on the Activities of Certification-Service-Providers, 
the Terms and Procedures of Termination thereof, and the Requirements for Provision of Certification Services

Adopted pursuant to CMD No. 17 dated 31 January 2002
(Promulgated, SG No. 15 dated 8 February 2002)

Chapter One

Article 1. This Ordinance shall govern:

1. The activities of certification-service-providers and the terms and procedures for termination thereof, including termination of activities of registered certification-service-providers;

2. The requirements regarding the format of certificates issued by certification-service-providers;

3. The requirements regarding storage of information about the services provided by certification-service-providers;

4. The requirements regarding the contents, format and sources in relation to the information disclosed by certification-service-providers;

5. The procedure for supporting of electronic directory by certification-service-providers;

6. The requirements towards bodies referred to in Article 32(2), point 4, of the Law on Electronic Document and Electronic Signature (LEDES), and the terms and procedure for the entry thereof in the list pursuant to Article 32(3) of LEDES.

Article 2. (1) Universal electronic signature certificates may only be issued by providers who are registered with the Communications Regulation Commission pursuant to the procedure as laid down in the Ordinance on Procedure for Registration of Certification-Service-Providers.

(2) The providers may as well provide services for creation of private and public keys for advanced electronic signature in observance of the Ordinance on Requirements to The Algorithms for Advanced Electronic Signature.

Article 3. Any certification-service-provider shall be a person able to perform his obligations under the LEDES and this Ordinance in a financially sound manner, and who is adequately provided with technical equipment and technology.

Chapter Two

Section I
General Requirements Regarding the Activities

Article 4. (1) Any certification-service-provider for issue of advanced electronic signature certificate is obliged to notify forthwith the Communications Regulation Commission about the start of his activities.

(2) Any certification-service-provider for issue of advanced electronic signature certificate may only start his activities following a registration with the Communications Regulation Commission.

Article 5. (1) The scope of activities of any certification-service-provider concerning issue of certificates as provided for in Article 24 of LEDES and supporting of a directory thereof, shall include:

1. Ensuring, by own or another person’s technical and program means and personnel, of the following activities:

a) acceptance of the request, the latter containing accurate and complete data on the signatory and the owner, and specific data about them, in the cases as provided for in the User’s Guide as per Article 33;

b) verification of the data as per point 1(a) above;

c) creation of a certificate on the basis of the identity established and the data validated at acceptance and during verification;

d) supporting of the directory.

2. Performance of the following activities:

a) signing of the certificate;

b) publication of certificate in the directory;

c) management of an issued certificate - entry of changes, suspension, resumption, termination;

d) publication of a list of terminated certificates in the directory.

3. Any certification-service-provider shall give third parties access to the lists of issued and terminated certificates following the requirements laid down in Article 28(2) of LEDES.

(2) The scope of activities of a certification-service-provider may as well include:

1. Creation of key pairs - a private and a public, - for an advanced electronic signature;

2. Providing the customer with a trustworthy electronic-signature-creation environment.

(3) When providing services as per paragraph 2(1) above, the certification-service-provider shall create the key pairs, as well as the other information necessary for electronic-signature-creation, and, after having delivered the private key to the owner/signatory, shall destroy his copy of the private key and the data on its creation with no possibility of their restoration.

(4) It is mandatory for any certification-service-provider, who has issued a universal electronic signature certificate, to provide a service for certification of the date and time of submission of the electronic document signed through such signature.

Article 6. (1) The activities of any certification-service-provider must be organized in such a manner so that the creation of advanced electronic signature and the issue of advanced electronic signature certificate are separated from his other activities.

(2) Any certification-service-provider is obliged to organize the technical divisions in such a manner that the functions which fall within the offering of services under Article 5 are separated, both under normal and under specific operating conditions, the latter being necessarily reflected in document(s), from functions and applications not related to his activities as certification-service-provider.

Article 7. Any provider, who is offering certification-services for an advanced electronic signature, is obliged to take appropriate security measures in conformity with documents representing established international practice (standards, technical specifications, recommendations, guides, etc.).

Article 8. (1) Creation, storage and use of the private key of any registered certification-service-provider shall be performed jointly by at least two employees duly authorized therefor.

(2) The private key of any certification-service-provider shall be archived, stored in an archived form, and shall be restored under the terms as laid down in paragraph (1).

(3) The functions under paragraphs (1) and (2) shall be assigned in writing by the management body of the provider.

Article 9. (1) The physical protection of the private key of any certification-service-provider shall be carried out through establishment of clearly defined perimeters (physical barriers) around the systems for creation and management of certificate. All premises used jointly with other departments or organizations should be outside the major protection perimeter.

(2) Only employees who are duly authorized according to their functional obligations may have physical access to the protected part of premises of any certification-service-provider.

Section II
Requirement Regarding Insurance

Article 10. The certification-service-provider’s liability under Article 29 of LEDES shall be the subject of such provider’s mandatory insurance.

Article 11. The certification-service-provider’s mandatory insurance shall cover his liability for such personal injuries and injuries to property of the owner of advanced or universal electronic signature, or of any third party, for which the insured persons are liable according to the Bulgarian laws or the laws of the country where such injury is caused.

Article 12. The liability limitations as regards the insurer under the mandatory insurance may not exceed the liability limitations as regards the certification-service-provider.

Article 13. Any certification-service-provider is obliged to execute a mandatory insurance contract before the insurable interest has occurred.

Article 14. (1) Any certification-service-provider is obliged to hold an insurance policy for the following minimum insurance amounts:

1. BGN 100 000 for each person injured in any of the events - for providers issuing only certificates where the signature’s effect is limited up to a certain proprietary interest;

2. BGN 500 000 for each person injured in any of the events - for providers issuing certificates with no limitations as to the signature’s effect;

3. BGN 600 000 for each person injured in any of the events - for providers issuing universal electronic signature certificates.

(2) The insurers may offer voluntary insurance policies for insurance amounts above those laid down in paragraph (1).

(3) Where the voluntary insurance policy, executed under the terms herein, covers amounts exceeding the minimum ones as laid down in paragraph (1), the mandatory insurance shall be deemed to have been included in it.

Article 15. (1) The insurance premium shall be paid as a lump-sum, unless otherwise is provided for in the insurance policy.

(2) If the payment is to be made in installments, and in case of delay in the payment of the premium installments, the insurance shall be terminated by 05:00 P.M. on the due date, and the insurer shall notify the Communications Regulation Commission thereof. This circumstance should be pointed out in the insurance policy. If the installment is paid, the insurance shall be resumed at midnight of the day following the day of payment.

Article 16. (1) In case of an insurance event whereby injuries have been caused, the insured person is obliged to notify the insurer in writing within 7 days about the event. Such notification may be made by the injured person as well.

(2) In case an action is brought against the insured person for proving the event and the insured person’s liability, as well as the amount of damages, the insured person is obliged to ask for the insurer’s joinder in the proceeding.

Article 17. Any agreement between insured and injured persons regarding the amount of compensation is binding upon the insurer only if it has been approved by the latter.

Article 18. The insurer may file an indemnification statement in the cases where the injury has been willfully caused by the insured person.

Article 19. Any compensation under mandatory insurance shall be determined and paid by the insurer within 15 days after the insured or the injured person has submitted the documents whereby the event and the amount of damages have been established.

Article 20. Any rights under mandatory insurance shall extinguish after 5-year limitation period from the date of occurrence of the insurance event.

Section III
Requirement Regarding Available Funds

Article 21. (1) Any certification-service-provider is obliged, while performing his activities, to dispose of technical equipment and technologies which meet the requirements as laid down in Article 28, and the balance-sheet value of which is not less than BGN 150 000 at the date of drawing of the annual financial statements.

(2) Any certification-service-provider is obliged, when drawing his annual financial statements, to make a list of the assets, meeting the requirements as laid down in Article 28, to be submitted as an annex to the accounting balance sheet.

(3) Any certification-service-provider shall dispose of cash on hand or on a bank account to an amount not less than BGN 20 000 at any time during the performance of his activities.

(4) The Communications Regulation Commission may at any time examine the condition of the available funds as per paragraph (3) of any certification-service-provider.

Section IV
Requirements Regarding the Hired Personnel

Article 22. (1) Any certification-service-provider is obliged, depending on the scope of his activities under Article 5, to dispose of such number of qualified employees as is needed to ensure the fulfillment of his obligations at any time of performance of his activities.

(2) The technical personnel of any certification-service-provider should possess professional knowledge at least in the following fields:

1. Security technologies, cryptography, public key infrastructure (PKI);

2. Technical norms for security evaluation;

3. Information systems.

Article 23. (1) Any certification-service-provider shall prepare job descriptions in relation to his personnel at the start of his activities.

(2) The occupations of personnel of any certification-service-provider shall include:

1. Security administrator, responsible for determining and administering the security systems and security rules concerning the entire system, including for approving the creation and termination of the certificates’ effect;

2. System administrator, responsible for installing, configuring and managing the public key infrastructure, and for registering and creating the certificates;

3. System operator, responsible for the everyday work of the system, who shall perform regular procedures in terms of archiving, backup and restoration;

4. System surveyors responsible for managing the archives and files, which contain data on registered actions and functions performed within the provider’s system.

(3) The occupations as per paragraph (2) shall be taken by different persons.

Section V
Requirements Regarding the Technical Equipment and Technologies

Article 24. Any certification-service-provider should ensure and employ procedures and methods for administering and managing the security of the used infrastructure, which are in conformity with the standards on information security management having been generally recognized in the international practice.

Article 25. (1) The trustworthiness of the system used, and the technical and cryptographic security of the processes performed through it, are deemed ensured if the technical equipment and the technologies at disposal of the certification-service-provider have passed successful tests and checks.

(2) The evaluation methods concerning the security of the system used shall be based on the Common Evaluation Methodology (CEM) elaborated for ISO Standard 15408, or on such other methods capable of ensuring an equivalent security evaluation.

(3) Any system and technical devices used by certification-service-provider for providing services for the creation, signing, storage and management of certificates, must be designed and used solely for that purpose.

(4) The checks and tests as provided for in paragraph (1) shall be made every 3 years or in the case of any change affecting the trustworthiness.

Article 26. The creation, storage and use of the private key of any certification-service-provider shall be carried out within a system whose protection profile is determined in conformity with the Common Criteria (CC), at assurance level EAL 3 or higher, according to ISO Standard 15408, or such other specification capable of determining equivalent levels of security.

Article 27. (1) Any certification-service-provider is obliged to keep documents concerning the current condition of the technical equipment and technologies used by him.

(2) Any non-observance of the obligation under paragraph (1) shall be deemed a violation of the security requirements.

Article 28. (1) Any certification-service-provider shall use technical equipment and technologies, through which at least the following functions shall be performed in the system employed by him:

1. Checks for proving the origin of the received and exchanged information, related to the creation and management of certificates;

2. Check as to the integrity of the exchanged messages;

3. Signing of the sent messages;

4. Archiving of the working information and their electronic signing;

5. Keeping the integrity of data stored and exchanged, including the used cryptographic keys;

6. Secure storage of the private keys used by certification-service-provider;

7. Management of access to information resources (data on creation of provider’s signature, the advanced signature certificate, the list of terminated certificates, the official documents stored);

8. Creation and archiving of records of internal audits concerning critical situations arisen in relation to the information security.

(2) Any certification-service-provider may as well perform the following functions through the technical equipment and technologies used:

1. Check of the advanced electronic signature pursuant to Article 17(2) of LEDES according to the requirements in the CEN/ISSS technical specifications for electronic signatures;

2. Supporting of an on-line certificate status protocol (OCSP);

3. Check as to the presence of a unique distinguished name (DName) in the advanced electronic signature certificate;

4. Storage and use of his private key at a high level of security through the use of a smart card with a password or a personal identification number (PIN), and/or a biometric identifier.

Article 29. (1) In the cases where the certification-service-provider is offering also the service for creation of key pairs, he is obliged to use a secure-signature-creation-device (SSCD) with a protection profile according to Article 26.

(2) It is mandatory that the algorithms, and parameters thereof, as established and supported by the secure electronic-signature-creation-device, comply with:

1. The protection profile as per paragraph (1);

2. The requirements towards the system environment related to the signature generation;

3. The requirements, encompassing the environment, for verifying the advanced electronic signature (the products used in such verification, and their management).

(3) The formats for advanced electronic signature should comply with generally recognized specifications such as RFC 2315 (PKCS#7).

Section VI
Supporting of Required Documentation, Relating to the Activities

Article 30. (1) Any certification-service-provider is obliged to reflect in the documents drawn and kept by him the basic principles, according to which his activities are being performed.

(2) The purpose of the documents as per paragraph (1) is:

1. To establish the conformity of the provider with the requirements under LEDES, and the trustworthiness and security of activities performed by him, and

2. To make the services provided by the provider public to the consumers.

Article 31. “Certificate Policy” shall be a document to describe the policy of issuing certificates by the provider and the types of services provided by him.

Article 32. (1) “Certification Practice Statement” shall be a document drawn in conformity with the policy requirements as per Article 31 and the procedures as per Article 34, which should necessarily contain a description in detail of the accomplishment of:

1. Security measures while providing services;

2. Issue, suspension, resumption and termination of the effect of certificates;

3. Granted access to the certificates.

(2) The practices under paragraph (1) shall be drawn according to the generally recognized international specification RFC 2527 or any other equivalent document, and shall at the least contain:

1. Name of the provider and his personal number or BULSTAT code, and number as per the national taxation register;

2. Seat and address of the provider or his branch, where his activities as provider are to be performed;

3. Description of the scope and applicability of the services offered, and the policies supported;

4. Rules and procedures to be followed while issuing and managing, suspending and terminating the effect of advanced electronic signature certificates, including the documents necessary for the acceptance and verification of the request as per Article 5(1), point 1, and those to be stored by the provider depending on the applied for service;

5. Identifiers of the supported algorithms for electronic signature and data protection;

6. Period of the certificate’s effect;

7. Description in detail of the format (of the separate fields, extensions inclusive) of the certificates issued;

8. Technology of creation, verification, suspension and termination of the certificate’s effect;

9. Description of obligations of the provider, of any outside person (if any) participating in the activities under Article 5, as well as the obligations of the signatory and the owner of the electronic signature.

Article 33. (1) The documents under Articles 31 and 32 shall be public and shall be incorporated in the User’s Guide.

(2) The User’s Guide shall have the meaning of general terms and shall be binding upon its issuer. The Guide shall be submitted to the Communications Regulation Commission for its approval according to Article 32(1), point 2, of LEDES.

(3) Any amendment to the User’s Guide shall be submitted to the Communications Regulation Commission and, after its approval, shall be reflected and notified to the interested parties.

Article 34. (1) It is obligatory that the security procedures correspond to the generally recognized international standards of information security and the management thereof.

(2) The security procedures shall comprise of at least:

1. Management security measures;

2. Information security measures;

3. Available funds and insurance policies;

4. Requirements as to the reliability of personnel;

5. Measures ensuring the protection of and the limitation of access to separate devices and premises, including the measures under Article 9;

6. Measures ensuring protection against unauthorized access to the information systems;

7. Measures ensuring protection against unauthorized changes.

Article 35. (1) The security procedures are not public. Only the Communications Regulation Commission and its employees, while performing supervisory functions, may have access to them.

(2) The security procedures are subject to approval by the Communications Regulation Commission according to Article 32(1), point 2, of LEDES.

Article 36. The relationships between the certification-service-provider and the owner shall be governed by a written contract, which shall incorporate the general terms and shall provide at least for:

1. The type and description of services;

2. Time-period for their provision;

3. Prices per services;

4. Specific conditions.

Section VII
Procedure for Supporting and Storage of Electronic Directory of Certificates

Article 37. (1) Any certification-service-provider is obliged to support an electronic directory, accessible via X.500 or LDAP, of the certificates issued by him.

(2) The directory as per paragraph (1) shall as well contain the certificate of the provider’s electronic signature, and the information as per Article 28(3) of LEDES.

Article 38. Any certification-service-provider shall support a separate list of the terminated certificates.

Article 39. The updating of the lists of current and terminated certificates must be done automatically, or at least every three hours.

Article 40. The directory must be preserved in a manner so that:

1. Data are entered only by the duly authorized employees;

2. Any alteration of the data is rendered impossible;

3. Any possibility of an unauthorized interference is reduced to the minimum.

Section VIII
Termination of Activities

Article 41. (1) Any certification-service-provider who would like to terminate his activities is obliged to notify his intention to do so to the Communications Regulation Commission and to his customers 4 months before such termination at the latest.

(2) Notwithstanding the requirement under paragraph (1), any registered certification-service-provider is obliged to notify forthwith the Communications Regulation Commission in case an action is brought for declaring of bankruptcy, or for declaring the company’s invalidity, or for any other claim for winding-up or initiation of liquidation procedure.

Article 42. Any certification-service-provider is obliged, before the termination of his activities, to ensure the effect of certificates issued by him. To that end, the provider is obliged to notify in writing the Communications Regulation Commission and his consumers whether another provider will take up the certificates, and to notify his name, by the time of termination of his activities at the latest.

Article 43. (1) Any certification-service-provider is obliged, at the termination of his activities, to transfer the certificates to another provider or to terminate them.

(2) A registered certification-service-provider may transfer the certificates only to another registered provider.

Article 44. (1) Any registered certification-service-provider is obliged to submit all documents concerning his activities under Article 5(1) to the registered provider to whom he has transferred his activities.

(2) In the case where a registered provider has not transferred his activities to another registered provider, such provider shall terminate the effect of certificates and shall submit the documents as per paragraph (1) to the Communications Regulation Commission immediately after the termination of his activities. The Communications Regulation Commission shall support a register of terminated certificates of any certification-service-provider who has terminated his activities.

Article 45. Any certification-service-provider, who has taken up the certificates of a provider, where the latter has terminated his activities, is obliged to maintain such certificates for free for the owner until the end of their term of effect and at the conditions, at which they have been issued.

Chapter Three

Article 46. (1) Any advanced electronic signature certificate in a computerized form is an electronic document in the format as described in specifications generally recognized in the international practice, such format using a standard abstract language for its description, and a standard binary encoding.

(2) The format of certificates as per paragraph (1) should be recognized as an official common format in the international practice, to enable an interoperability of various certification-service-providers.

(3) The Communications Regulation Commission shall support and publish a list of international specifications in force as per paragraph (1).

Article 47. (1) It is mandatory that the format of any advanced electronic signature certificate allows for extensions specified by the certification-service-provider, which contain specific semantic components or limitations in conformity with the adopted certificate profile, peculiar to the applications used by the provider in the public key infrastructure.

(2) An X.509 (v.2, v.3, v.4)-based format using the abstract ASN.1 (Abstract Syntax Notation One) language may be used as a format of advanced electronic signature certificate.

Article 48. In case wireless services are provided, the certification-service-provider shall use a certificate management system (CMS) which is capable of supporting the publication and search of such certificates in the WTLS (Wireless Transport Layer Security) wireless format used by WAP (Wireless Application Protocol) servers, or in any such format capable of providing equal opportunities.

Chapter Four

Article 49. (1) Any certification-service-provider shall support a data base where the information on his activities relating to the provision of certification services shall be stored.

(2) In case of exchange of key pairs, their encoding in the data base used for their management shall be carried out in the X.509 or PKCS#8 format, or in any other standard format capable of providing equal opportunities.

Article 50. (1) It is obligatory that any data base as per Article 49 contains:

1. The documents provided for in Chapter Two, Section VI;

2. The data on creation and verification of the advanced electronic signature of the provider (the public and the private keys), where:

a) such data should be reflected in documents and stored together;

b) the data on creation of an advanced electronic signature should be stored in a manner excluding the possibility that they become known.

3. The correspondence between the provider and the customer related to the activities pursuant to Article 5;

4. Information about any internal inspections, where any record shall:

a) contain the number and description of the event, date and time of its occurrence, level of strictness of the verification, identifier of the consumer who has caused the event, and the result;

b) ensure possibility for timely establishment of changes made in it;

c) ensure search option per periods.

(2) Only explicitly nominated employees of the provider may have an access to the information under paragraph 1(4) above.
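One way of storing the records of Article 50(1), point 4, so that the contents of point 4(a), the change detection of point 4(b) and the search per period of point 4(c) are all covered, given here as an added example that is not part of the Ordinance or of any provider's system. It assumes a SHA-256 hash chain whose head digest is kept by a separate role (the system surveyor of Article 23); the field names, the severity scale and the sample events are constructed for the example.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # prev_hash carried by the first record of the chain


@dataclass(frozen=True)
class AuditRecord:
    """One internal-inspection record with the contents required by point 4(a)."""
    number: int          # sequential number of the event
    description: str     # description of the event
    occurred_at: str     # date and time of occurrence, ISO 8601 in UTC
    severity: str        # "level of strictness of the verification"; assumed scale INFO/WARNING/CRITICAL
    actor: str           # identifier of the consumer (or employee) who caused the event
    result: str          # result of the event; assumed values SUCCESS/FAILURE
    prev_hash: str       # SHA-256 digest of the previous record, linking the chain

    def digest(self) -> str:
        # Canonical JSON so that identical content always hashes to the same value
        payload = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only store: editing an earlier record breaks the prev_hash link of the next one."""

    def __init__(self) -> None:
        self.records: List[AuditRecord] = []

    def head(self) -> str:
        """Digest of the newest record. A copy kept outside the system (assumed here to be
        held by the system surveyor of Article 23) is the trusted anchor for verify()."""
        return self.records[-1].digest() if self.records else GENESIS_HASH

    def append(self, description: str, occurred_at: datetime, severity: str,
               actor: str, result: str) -> AuditRecord:
        rec = AuditRecord(
            number=len(self.records) + 1,
            description=description,
            occurred_at=occurred_at.astimezone(timezone.utc).isoformat(),
            severity=severity,
            actor=actor,
            result=result,
            prev_hash=self.head(),
        )
        self.records.append(rec)
        return rec

    def verify(self, trusted_head: str) -> Optional[int]:
        """Point 4(b): None when every link holds and the chain ends at trusted_head;
        otherwise the number of the first record at which the chain no longer links
        (the altered record is that one or its predecessor)."""
        prev = GENESIS_HASH
        for rec in self.records:
            if rec.prev_hash != prev:
                return rec.number
            prev = rec.digest()
        return None if prev == trusted_head else len(self.records)

    def search(self, start: datetime, end: datetime) -> List[AuditRecord]:
        """Point 4(c): records whose time of occurrence lies within [start, end]."""
        return [r for r in self.records
                if start <= datetime.fromisoformat(r.occurred_at) <= end]


def numbers_in_period(log: AuditLog, start_iso: str, end_iso: str) -> List[int]:
    """Event numbers returned by search() for a period given as two ISO 8601 timestamps."""
    return [r.number for r in log.search(datetime.fromisoformat(start_iso),
                                         datetime.fromisoformat(end_iso))]


def build_sample_log() -> Tuple[AuditLog, str]:
    """Constructed sample of three events; the returned head is what the surveyor would keep."""
    log = AuditLog()
    t0 = datetime(2002, 2, 8, 9, 0, tzinfo=timezone.utc)
    log.append("certificate issued", t0, "INFO", "sysadmin-01", "SUCCESS")
    log.append("certificate suspension approved", t0 + timedelta(hours=1),
               "WARNING", "secadmin-02", "SUCCESS")
    log.append("failed login to certificate management console",
               t0 + timedelta(hours=2), "CRITICAL", "unknown", "FAILURE")
    return log, log.head()


def tamper_with_record(log: AuditLog, number: int, **changes) -> None:
    """Simulate an after-the-fact edit of a stored record, which verify() must detect."""
    log.records[number - 1] = replace(log.records[number - 1], **changes)


if __name__ == "__main__":
    log, head = build_sample_log()
    print("chain intact:", log.verify(head) is None)
    tamper_with_record(log, 2, severity="INFO")
    print("first broken link after editing record 2:", log.verify(head))
```

Because the trusted head lives with a person other than the one who operates the log, an insider who rewrites a record and every digest after it still cannot make verify() pass.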

Chapter Five

Article 51. (1) The Communications Regulation Commission shall designate the bodies whose verification of the observance by the certification-service-providers of the requirements as laid down in Article 7 and Article 21(1) of LEDES shall be recognized as the valid one, and shall enlist such designated bodies in public lists of verifiers.

(2) There is no limitation as to the number of bodies enlisted pursuant to paragraph (1).

Article 52. (1) The Communications Regulation Commission shall enlist, pursuant to Article 51, any body able to prove his ability to perform verification functions through the fulfillment of requirements as set forth in documents recognized in the international practice (standards, recommendations, guides, technical specifications, etc.).

(2) Any bodies as per paragraph (1) shall meet the following general requirements:

1. The designated bodies and their personnel must not engage in any activities that may conflict with their independence when making verifications;

2. The bodies must be financially sound and independent;

3. The bodies must ensure complete transparency of the activities performed by them, and must record any essential information relating to these activities;

4. The bodies must dispose of personnel and facilities necessary for the correct and effective performance of their technical and administrative activities;

5. The personnel responsible for the verifications must have:

a) the necessary technical and professional training, including in the fields of electronic signature technologies and security of the information technologies and systems relating to such signature;

b) the necessary knowledge and experience in the field of the verifications they carry out.

6. The bodies must be able to meet their obligations stemming from their activities, including through insurance;

7. The bodies must ensure the confidentiality of the information received.

(3) Any designated body may authorize another person(s) to carry out a partial or entire verification, the former being responsible for the results of the activity of the latter.

Article 53. The Communications Regulation Commission shall publish and maintain lists of the documents as per Article 52(1) as well.


§ 1.   Within the meaning of this Ordinance: 

1. “Security” is a system feature, which is the result of the following goals: confidentiality, accountability, integrity, accessibility and assurance.

2. “Confidentiality” means that the storage data, as well as the processed and transmitted data, are not subject, to a certain extent, to an unauthorized or accidental access and reproduction.

3. “Accountability” means that any actions of a certain entity may be performed solely by this unit.

4. “Integrity” of a system or data means that the technical devices and technologies are protected to the appropriate extent against unauthorized access and change.

5. “Accessibility” means that the requirements for protection against unauthorized or accidental deletion of data, or for denial of service, are met in relation to a certain application.

6. “Assurance” is the confidence that the remaining four goals of the security are achieved.

7. “Level of security” is the rate within the hierarchical security classification indicating the susceptibility of a given entity to any violation of the security goals.

8. “Biometrical identification means” are means for identification of persons through specific attributes reflecting their unique personal traits, such as fingerprints, a photograph of the eye’s capillaries, or a voice print.

9. “Public Key Infrastructure” (PKI) is the combination of hardware, software, personnel and documents as per Chapter Two, Section VI, necessary for the issue, management and termination of electronic signature certificates.

10. “Certificate’s profile (dossier)” is a specific document which differs from a standard specification of the certificate (such as the X.509 specification of ITU-T in its 1st through 4th versions) in that it defines specific limitations (part of which in fact define the requirements towards the certificate’s format) on combinations of conditions, actions, etc., which may or may not exist in the different types of certificates used by various countries, organizations, regions, etc.

11. “X.500 Recommendations” is a series of standard recommendations of ITU, which specify the directory services protocol.

12. “Directory Access Protocol” (DAP) is the protocol used for achieving the access to the directory information.

13. “Lightweight Directory Access Protocol” (LDAP) is an Internet standard for common (simple) directories, representing a global model of directory services and being based on the TCP/IP protocol. It is defined in the IETF RFC 1777 “The Lightweight Directory Access Protocol” standard.

14. “Standards of the ASN.1 abstract language” (Abstract Syntax Notation One) is a series of international standards, published jointly by ISO, IEC and ITU, divided into two groups. The first one contains the ITU X.680-X.683 (ISO/IEC 8824-1 through 8824-4) specifications of the abstract language. The second one contains the encoding specifications of such language - ITU X.690 (ISO/IEC 8825-1) for BER (Basic Encoding Rules), DER (Distinguished Encoding Rules) and CER (Canonical Encoding Rules), and ITU X.691 (ISO/IEC 8825-2) for PER (Packed Encoding Rules).

15. “Secure-signature-creation-device” is an electronic-signature-creation device which meets the requirements as laid down in Article 17 (1) of LEDES.

16. “Signature verification data” are data such as codes and public cryptographic keys used for electronic signature verification.

17. “Signature verification device” is a configured software or hardware, used to implement the signature verification data.

18. “Personal identification number” (PIN) is a series of symbols used for identifying the holder of the identification means.


§ 2.   The control on the implementation of this Ordinance is conferred upon the Communications Regulation Commission.

§ 3.   This Ordinance is adopted pursuant to Articles 21(2), 28(4), 32(4) and 37(3) of LEDES.