Statute Details
- Title: Electronic Transactions (Certification Authority) Regulations 2010
- Act Code: ETA2010-RG1
- Legislative Type: Subsidiary legislation (SL)
- Authorising Act: Electronic Transactions Act 2010 (the legislation extract cites sections 22, 36 and 38 as the authorising provisions)
- Current Version: 2025 Revised Edition (2 June 2025); status shown as current as at 27 March 2026
- Commencement: 1 November 2010 (as shown in the legislative history)
- Parts: Part 1 (Preliminary) to Part 9 (Administration), plus a Schedule
- Key Provisions (from extract): Section 2 (Definitions); Parts 2–9 cover accreditation (including refusal, cancellation and suspension), accreditation requirements, conduct of business, repository requirements, the accreditation mark, application to public agencies, and administration
- Schedule: Accreditation Mark for Accredited Certification Authorities
What Is This Legislation About?
The Electronic Transactions (Certification Authority) Regulations 2010 (“CA Regulations”) set out the regulatory framework for certification authorities (“CAs”) that issue digital certificates used in electronic transactions. In practical terms, the Regulations operationalise trust: they define how a CA must be accredited, what standards it must meet, and what governance and security controls it must maintain to ensure that certificates are reliable and that the public can place confidence in electronic signatures and related cryptographic credentials.
Digital certificates are the backbone of many secure online interactions—such as authentication, signing, and establishing trust in communications. However, certificates are only as trustworthy as the CA that issues them. The CA Regulations therefore impose detailed obligations on accredited CAs, including requirements for record keeping, transaction logs, certificate lifecycle management (issuance, renewal, suspension, revocation, and expiry), confidentiality, incident handling, and secure signature practices.
The Regulations also address the regulator’s oversight role. They provide mechanisms for refusing accreditation, cancelling or suspending accreditation, conducting inquiries into misconduct, and enabling appeals. In addition, they cover operational requirements such as repository availability (general and specific purpose repositories) and the proper use of an accreditation mark. For practitioners, the CA Regulations are best understood as a compliance and governance blueprint for CA operations, backed by enforcement provisions.
What Are the Key Provisions?
1) Accreditation and ongoing regulatory status (Parts 2 and 3). The Regulations establish a structured accreditation process. Part 2 addresses applications for accreditation and renewal. Part 3 then governs what happens when accreditation is refused, cancelled, or suspended. These provisions matter because accreditation status directly affects whether a CA can lawfully operate as an “accredited certification authority” and whether its certificates can be relied upon in regulated contexts.
From a legal risk perspective, Parts 2 and 3 are critical because they define the regulator’s discretion and the CA’s exposure to adverse outcomes. For example, where allegations of misconduct arise, the Regulations provide for an inquiry process. The “effect” of cancellation or suspension is also addressed, which is particularly important for subscribers and relying parties who may need to manage certificate validity and trust decisions when a CA’s accreditation status changes.
2) Accreditation requirements: governance, personnel, and documentation (Part 4). Part 4 sets baseline requirements for an applicant CA. These include requirements relating to business structure, personnel, and the certification practice statement (“CPS”). The CPS is a central compliance document: it describes how the CA will issue, manage, and revoke certificates, and how it will handle identity verification and related operational controls. Practitioners should treat the CPS not as marketing material but as a binding operational and compliance instrument that must be maintained and kept current.
3) Conduct of business by accredited CAs: security, lifecycle controls, and audit readiness (Part 5). Part 5 is the operational core of the Regulations. It requires “trustworthy record keeping and archival” and mandates “trustworthy transaction logs.” These obligations support evidentiary integrity—e.g., demonstrating what the CA did, when it did it, and why. In disputes, regulator inquiries, or incident investigations, these records and logs are often the difference between defensible compliance and regulatory findings of failure.
Part 5 also addresses certificate lifecycle management in detail. It covers the types of certificates a CA may issue, issuance processes, renewal, suspension, revocation, and expiry dates. The Regulations further require maintenance of the CPS, secure digital signature practices, and compliance audit readiness (including a “Compliance Audit Checklist”). For a practitioner advising a CA, this means that internal controls must be designed to meet both the substantive requirements (e.g., secure signature generation) and the procedural requirements (e.g., auditability and checklist compliance).
4) Incident handling and confidentiality (Part 5). The Regulations include obligations for incident handling and confidentiality. Incident handling is particularly important in the CA context because security events—such as compromise of private keys, failures in identity verification, or system outages—can undermine certificate trust. Confidentiality obligations protect subscriber information and sensitive operational details. Together, these provisions require a CA to balance transparency and accountability (for compliance and audit) with protection of confidential data.
5) Repository requirements (Part 6). Part 6 requires CAs to maintain repositories. The Regulations distinguish between a “general purpose repository” and a “specific purpose repository.” Repositories are where certificate-related information is made available to relying parties and subscribers (for example, certificate status information and related notices). This is a practical trust mechanism: if a relying party cannot access timely and accurate information, the value of certificates is reduced even if the CA’s internal controls are strong.
6) Accreditation mark and public agency application (Parts 7 and 8). Part 7 governs the use of the accreditation mark. This is not merely branding; it is a legal compliance requirement that helps prevent misleading representations about accreditation status. Part 8 addresses applications to public agencies, which is relevant where government bodies may rely on certificates or where accreditation status affects eligibility to provide services in public-sector contexts.
7) Administration: waiver, disclosure, discontinuation, audit, penalties, and composition (Part 9). Part 9 provides the enforcement and administrative machinery. It includes provisions on waiver (where applicable), disclosure obligations, discontinuation of operations of an accredited CA, audit powers, penalties, and composition of offences. For practitioners, these provisions are essential for advising on regulatory exposure and for planning exit strategies. Discontinuation provisions are particularly important for continuity of trust: if a CA ceases operations, relying parties need clarity on what happens to certificates, repositories, and records.
How Is This Legislation Structured?
The CA Regulations are organised into nine Parts plus a Schedule. Part 1 contains preliminary matters, including the citation and definitions. Part 2 covers accreditation applications, and Part 3 covers refusal, cancellation, suspension, inquiry into misconduct, effects of adverse accreditation decisions, and appeals. Part 4 sets accreditation requirements (business structure, personnel, and CPS). Part 5 imposes detailed conduct-of-business obligations on accredited CAs, including record keeping, transaction logs, certificate lifecycle management, secure digital signatures, audit readiness, incident handling, confidentiality, and change in management. Part 6 addresses repository requirements. Part 7 regulates use of the accreditation mark. Part 8 deals with applications to public agencies. Part 9 provides administrative and enforcement provisions, including audit and penalties. The Schedule specifies the accreditation mark itself.
Who Does This Legislation Apply To?
The CA Regulations apply primarily to certification authorities that seek accreditation or that are already accredited under the Regulations. In other words, the obligations are directed at entities performing CA functions—particularly those that issue, renew, suspend, revoke, and manage certificates in a regulated environment.
The Regulations also indirectly affect subscribers and relying parties, because certificate trust depends on CA compliance. While the Regulations’ direct duties are imposed on accredited CAs, subscribers and relying parties benefit from the compliance framework—especially the repository and certificate lifecycle provisions that support informed reliance. Additionally, “trusted persons” are defined in the Regulations, indicating that compliance obligations extend beyond corporate entities to individuals with direct responsibilities for CA operations, security, performance, and key management functions.
Why Is This Legislation Important?
The CA Regulations are important because they translate the abstract concept of “trust” into enforceable operational requirements. For legal practitioners, the Regulations provide the compliance standards that can be referenced in disputes, regulatory investigations, and contract negotiations. When a certificate-related incident occurs—such as an alleged wrongful issuance, failure to revoke, or compromise of private keys—these Regulations help determine whether the CA acted in accordance with required processes and security controls.
From an enforcement perspective, the Regulations create a regulatory pathway for oversight: accreditation can be refused, cancelled, or suspended; misconduct can trigger inquiries; and audits and penalties can follow. This means that CA governance is not optional. A CA’s internal policies, technical controls, and documentation practices must be aligned with the Regulations to reduce the risk of adverse regulatory action and to support defensibility if challenged.
Practically, the Regulations also influence how CAs structure their operations and documentation. The CPS, record keeping, transaction logs, incident handling procedures, and repository maintenance are recurring themes that affect day-to-day operations. For practitioners advising CAs, the key takeaway is that compliance is holistic: it spans people (personnel and “trusted persons”), processes (certificate lifecycle and incident handling), and systems (secure digital signatures and repositories), all supported by audit-ready evidence.
Related Legislation
- Electronic Transactions Act 2010 (authorising provisions referenced in the extract: sections 22, 36 and 38)
Source Documents
This article provides an overview of the Electronic Transactions (Certification Authority) Regulations 2010 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the official text for authoritative provisions.