persons, another term is used — unified identifier (§ 1, item 22 of the Supplementary Provisions of the EGA). For other objects, there is no definition of what this concept means, moreover that in different laws it is named in different ways. It may be a registry identifier (when entered under a unique number in a register) or an object identifier (when the object itself has an identifier — e.g. a motor vehicle). Third, the entry of the object may not be in a register but in a database. Not all data on persons and information objects maintained by state bodies are kept in registers. Beyond the above, it should be taken into account that our entire legislation rests on the fact of creating and providing data related to persons, regardless of whether objects or rights owned by them are connected to this. Conversely, requesting data by object may affect the basic rules of the General Data Protection Regulation (e.g. an administrative body requesting data on a car registration number to find out in whose name it is registered). The current EGA model of ex officio collection of data for the needs of a service, concerning a citizen or organization by their unified identifier, is sufficient, because data on any object may be requested insofar as they are linked to a specifically identified person. Due to the great legal uncertainty, this provision should be deleted.


§ 3. In Art. 5, the following amendments and supplements are made:

In para. 2, the words "in accordance with the Electronic Identification Act and/or through means of electronic identification determined by a decision of the Council of Ministers, issued and maintained by administrative bodies" are replaced with the words:

"1. In accordance with the Electronic Identification Act

  1. With a means within notified electronic identification schemes in accordance with Art. 9 of Regulation (EU) No 910/2014
  2. With a means within the scheme under para. 6
  3. With other means determined by the ordinance under Art. 12, para. 4."

In para. 4, the words "Coordinated with the Minister of Electronic Governance" are added at the beginning, and a second sentence is added at the end: "Services for which no level of assurance is specified shall be considered services with a level of assurance 'low'."

A new paragraph 6 is created with the following text:

"(6) The Minister of Electronic Governance creates and maintains an electronic identification scheme with a level of assurance 'high' in accordance with Regulation (EU) No 910/2014."

On § 3. The proposed amendments to Art. 5 are acceptable and timely and we principally support them. Some imperfections are identified, which we propose be taken into account:

  • On the proposed amendments to para. 2:
    • it is necessary to place a semicolon at the end of the sentences of all items;
    • On item 2, the word "means" must be replaced with "means of electronic identification," given the legally established term in Art. 3, para. 2 of Regulation (EU) 910/2014;
    • On item 3, the word "means" must be replaced with "means of electronic identification," given the legally established term in Art. 3, para. 2 of Regulation (EU) 910/2014;
    • The currently proposed item 4 should become item 5, and item 4 should be introduced with the following content: "4. A means of electronic identification with level 'high,' issued within a trust service for electronic identification with national coverage, entered in the Trust List maintained by the Communications Regulation Commission under Art. 22 of Regulation (EU) 910/2014." These services have become widespread in Bulgaria and are used by all market agents in the private sector, including being integrated into the Single Portal for Electronic Governance maintained by the MEG. To leave no doubt as to their legality in accordance with Regulation (EU) 910/2014 and the possibility of their use for the needs of electronic administrative services, they should be explicitly listed in the EGA as a possible method, especially since the Council of Ministers by its Decision No. 634 of 13.08.2021 established them as a prerequisite for notification as national schemes under Art. 9 of Regulation (EU) 910/2014.


§ 4. In Art. 7v, para. 1, a new item "e" is created with the following text:

"e. creation, storage, management and sharing of data"

On § 4. We support the proposal.


§ 5. A new Art. 10a is created with the title "Fees for the provision of electronic administrative services" and the following text:

"Art. 10a. (1) Administrative bodies shall set lower fees for the provision of administrative services in cases where they are provided electronically.

(2) The amount of the reduction shall be determined by the Council of Ministers."

On § 5. We principally support the proposal, but have significant comments on its legality. First of all, it should be borne in mind that state fees cannot be determined by administrative bodies but by a Tariff — a normative act adopted by the Council of Ministers. Municipal fees are determined by the municipal council itself. Under para. 2, for example, the Council of Ministers cannot determine the amount of the reduction in municipal fees for electronic administrative services. Therefore, as a whole, this provision is imprecisely formulated. The reduction should be established in the law. We propose the following wording:

"Art. 10a. State and municipal fees for electronic administrative services shall be collected at a reduced rate of twenty percent. The Council of Ministers may determine for certain electronic administrative services state fees with a higher percentage of reduction, and municipal councils respectively — for local fees."


§ 6. In Art. 13, para. 1, the following amendments and supplements are made:

The current item 10 becomes item 11.

A new item 10 is created with the following text:

"The fee for the provision of the service electronically"

On § 6. We support the proposal.


§ 7. In Art. 22, a new paragraph 6 is created with the following text:

"(6) An application for an administrative service, submitted after the applicant has been identified with a means of identification with a level of assurance equal to or higher than the level of assurance of the service under para. 4, does not require a signature. The integrity of the application is guaranteed by an electronic time stamp within the meaning of Regulation (EU) 910/2014."

On § 7. We principally support the proposal, but have a number of significant comments and proposals. We understand the desire of the proposer to facilitate the use of electronic administrative services by citizens by eliminating the requirement for the use of qualified electronic signatures when submitting electronic administrative service applications. However, the necessary balance must be considered for the protection of the rights and interests of both citizens and the state, as this could lead to very serious consequences threatening the rights and interests of all.

First of all, it is imprecise to stipulate that with the appropriate level of assurance of the electronic identification means, no signature is required. In practice, any data in electronic form that are appended to or logically associated with other data in electronic form and that the holder of the electronic signature uses to identify themselves as the author of a document are called an electronic signature (see Art. 3(10) of Regulation (EU) 910/2014). Therefore, upon identification and submission of an application, we still have an electronic signature, albeit a simple one. However, a more substantial issue should be taken into account. When submitting applications for electronic administrative services, citizens are not simply filling out a form as in an online shop. They are exercising their administrative rights vis-à-vis the state. And this exercise is very often connected with limitation and preclusive periods. The mechanism for exercising these rights in the paper world is not coincidentally linked to the written form of the document, signed with a handwritten signature. This is so that in case of dispute, it can be proven with a high degree of certainty who exactly exercised the rights, what rights they requested to exercise with the application and when. And there are thousands of disputes over administrative service applications annually, insofar as these give rise to the state's obligation to provide some administrative service, and the state often delays and often refuses to provide the service.

With the proposer's proposal, in practice it is proposed that after the applicant has identified themselves with the appropriate level of security (which is the analogue of presenting an identity card), no signature whatsoever on the composed electronic document should be required. In this situation, in case of dispute, any citizen who has submitted an application electronically may contest at least three circumstances, the presence of which in the traditional submission of paper applications is proven by the presence of a signature. Namely, to claim that 1) they did not consent to the statement; 2) this is not their statement; 3) the statement has been altered and this is not the will they expressed. In this situation, the burden of proof falls on the state, which must prove these facts, and this is extremely difficult, in many cases impossible. In the reverse case, where there is delayed or incorrect provision of an administrative service by the state, there is a danger of analogous disputing in proceedings by the administrative body itself. In such a dispute, the need to prove the content of the application and consent to it, from which precisely the obligation of the body to provide the service arose, will fall with even greater weight on citizens, and in a vast number of cases it would be even more difficult or impossible for them to organize and conduct adequate proof. Such a confluence of circumstances would in practice worsen, rather than facilitate, the position of citizens vis-à-vis the state in the provision of administrative services. In this situation, we find it evident that the uncertainty arising from the absence of a signature requirement creates risks in both directions — for the state, when it is in its interest to prove that a specific application was submitted in the form in which it was executed, and for citizens, when it is in their interest to prove that the application was not executed correctly.

With qualified signatures, such uncertainty does not exist. The proof of consent, authorship and content of the signed statement is secured by the technology and by the liability borne by the trust service provider in case a qualified certificate is issued to another person. Moreover, with them, the burden of proof is reversed and it is presumed that the signature belongs to the alleged author, and whoever claims otherwise must prove it in proceedings. For this reason, Regulation (EU) 910/2014 itself, when regulating the use of electronic signatures for public services (Art. 27), addresses the advanced electronic signature as the minimum level of security, and the practice of almost all EU member states is to use the higher level — a qualified signature.

Particularly sensitive is the moment of making applications by business organizations — for applications for large public procurement, for declaring sensitive circumstances and data (personal, health, banking, insurance, business secrets and any other legally protected information). In our view, for the protection of the rights and interests of both the state and citizens and organizations, a higher level of protection and establishment of authorship — through a qualified electronic signature — should be maintained for them. If the state wishes to give impetus to the development of e-governance services, it can simply use the financial mechanisms used in leading countries in this direction, such as Austria and Estonia, by covering the cost of qualified signatures for citizens in cases of signing for the needs of electronic administrative services.

On the other hand, substantial attention should also be paid to the second sentence of the proposal — that the integrity of applications be guaranteed by an electronic time stamp under Regulation (EU) 910/2014. Please note that the legally recognized function of the electronic time stamp is not to guarantee the integrity of the statement, but only the time at which the statement existed (see Art. 3(33) of the Regulation). A domestic legislative act cannot contradict the Regulation and re-regulate the legal effects of the use of a phenomenon regulated by a higher-ranking act. It is also notable that an ordinary electronic time stamp is required, which pursuant to Art. 41(1) of the Regulation does not benefit from a presumption as to the time of existence of the document, and can therefore easily be contested by anyone, and again the burden of proof will fall on the opposing party. Only the qualified electronic time stamp benefits from such a presumption (Art. 41(2) of the Regulation).

In light of the above, we consider that the proposed text would seriously affect the social relations connected with the submission of electronic administrative service applications. On the one hand, it would facilitate citizens at the start of the process, but on the other hand it would threaten both their rights and interests and those of the state, given the extreme difficulty of proving the authorship and time of submitted applications through which administrative rights are exercised.

In this regard, we propose maintaining the logic of the provision while easing the burden for citizens — natural persons, and maintaining qualified electronic signatures for use by businesses. We also propose maintaining the use of qualified electronic signatures when applying for services where the applications contain health, insurance, banking, commercial or other legally protected information:

"(6) An application for an administrative service, submitted after the applicant — a natural person — has been identified with a means of identification with a level of assurance equal to or higher than the level of assurance of the service under para. 4, requires an ordinary electronic signature, and where the application transmits health, insurance, banking, commercial or other legally protected information, a qualified electronic signature is required. The integrity of the application is guaranteed by a qualified electronic time stamp within the meaning of Regulation (EU) 910/2014."


§ 8. In Art. 24a, the current text becomes para. 1 and a new para. 2 is created:

"2. Intermediary services may be provided for remuneration."

On § 8. We support the proposal.


§ 9. In Art. 26, a new para. 6 is created:

"6) Administrative bodies shall indicate in the application forms for administrative services the possibility of service through the Secure Electronic Delivery System."

On § 9. We principally support the proposal.


§ 10. A new Art. 26a is created with the title "Requirements for the Secure Electronic Delivery System":

"Art. 26a. (1) The system under Art. 26, para. 2 shall use at least an electronic time stamp within the meaning of Regulation (EU) 910/2014 for each sent and received message.

(2) At least once every two years, the Minister of Electronic Governance shall commission an audit of the system by a conformity assessment body within the meaning of Art. 2, item 13 of Regulation (EC) No 765/2008 to determine the conformity of the system with the requirements of the standards under Art. 44, item 2 of Regulation (EU) No 910/2014.

(3) The report from the audit performed shall be published on the official website of the Ministry of Electronic Governance after reflecting the recommendations contained therein, but no later than 6 months from the body under para. 2.

(4) The electronic address for delivery in the system under Art. 26, para. 2 shall be the combination of the address of the system and one of the following identifiers:

a) Unified Civil Number

b) Personal Number of a Foreigner

c) Number and type of identity document

d) Unified Identification Code in the Commercial Register and the Register of Non-Profit Legal Entities

e) Unified Identification Code in the BULSTAT Register.

(5) In the system under Art. 26, para. 2, persons may indicate and withdraw their consent for acts, slips, including electronic slips and penal decrees under the procedure of the Law on Administrative Violations and Sanctions to be delivered to them electronically through the same system.

(6) In the system under Art. 26, para. 2, persons may indicate a system for qualified electronic registered mail within the meaning of Regulation (EU) 910/2014. The system under Art. 26, para. 2 shall forward without owing a fee or any other type of payment all messages to the indicated system. The requirements for electronic registered mail systems within the meaning of Regulation (EU) 910/2014, the conditions and the protocol for message exchange shall be determined by the ordinance under Art. 12, para. 4."

On § 10. In principle, some of the proposals in the proposed text are acceptable and we support them; on others we have significant objections.

On para. 1, the proposal is not acceptable. If the system is to be subject to an audit for compliance with the requirements of standard ETSI EN 319 521, the use of an electronic time stamp is not permissible, but only a qualified electronic time stamp.

On para. 2, an audit of the secure delivery system will be unsuccessful if the service is not qualified and the provider (the state) has not undergone a general audit under standards ETSI EN 319 401, ETSI EN 319 411-1, ETSI EN 319 411-1 and ETSI EN 319421.

On para. 3, even if it is theoretically assumed that the state can pass the general audit for a qualified provider and for the secure delivery service, the reports from the audits performed contain confidential information regarding information security and are prohibited from being disclosed to third parties. Their disclosure is an event that significantly compromises information security and leads to revocation of the audit certification.

On para. 4, if the system is to be subject to audit under ETSI EN 319 521, persons cannot be identified in it by the listed identifiers. The infrastructure and scheme of the standard require entirely different models for the identification of persons.

On para. 5, we have no objections.

On para. 6, we principally support the proposal, but have serious reservations about the provision. First of all, with regard to the statutory exemption of the state from paying remuneration to qualified trust service providers, this contradicts the principle of free movement of goods and services and the freedom in the provision of trust services established by Regulation (EU) 910/2014. This is grounds for imposing a sanction on the state for creating barriers to the cross-border use of trust services. The state should bear this cost, just as it pays for other services in the offline and online world, such as sending registered mail or sending an SMS message. Furthermore, regarding the proposal for the state to determine by ordinance the requirements for electronic registered mail systems within the meaning of Regulation (EU) 910/2014, as well as the conditions and protocol for message exchange, this is impermissible for the state to do. The requirements for providers are determined by standards ETSI EN 319 401, ETSI EN 319 411-1, ETSI EN 319 411-1 and ETSI EN 319421, and the exchange protocol is established in standard ETSI EN 319 521.

In connection with the above, we propose the following wording for Art. 26a:

"Art. 26a. (1) The Minister of Electronic Governance shall adopt an ordinance on the requirements for the system under Art. 26, para. 2.

(2) The system under Art. 26, para. 2 shall be subject to a general information security audit once every two years. The Minister of Electronic Governance shall commission an audit of the system by a conformity assessment body within the meaning of Art. 2, item 13 of Regulation (EC) No 765/2008.

(3) The certificate of conformity from the audit performed shall be published on the official website of the Ministry of Electronic Governance.

(4) In addition to the declarations for delivery under Art. 25, para. 2, persons may indicate in the system under Art. 26, para. 2 their consent to have inspection acts, slips, penal decrees and other acts of the administration delivered to them.

(5) In the system under Art. 26, para. 2, persons may indicate delivery through qualified electronic registered mail services provided by qualified trust service providers within the meaning of Regulation (EU) 910/2014. The integration of the system under Art. 26, para. 2 with these services shall be carried out in compliance with the established technological standards therefor, in accordance with Regulation (EU) 910/2014. The costs of sending messages through a qualified electronic registered mail service shall be borne by the provider of electronic administrative services that sent the message."


§ 11. In Art. 32, para. 1, after the words "its information system," a comma and the words "the Secure Electronic Delivery System" are added.

On § 11. We principally support the proposal.


§ 12. In Art. 37, the following amendments are made:

  1. The current text of Art. 37 becomes para. 1.
  2. A new paragraph is created with the following content:

"(2) Administrative acts issued by administrative bodies in electronic form when providing internal electronic administrative services may also be signed only with a qualified electronic seal within the meaning of Regulation (EU) 910/2014. In this case, an electronic signature is not required for the validity of the administrative act."

On § 12. We principally support the proposal.


§ 13. Art. 52a is created with the title "Centralized Register Management System" and the following text:

Art. 52a. (1) The Minister of Electronic Governance creates and maintains a centralized register management system.

(2) Through the system under para. 1, the Minister of Electronic Governance allows the creation and maintenance of registers in electronic form that meet the requirements of this law.

(3) Administrative bodies and persons under Art. 1, para. 2 shall use the system under para. 1:

  1. Free of charge and without limitation on the resources used
  2. Mandatorily for all registers for which they do not have a specialized information system

(4) The procedure for requesting and using a register through the system under para. 1 shall be governed by the ordinance under Art. 12, para. 4."

On § 13. We principally support the proposal.


§ 14. Art. 52b is created with the title "Information Security of Registers" and the following text:

"Art. 52b. (1) The information security requirements for registers maintained by the persons under Art. 2, para. 1 shall be determined by the ordinance under Art. 12, para. 4.

(2) The requirements under para. 1 shall include at minimum requirements for:

  1. fault tolerance
  2. regular creation of backup copies
  3. storage of reliable data for traceability of actions performed
  4. performance of external penetration tests"

On § 14. We principally support the proposal.


§ 15. In Art. 58b, para. 2, at the end are added the words "as well as projects and activities within the scope of Art. 7d, which are planned for implementation without the awarding of a public procurement contract under the procedure of the Public Procurement Act."

On § 15. We principally support the proposal.


§ 16. In § 1 of the Supplementary Provisions, the following amendments and supplements are made:

  • in item 12, after the word "financial," a comma is placed and the word "insurance" is added;
  • in item 27, after the word "cloud," the words "the protected shared information space" are added;
  • in item 31, the words "the identification, authorship and integrity of the person who sends, receives or delivers electronic documents or electronic statements through the system." are replaced with the words "the identification of the person who sends, receives or delivers electronic documents or electronic statements through the system, as well as the authorship and integrity of those documents";
  • in item 35, after the words "which represents by" the words "virtue of" are added, after the word "power of attorney" the words "or contract" are added, and after "and" the words "/or" are added;
  • item 48 is created:

"48. 'Register' is a structured database whose purpose is to store and be a trusted authentic source of data, for which there is a normative basis and a normatively defined procedure for entry, deletion and/or certification of circumstances. Where necessary, the data in the register shall be subject to logical processing.";

  • item 49 is created:

"49. 'Protected shared information space' is a set of network and hardware components with software-defined rights and conditions for access and data exchange, through which a high level of security, availability of provided services, and centralized management of access to internal and external resources are guaranteed, enabling the performance of official duties by employees regardless of the physical location of users."


Transitional and Final Provisions

§ 17. In Art. 518 of the Insurance Code (Promulgated SG No. 102 of December 29, 2015, supplemented SG No. 62 of August 9, 2016, amended and supplemented SG No. 95 of November 29, 2016, supplemented SG No. 103 of December 27, 2016, supplemented SG No. 8 of January 24, 2017, supplemented SG No. 62 of August 1, 2017, amended and supplemented SG No. 63 of August 4, 2017, amended and supplemented SG No. 85 of October 24, 2017, supplemented SG No. 92 of November 17, 2017, amended and supplemented SG No. 95 of November 28, 2017, amended SG No. 103 of December 28, 2017, amended SG No. 7 of January 19, 2018, amended and supplemented SG No. 15 of February 16, 2018, amended SG No. 24 of March 16, 2018, amended SG No. 27 of March 27, 2018, supplemented SG No. 77 of September 18, 2018, amended and supplemented SG No. 101 of December 7, 2018, amended and supplemented SG No. 17 of February 26, 2019, supplemented SG No. 42 of May 28, 2019, amended SG No. 83 of October 22, 2019, supplemented SG No. 26 of March 22, 2020, amended SG No. 64 of July 18, 2020, amended SG No. 21 of March 12, 2021, amended and supplemented SG No. 16 of February 25, 2022, amended and supplemented SG No. 25 of March 29, 2022), a new para. 5 is created:

"(5) The Guarantee Fund is a person performing public functions and a primary data administrator within the meaning of the Electronic Governance Act."

On § 17. We principally support the proposal.


§ 18. In the Law on Administrative Violations and Sanctions (Promulgated SG No. 92 of November 28, 1969, amended SG No. 54 of July 11, 1978, amended SG No. 28 of April 9, 1982, amended SG No. 28 of April 8, 1983, amended SG No. 101 of December 27, 1983, amended SG No. 89 of November 18, 1986, amended SG No. 24 of March 27, 1987, amended SG No. 94 of November 23, 1990, amended SG No. 105 of December 19, 1991, amended SG No. 59 of July 21, 1992, amended SG No. 102 of November 21, 1995, amended SG No. 12 of February 9, 1996, amended SG No. 110 of December 30, 1996, amended SG No. 11 of January 29, 1998, supplemented SG No. 15 of February 6, 1998, amended SG No. 59 of May 26, 1998, supplemented SG No. 85 of July 24, 1998, amended SG No. 89 of August 3, 1998, supplemented SG No. 51 of June 4, 1999, amended SG No. 67 of July 27, 1999, supplemented SG No. 114 of December 30, 1999, amended SG No. 92 of November 10, 2000, amended SG No. 25 of March 8, 2002, amended SG No. 61 of June 21, 2002, amended SG No. 101 of October 29, 2002, supplemented SG No. 96 of October 29, 2004, amended SG No. 39 of May 10, 2005, amended SG No. 79 of October 4, 2005, amended SG No. 30 of April 11, 2006, amended SG No. 33 of April 21, 2006, amended SG No. 69 of August 25, 2006, amended SG No. 108 of December 29, 2006, amended SG No. 51 of June 26, 2007, amended SG No. 59 of July 20, 2007, amended SG No. 97 of November 23, 2007, amended SG No. 12 of February 13, 2009, amended SG No. 27 of April 10, 2009, amended SG No. 32 of April 28, 2009, amended SG No. 10 of February 1, 2011, amended SG No. 33 of April 26, 2011, amended SG No. 39 of May 20, 2011, amended SG No. 60 of August 5, 2011, amended SG No. 77 of October 4, 2011, amended SG No. 19 of March 6, 2012, supplemented SG No. 54 of July 17, 2012, amended SG No. 77 of October 9, 2012, supplemented SG No. 17 of February 21, 2013, supplemented SG No. 98 of November 28, 2014, supplemented SG No. 107 of December 24, 2014, amended and supplemented SG No. 81 of October 20, 2015, amended SG No. 76 of September 30, 2016, supplemented SG No. 101 of December 20, 2016, amended and supplemented SG No. 63 of August 4, 2017, supplemented SG No. 101 of December 19, 2017, amended and supplemented SG No. 20 of March 6, 2018, supplemented SG No. 38 of May 8, 2018, supplemented SG No. 83 of October 22, 2019, supplemented SG No. 94 of November 29, 2019, amended and supplemented SG No. 13 of February 14, 2020, amended and supplemented SG No. 109 of December 22, 2020, amended SG No. 21 of March 12, 2021, amended SG No. 25 of March 29, 2022), the following additions are made:

1. In Art. 40, a new para. 5 is created:

(5) In the cases under para. 4, the act may be drawn up in the absence of the offender under the procedure of Art. 43, paras. 7–10.

We principally support the proposal.

2. In Art. 43, new paragraphs 7, 8, 9 and 10 are created:

"(7) A slip, electronic slip, act for establishing an administrative violation, drawn up in the absence of the offender, or a penal decree shall be delivered under the procedure of Art. 26 of the Electronic Governance Act, if the offender has expressed consent for this under the procedure of Art. 26a, para. 5 of the Electronic Governance Act. After the expiry of the period under Art. 26, para. 3, delivery shall be carried out under the procedure of this law.

(8) A slip, electronic slip and penal decree shall be considered delivered in the event that the offender pays the fine imposed by them.

(9) In cases of prior consent expressed by the offender under the procedure of Art. 26a, para. 5 of the EGA, the administrative body shall create the act for establishing an administrative violation as an electronic document, signed by the drafter and at least one of the witnesses indicated therein through an electronic signature. In the event that a witness does not have an electronic signature, a certified electronic image of a paper document shall be sent to the offender by the administrative body.

(10) The signing of the act by the offender shall be carried out with at minimum an advanced electronic signature, after which the offender shall send it to the sanctioning body through the Secure Electronic Delivery System."

3. In Art. 47, a new para. 3 is created:

"(3) Administrative penal bodies shall use the secure electronic delivery system within the meaning of the Electronic Governance Act."

We principally support the proposal. In para. 9, the word "paper" should be replaced with "written." No normative act uses the term paper or paper-based. On para. 10, we consider that given the enormous number of challenges to acts for issuing violations under the Road Traffic Act, the signature must be qualified only, with time certified by a qualified electronic time stamp. Sending need not be through the Secure Electronic Delivery System — with remote signing technology using a QES, the administrative penal body sends the document signed by it to the offender, and not the other way around.


§ 19. In Art. 169 of the Tax and Social Insurance Procedure Code (Promulgated SG No. 105 of December 29, 2005 [followed by extensive list of amendments and supplements]) a new paragraph 10 is created:

"(10) Obligations paid through the portal under Art. 12, para. 1 of the Electronic Governance Act shall be paid in full as separate entries in the portal for principal, interest and costs."

On § 19. We principally support the proposal.


§ 20. In Art. 45 of the Public Finance Act (Promulgated SG No. 15 of February 15, 2013, amended SG No. 95 of December 8, 2015, amended and supplemented SG No. 43 of June 7, 2016, amended and supplemented SG No. 91 of November 14, 2017, amended and supplemented SG No. 98 of November 17, 2020) new paragraphs 3 and 4 are created:

"(3) The compensation under para. 2 for reduced revenue from fees for certificates under the Civil Registration Act shall be carried out proportionally to the number of persons with a permanent address in the respective municipality for whom ex officio data provisions have been made under the procedure of the Electronic Governance Act. The Minister of Electronic Governance shall provide the Minister of Finance with data on the number of ex officio provisions for each municipality.

(4) The Minister of Finance together with the Minister of Electronic Governance shall determine the methodology for the compensation under para. 3."

On § 20. We principally support the proposal.


§ 21. 1. In Art. 106, para. 1, item 2 of the Civil Registration Act (Promulgated SG No. 67 of July 27, 1999 [followed by extensive list of amendments and supplements]) the words "legally established" are replaced with the words "normatively established."

2. In Art. 106, a new para. 6 is created:

"(6) Data from the ESGRAON shall be provided to state bodies and institutions under the procedure of the Electronic Governance Act for the purposes of administrative proceedings."

On § 21. We principally support the proposal, with one comment. The words "state bodies and institutions" should be replaced with "providers of electronic administrative services."


§ 22. Administrative bodies shall bring the application forms for administrative services into conformity with Art. 26, para. 6 within 6 months of the entry into force of this law.

On § 22. We principally support the proposal.


§ 23. The law shall enter into force from the date of promulgation in the State Gazette, with the exception of Art. 26a, paras. 5 and 6 of paragraph 10 and paragraph 18, which shall enter into force six months after the entry into force of this law, and Art. 3 of paragraph 1, item 1 of paragraph 2 and paragraph 11, which shall enter into force on 01.01.2024.

On § 23. We principally support the proposal.

Why did BESCO create Leadership & Advocacy Academy?

Leadership & Advocacy Academy doesn’t only develop individual participants. For BESCO, it is a long-term investment in a stronger ecosystem - building capacity where it matters most: within the organizations, institutions, and communities that shape the public environment.