Electronic Transactions Act

Electronic Transactions (Certification Authorities) Regulations 2010

[GN 213 of 2010 – 1 December 2010] [Section 50]

1. Short title

These regulations may be cited as the Electronic Transactions (Certification Authorities) Regulations 2010.

2. Interpretation

In these regulations –

"Act" means the Electronic Transactions Act;

"annual fee" means the annual fee payable in respect of a licence or recognition at the beginning of each year in respect of that year;

"approval" means an approval issued by the Controller at the Minister's request to a public sector agency under regulation 15, or renewed under regulation 16, as the case may be;

"effective date", in relation to an application, means the date by which all information, particulars and documents required by the Controller or Minister, as the case may be, are submitted;

"foreign certification authority" means a certification authority outside Mauritius;

"initial fee" means the one-off fee payable before a licence or recognition is issued;

"licence" means a licence issued under regulation 5 or renewed under regulation 6, as the case may be;

"recognition" means a recognition issued to a foreign certification authority under regulation 11 or renewed under regulation 12, as the case may be;

"subscriber identity verification method" means a method used to verify and authenticate the identity of a subscriber;

"trusted person" means any person who has –

(a) direct responsibilities for the day-to-day operations, security and performance of a certification authority's transactions or business activities;

(b) duties directly involving the issue, renewal, suspension, revocation of certificates (including the identification of any person requesting a certificate from a certification authority), creation of private keys or administration of a certification authority's computing facilities.

3. Functions of Controller

(1) The Controller shall, in relation to certification authorities –

 (a) exercise supervision over their activities;

 (b) certify their public keys;

 (c) lay down the standards to be maintained by them;

 (d) specify the qualifications and experience of persons employed by them or acting on their behalf;

 (e) specify the terms and conditions subject to which they shall operate;

 (f) lay down their duties;

 (g) specify the contents of written, printed or visual materials and advertisements that may be distributed or used in respect of a certificate and the public key;

 (h) specify the form and content of a certificate and the key pair;

 (i) specify the form and manner in which accounts shall be maintained by them;

 (j) facilitate the establishment of any electronic system by a certification authority, either solely or jointly with other certification authorities, and regulation of such systems;

 (k) specify the manner in which they shall deal with subscribers;

 (l) maintain a publicly accessible database containing the disclosure record of every certification authority which shall contain the particulars set out in the First Schedule.

(2) The Controller shall, in the discharge of its functions under paragraph (1), have regard to public interest and any element of national security.

(3) For purposes of these regulations, the Controller may issue directives and guidelines to certification authorities.

4. Authorised certification authorities

No person or body shall act as certification authority in Mauritius unless –

(a) he or it holds a valid licence issued by the Controller under regulation 5 or 6;

(b) in the case of a foreign certification authority, it is issued with a recognition by the Controller under regulation 11 or 12; or

(c) in the case of a public sector agency, it is issued with an approval under regulation 15 or 16.

5. Application for licence to act as certification authority

(1) Where –

 (a) any person who is a citizen of Mauritius or is duly authorised to carry out business in Mauritius; or

 (b) any body which is a company or body corporate, incorporated in Mauritius or registered with the Registrar of Companies under the Companies Act,

wishes to act as a licensed certification authority for the purposes of the Act, he or it, as the case may be, shall make an application to the Controller in such form and manner as the Controller may determine.

(2) Every application made under paragraph (1) shall be accompanied by the appropriate application fee specified in the Second Schedule and such documents as the Controller may determine.

(3) Where the Controller receives an application made under paragraph (1), it –

 (a) shall give public notice of the application in 2 daily newspapers having wide coverage in the country and invite any interested person wishing to object to the application to do so in writing within 14 days of the publication;

 (b) may direct the applicant to furnish such additional information as it may determine.

(4) In considering an application made under paragraph (1), the Controller shall have regard to the criteria and requirements set out in the Third Schedule.

(5) The Controller may, within a period of 90 days from the effective date of the application, grant or refuse an application made under paragraph (1).

(6) Where the Controller grants the application, it shall, subject to regulation 7, issue a licence to the applicant on such terms and conditions as the Controller may determine.

(7) A licence issued by the Controller under this regulation –

 (a) shall be valid for a period of 5 years from the date of issue; and

 (b) may be renewed.

(8) Where the Controller refuses an application, it shall forthwith notify the applicant by registered post of its refusal, giving reasons for the refusal.

6. Renewal of licence

(1) An application for the renewal of a licence shall be –

 (a) made to the Controller in such form and manner as it may determine, at least 90 days before the date of expiry of the licence; and

 (b) accompanied by the appropriate application fee and such documents as the Controller may require.

(2) Where the Controller receives an application made under paragraph (1), it –

 (a) shall give public notice of the application in 2 daily newspapers having wide coverage in the country and invite any interested person wishing to object to the application to do so in writing within 14 days of the publication;

 (b) may direct the applicant to furnish such additional information as it may determine.

(3) In considering an application made under paragraph (1), the Controller shall have regard to the criteria and requirements set out in the Third Schedule.

(4) The Controller may, within a period of 90 days from the effective date of the application, grant or refuse an application made under paragraph (1).

(5) Where the Controller grants the application, it shall, subject to regulation 7, renew the licence for a period of 5 years on such terms and conditions as the Controller may determine.

(6) Where a licensed certification authority has no intention of renewing its licence, it shall –

 (a) inform the Controller in writing not later than 90 days before the date of expiry of its licence;

 (b) inform all its subscribers in writing not later than 60 days before the date of expiry of its licence;

 (c) give public notice of its intention in 2 daily newspapers having wide coverage in the country and in such manner as the Controller may determine, not later than 60 days before the date of expiry of its licence; and

 (d) take appropriate steps to maintain the validity of any certificate issued by it which is still valid.

(7) Where the Controller refuses an application, it shall forthwith notify the applicant by registered post of its refusal, giving reasons for the refusal.

7. Procedure for taking out licence

(1) Where the Controller grants an application under regulation 5 or 6, the applicant shall take out the licence on payment of the appropriate initial fee and annual fee and on provision of such performance bond specified in paragraph 1 of the Third Schedule as may be determined by the Controller within a period of 90 days of the grant.

(2) The applicant may make a request to the Controller in writing, on reasonable cause shown and not later than 15 days prior to the expiry of the delay, to extend the delay for another period of 90 days.

(3) Where the Controller grants the extended period of 90 days and the applicant fails to take out the licence during that period, the Controller shall rescind its decision to grant or renew the licence and any fee, whether annual fee or initial fee, paid by the applicant shall not be refunded.

8. Refusal to grant application for licence or renewal of licence

(1) The Controller may refuse to grant an application for a licence or for renewal of a licence where –

 (a) the applicant is from a category other than the ones specified in regulation 5(1);

 (b) the Controller requires additional information and the applicant fails to provide the information to the Controller's satisfaction;

 (c) the applicant or its majority shareholder is in the course of being wound up or liquidated;

 (d) a Receiver or a Receiver and Manager has been appointed to the applicant or its majority shareholder or it is in the process of liquidation;

 (e) the applicant or its majority shareholder has, whether in Mauritius or elsewhere, entered into a compromise or scheme of arrangement with its creditors, being a compromise or scheme of arrangement that is still in operation;

 (f) the applicant or its majority shareholder or any trusted person has been convicted, whether in Mauritius or elsewhere, of an offence involving fraud or dishonesty, or has been convicted of any offence under the Act or these regulations;

 (g) the Controller is not satisfied as to the qualifications or experience of the trusted person who is to perform duties in connection with the holding of the licence by the applicant;

 (h) the applicant fails to satisfy the Controller that it is a fit and proper person to be licensed or that all its trusted persons and majority shareholders are fit and proper persons;

 (i) the Controller has reason to believe that the applicant may not be able to act in the best interests of its subscribers, customers or participants having regard to the reputation, character, financial integrity and reliability of the applicant or any of its majority shareholders or trusted persons;

 (j) the Controller is not satisfied as to the financial standing of the applicant or its majority shareholder;

 (k) the Controller is not satisfied as to the record of past performance or expertise of the applicant or its trusted person having regard to the nature of the business which the applicant may carry on in connection with the holding of the licence;

 (l) there are other circumstances which are likely to lead to the improper conduct of business by, or reflect discredit on the method of conducting the business of, the applicant or its majority shareholder or any of the trusted persons; or

 (m) the Controller is of the opinion that it is in the public interest to do so.

(2) For the purpose of paragraph (1) –

 "majority shareholder", in relation to an applicant which is a company, has the same meaning as in the Companies Act.

9. Application by foreign certification authority for recognition

(1) Every foreign certification authority wishing to obtain recognition in Mauritius to issue certificates shall make an application to the Controller in such form and manner as the Controller may determine.

(2) Every application made under paragraph (1) shall be accompanied by –

 (a) proof that the requirements under regulation 10 and the Third Schedule have been satisfied;

 (b) the appropriate application fee; and

 (c) such other information or documents as the Controller may determine.

10. Requirements for recognition

(1) In order to qualify for recognition, every foreign certification authority shall –

 (a) be licensed or otherwise authorised by the relevant competent entity in its country to carry on or operate as a certification authority in that country;

 (b) issue certificates of a level of security equal to or more stringent than the level of security of certificates issued by a licensed certification authority in Mauritius;

 (c) provide for or have a local agent for service of process in Mauritius;

 (d) comply with the standards and other requirements under the Act and these regulations; and

 (e) comply with such other requirements as the Controller may determine.

(2) Notwithstanding paragraph (1)(a), the Controller may grant recognition to a foreign certification authority which does not comply with the requirements of that paragraph on the ground that the country concerned does not require a licence or any other authority to carry on certification practice in that country, but which otherwise satisfies the requirements of paragraph (1)(b), (c), (d) and (e).

11. Grant of application for recognition

(1) Where the Controller receives an application under regulation 9, it –

 (a) shall give public notice of the application in 2 daily newspapers having wide coverage in the country and invite any interested person who wishes to object to the application to do so in writing within 14 days of the publication;

 (b) may direct the applicant to furnish such additional information as it may determine.

(2) The Controller may, within a period of 90 days from the effective date of the application, grant or refuse an application made under regulation 9.

(3) In considering an application made under regulation 9, the Controller shall have regard to the criteria and requirements set out in the Third Schedule.

(4) Where the Controller grants the application, it shall, subject to regulation 13, issue a recognition to the applicant in such form and on such terms and conditions as the Controller may determine.

(5)  A recognition issued by the Controller u

This section of the article is only available for our subscribers. Please click here to subscribe to a subscription plan to view this part of the article.