Gen-N836-20-Dec-2024-ETA

GOVERNMENT GAZETTE

OF THE

REPUBLIC OF NAMIBIA

N$24.80	WINDHOEK - 20 December 2024	No. 8540
CONTENTS Page	CONTENTS Page	CONTENTS Page
GENERALNOTICE No. 836	Communications Regulatory Authority of Namibia: Notice of Intention to make Regulations regarding Accreditation of Security Products and Services and Providers of Such Products and Services: Electronic Transactions Act, 2019............................................................................................................................ ________________	1
General Notice	General Notice	General Notice
No.	836	2024
NOTICE OF INTENTION TO MAKE REGULATIONS REGARDINGACCREDITATION OF SECURITYPRODUCTSAND SERVICESAND PROVIDERS OF SUCH PRODUCTS AND SERVICES: ELECTRONIC TRANSACTIONSACT, 2019	NOTICE OF INTENTION TO MAKE REGULATIONS REGARDINGACCREDITATION OF SECURITYPRODUCTSAND SERVICESAND PROVIDERS OF SUCH PRODUCTS AND SERVICES: ELECTRONIC TRANSACTIONSACT, 2019	NOTICE OF INTENTION TO MAKE REGULATIONS REGARDINGACCREDITATION OF SECURITYPRODUCTSAND SERVICESAND PROVIDERS OF SUCH PRODUCTS AND SERVICES: ELECTRONIC TRANSACTIONSACT, 2019
(a)	publishes this Notice of Intention to make Regulations regarding Accreditation of Security Products and Services and Providers of Such Products and Services as set out in Schedule 2; and	publishes this Notice of Intention to make Regulations regarding Accreditation of Security Products and Services and Providers of Such Products and Services as set out in Schedule 2; and
(b)	provides the concise statement of the reasons and purpose for the proposed regulations set out in Schedule 1.	provides the concise statement of the reasons and purpose for the proposed regulations set out in Schedule 1.
The Authority invites the public to submit comments in writing to the Authority on or before the 30 January 2025, and a written comment must	The Authority invites the public to submit comments in writing to the Authority on or before the 30 January 2025, and a written comment must	The Authority invites the public to submit comments in writing to the Authority on or before the 30 January 2025, and a written comment must

• (a) contain the name and contact details of the person making the written submissions and the name and contact details of the person or entity on whose behalf the written submissions are made, if different;
• (b) be clear and concise; and
• (c) be sent or delivered ̶
• (i) by hand to the head office of CRAN, Freedom Plaza, Courtside (3rd and 4th Floors), c/o Fidel Castro and Rev. Micheal Scott Streets, Windhoek;
• (ii) by post to CRAN, Private Bag 13309, Windhoek, Namibia; or
• (iii) by electronic mail to CRAN email address: legal@cran.na.

In terms of regulation 7 of the Regulations regarding Rule-Making Procedures the Authority herewith gives notice that it will hold a hearing regarding the proposed regulations as follow:

DATE:	31 January 2024
TIME:	08h00 to 13h00
VENUE:	Droombos Country lodge

The public is invited to make comments or oral submissions at the hearing. Notice of oral submissions to be made during the hearing must be submitted to the Authority not later than 10 days before the date of the hearing. Such written notice must be accompanied by a concise statement setting out the basis and rationale for the oral submissions.

Oral submissions made at the aforesaid public hearing must ̶

• (a) contain the name and contact details of the person making the written submissions and the name and contact details of the person or entity on whose behalf the written submissions are made, if different;
• (b) be clear and concise.

The aforesaid notice of oral submissions must be sent or submitted to by the Authority in the manner provided above.

T. MUFETI CHAIRPERSON COMMUNICATIONS REGULATORY AUTHORITY OF NAMIBIA

SCHEDULE 1

CONCISE STATEMENT OF PURPOSE

The purpose of the rule-making procedure is for the Authority to comply with section 47 of the Electronic Transactions Act, 2019 (Act No. 4 of 2019) that requires the Authority to make regulations prescribing issues relating to accreditation of security products and security services as well as suppliers of security products and providers of security services, and to -

• (a) to introduce to the public the proposed regulations that will govern accreditation of security products and services and providers of such products and services by the Authority; and
• (b) ensure that the proposed regulations are in line with the enabling legislation, the Electronic Transactions Act, 2019 and that it covers all other necessary concerns.

1. Definitions

SCHEDULE 2

REGULATIONS REGARDING ACCREDITATION OF SECURITY PRODUCTS AND SERVICES AND PROVIDERS OF SUCH PRODUCTS AND SERVICES: ELECTRONIC TRANSACTIONS ACT, 2019

The Communications Regulatory Authority of Namibia under section 47 read with sections 41 to 46 of the Electronic Transactions Act, 2019 (Act No. 4 of 2019) and after having followed the rulemaking procedure in terms of the Regulations regarding Rule-Making Procedures published under General Notice No. 334 of 17 December 2010 as amended by General Notice No. 554 of 14 October 2021, has made the regulations set out in the Schedule.

SCHEDULE

ARRANGEMENT OF REGULATIONS

PART 1 INTRODUCTORY PROVISIONS

PART 2

ACCREDITATION OF SECURITY PRODUCTS AND CERTIFICATION SERVICE PROVIDERS

2. Types of products and services that may not be provided without being accredited
3. Classification of security products, security services and providers of products and services
4. Accreditation of certification service providers
5. Application for accreditation as certification service providers
6. Issuance of certificate of accreditation
7. Amendment of accreditation
8. Renewal of accreditation
9. Refusal to grant and renew accreditation
10. Suspension, revocation and lapsing of certificate of accreditation
11. Surrender of certificate of accreditation
12. Cede, pledge, encumber and dispose of certificate of accreditation
13. Transfer and assignment of certificate of accreditation
14. Audit report
15. Certification practice statement
16. Database of accredited security products and certification service providers, suspended and revoked accreditations
17. Change in ownership, management etc of certification service provider
18. Review and audits
19. Inquiry into allegation of misconduct
20. Appeal to High Court

PART 3

FOREIGN CERTIFICATION SERVICE PROVIDERS

21. Recognition as foreign certification service providers
22. Application for recognition
23. Granting of recognition
24. Suspension, revocation and lapsing, ceding, pledging, encumber, disposing, transfer and surrender of certificate of recognition
25. Register of recognised foreign certification service providers

PART 4

ADVANCED ELECTRONIC SIGNATURE SCHEME, KEY MANAGEMENT AND ISSUANCE OF SUBSCRIBER CERTIFICATES

26. Approval of advanced electronic signatures
27. Storage and control of private keys
28. Disposal of key pairs
29. Issuance of subscriber certificates
30. Particulars of subscriber certificates
31. Obtaining subscriber certificate
32. Acceptance of subscriber certificate
33. Disclosure and compliance with certification practice statement
34. Prohibition of publication of subscriber certificate
35. Representation on issuance of subscriber certificate
36. Recommended reliance limits
37. Limitation of liability for certification service provider
38. Suspension of subscriber certificate
39. Notice of suspension
40. Revocation of subscriber certificate
41. Revocation without consent of subscriber
42. Notice of revocation of subscriber certificates
43. Publication of revocation list of subscriber certificates
44. Management of records
45. Obligations of subscribers for generating keypairs
46. Information system audit
47. Appeals against decisions of certification service providers
48. Annexure 1: Forms
49. Annexure 2: Requirements and Conditions for Electronic Signature Creation and Verification Devices, Qualifying Certificates, Service Providers and Key Personnel

Annexure 3: Fees

Definitions

1. In these regulations a word or phrase to which a meaning has been assigned in the Act has that meaning, and unless the context otherwise indicates -

'certificate of accreditation' means a certificate issued to a certification service provider under regulation 6;

'certification practice statement' means a statement issued by a certification service provider specifying the practices that the service provider employs in issuing a subscriber certificate;

'certification service' means a security service referred to in section 41 of the Act, and includes the service of ̶

• (a) issuing subscriber certificates necessary for giving advanced electronic signatures to subscribers;
• (b) enabling the verification of advanced electronic signatures given on the basis of subscriber certificates;

PART 1 INTRODUCTORY PROVISIONS

• (c) implementing procedures for suspension and revocation of subscriber certificates;
• (d) checking the revocation status of the subscriber certificate and advising the relying party; or
• (e) issuing cross-pair certificates;

'certification service provider' means a person accredited under regulation 5 to provide certification service and manage and issue subscriber certificates and public keys;

'key pair', in an asymmetric cryptosystem, means a private key and its mathematically related public key having a property that allows the public key to verify an electronic signature that the private key creates;

'key personnel' means employees who have direct responsibility for the day to day operations, security and performance of a certification service provider, or whose duties directly involve the issuance, renewal, suspension, revocation of certificates, the process of identification of any person requesting a certificate, the creation of private keys or the administration of the certification service providers computing facilities;

'private key' means the key of a key pair used to create an electronic signature;

'public key' means the key of a key pair used to verify an electronic signature;

'standard subscriber agreement' means an agreement between the certification service provider and its subscriber for the provision of recognised electronic signatures.

'subscriber' means a person who is the subject named or identified in a subscriber certificate issued to that person and who holds a private key that corresponds to a public key listed in that certificate, and a signer has a corresponding meaning;

'subscriber certificate' means a digital record issued to a subscriber by a certification service provider for the purpose of supporting electronic signatures which purports to confirm the identity or other significant characteristics of the person who holds a particular keypair;

'subscriber certificate revocation list' means a list of subscriber certificates that have been revoked under regulation 9; and

'the Act' means the Electronic Transactions Act, 2019 (Act No. 4 of 2019).

PART 2 ACCREDITATION OF SECURITY PRODUCTS AND

CERTIFICATION SERVICE PROVIDERS

Types of products and services that may not be provided without being accredited

2. A person may not -
3. (a) supply digital or electronic product or provide certification service;
4. (b) carry on or operate, or hold himself or herself out as carrying on or operating or providing certification service,

unless such ̶

• (i) product or service has been accredited; or

• (ii) person has been accredited and issued with a certificate of accreditation as a service provider,

by the Authority in terms of section 42 of the Act and in accordance with regulation 5.

Classification of security products, security services and providers of such products and services

3. Every digital or electronic product, every digital or electronic service, or every provider of such product or service that has as its purpose referred to in section 41(1) of the Act is classified as security product, security service, or provider of security products or security services, respectively, and are treated as such in terms of the Act and these regulations.

Accreditation of security products and services

4. (1) A person who wishes to apply for accreditation of a security product or as a supplier or provider of a security product must apply to the Authority in a manner determined by the Authority.

• (2) A person who wishes to operate as certification service provider must, in addition to requirements provided in sections 41 and 42 the Act, apply to the Authority for accreditation as certification service provider in terms of regulation 5.

Application for accreditation as certification service providers

5. (1) The application for accreditation to operate as certification service provider is made in Form 1 set out in Annexure 1, and is accompanied by -
6. (a) proof of payment of a non-refundable application fee as set out in Annexure 3;
7. (b) a certification practice statement referred to in regulation 15;
8. (c) an undertaking signed by the applicant to -
9. (i) undergo and pass an initial audit; and
10. (ii) fulfil other requirements relating to qualification, expertise, manpower, financial resources and infrastructure facilities necessary as determined by the Authority from time to time for the granting of accreditation.

• (2) The Authority must within 90 days of receipt of an application for accreditation grant or refuse the application.
• (3) The Authority, in considering an application for accreditation, must have regard to ̶

9. (a) the financial and technical capability of the applicant;
10. (b) the ability of an advanced electronic signatures to -
11. (i) uniquely be linked to the subscriber;
12. (ii) identify the subscriber;
13. (iii) be maintained under the sole control of the subscriber;

• (iii) be linked to the data or data message to which it relates in a manner that any subsequent change of the data or data message is detectable; and
• (v) enable face to face identification of the subscriber;
• (c) the quality of the hardware and software systems;
• (d) the procedures for the processing of products or services;
• (e) the availability of information to third parties relying on the certification service;
• (f) the regularity and extent of audits by an independent body;
• (g) the ability of the applicant to comply with the applicable certification service standards; and
• (h) any other relevant factor the Authority may determine.
• (4) Where the Authority refuses an application for accreditation, it must inform the applicant, in writing, giving reasons for its refusal.
• (5) Where the Authority fails to make a decision within the period specified under subregulation (2), the application is deemed to have been granted, and the applicant is entitled to receive its certificate of accreditation.
• (6) The Authority may request for further particulars in respect of an application for accreditation, and where the Authority requests for such particulars the period referred to in subregulation (2) stops running for that period and resumes upon receipt of the requested particulars.

Issuance of certificate of accreditation

6. (1) Where an application for accreditation made under regulation 5 meets all the requirements and conditions, the Authority must -
7. (a) grant the application; and
8. (b) issue the applicant with a certificate of accreditation in Form 2 set out in Annexure 1.

• (2) A certificate of accreditation issued in terms of this regulation is valid for a period of two years.
• (3) A certification service provider must at all times display its certificate of accreditation in a conspicuous manner in its place of business.
• (4) The Authority, as soon as practical after the issuance, renewal, suspension or revocation of a certificate of accreditation, must announce the issuance, renewal, suspension or revocation of the certificate by notice -

7. (a) on its website; and
8. (b) in any other media of its choice circulating widely.

Amendment of accreditation

7. (1) A certification service provider may, at any time during the validity of its certificate of accreditation, apply to the Authority for amendment of the terms or conditions of accreditation or any matter relating to the accreditation.

• (2) An application for amendment of accreditation is accompanied by the application fee set out in Annexure 3.

• (3) The Authority must upon receipt consider the application for amendment of accreditation and may grant or refuse the application.

• (4) Where the application for amendment of accreditation is granted, the Authority -

• (a) must make the relevant amendments to the certificate, terms or conditions of accreditation, upon payment of the fee set out in Annexure 3;

• (b) must, allow the certificate to continue to have effect as varied until its expiry;

• (c) may not refund any fees paid with respect to the accreditation.

• (5) The Authority, on its own motion, may vary the terms or conditions of accreditation where the amendment is necessary ̶

• (a) in the public interest; or

• (b) to address the concerns of the members of the public or subscribers.

• (6) The Authority, before making any amendment of the terms or conditions of accreditation issued under subregulation (5), must notify the certification service provider concerned of its intention to amend the accreditation ̶

• (a) in the manner specified in the notice; and

• (b) specifying the period, not being less than 30 days from the date of receipt of the notice, within which the service provider may make a written representation to the Authority in respect of the proposed amendment.

Renewal of accreditation

8. (1) A certification service provider who wishes to renew its accreditation must apply to the Authority for the renewal of accreditation at least 90 days before the date of expiry of its certificate of accreditation.

• (2) An application for renewal of accreditation is made in Form 1 set out in Annexure 1 and is accompanied by ̶

• (a) an application for renewal of accreditation fee set out in Annexure 3;

• (b) the latest version of the certification practice statement;

• (c) a copy of the latest version of the standard subscriber agreement;

• (d) the audited financial statements of the two preceding years, where applicable;

• (e) a latest audited report; and

• (f) any other necessary information as the Authority may request.

• (3) An application for renewal of certificate of accreditation is considered by the Authority within 60 days from the date of receipt of the application.

• (4) The Authority must grant a renewal of certificate of accreditation where it is satisfied that the applicant ̶

• (a) meets the requirements of the Act and these regulations; and

• (b) has complied with the terms and conditions imposed on its accreditation.

Refusal to grant and renew accreditation

9. (1) The Authority may refuse to grant or renew accreditation where -
10. (a) the applicant ̶
11. (i) fails to comply with any provision of the Act or these regulations or the certification service standards;
12. (ii) fails to provide the Authority with further information it requested regarding the processing of the application concerned;
13. (iii) is wound up or liquidated;
14. (iv) has, within a period of 10 years immediately preceding the date of his, her or its accreditation or renewal, been convicted, whether in Namibia or elsewhere, of an offence involving fraud or dishonesty or has been convicted of an offence under the Act or these regulations; or
15. (v) or any of its owners or key personnel is found guilty of misconduct of business;
16. (b) it is not satisfied with ̶
17. (i) the qualifications or experience of the key personnel of the applicant;
18. (ii) the financial standing of the applicant or its significant owners; or
19. (iii) the record of past performance or expertise of the applicant or of its personnel;
20. (c) it has reason to believe that the applicant may not be able to act in the best interest of its subscribers or customers having regard to the reputation, character, financial integrity and reliability of the applicant or any of its significant owners or key personnel; or
21. (d) it is of the opinion that it is in the interest of the public to do so.

• (2) The Authority must inform the applicant of the reasons for refusal to grant or renew accreditation.

Suspension, revocation and lapsing of certificate of accreditation

10. (1) The Authority may suspend or revoke the certificate of accreditation of a certification service provider if ̶

• (a) the Authority is of the view that the information provided in the application for accreditation is false, misleading or inaccurate;

• (b) the certification service provider ̶

• (i) fails to undergo an audit required under regulation 18;

• (ii) is likely to be wound up;

• (iii) fails to carry on the business for which it was accredited; or

• (iv) contravenes or fails to comply with any term or condition in respect of its accreditation;

• (c) the Authority has reason to believe that the certification service provider or any of its key personnel has not performed their duties efficiently, honestly or fairly; or

• (d) the Authority has received a written request by the certification service provider to suspend or revoke the accreditation.

• (2) Where the Authority is satisfied that a certification service provider is not complying with or has not complied with a term or condition of accreditation, the Authority may suspend or revoke the certificate of accreditation.

• (3) The Authority must notify the certification service provider in writing of any intended suspension or revocation of certificate of accreditation including -

• (a) the reasons for suspension or revocation;

• (a) the timelines for rectification of non-compliance; and

• (b) the action that it intends to take in the event of non-compliance with the notice within the period specified in the notice.

• (4) The Authority may not suspend or revoke a certificate of accreditation without first giving the certification service provider an opportunity to be heard and to comply with the directives of the Authority, if any, within a reasonable specified period.

• (5) The Authority, in determining whether it is necessary to suspend or revoke a certificate of accreditation, must consider the extent of loss or damages to persons likely to be affected by the suspension or revocation.

• (6) A certificate of accreditation which remains unutilized for six months from the date of issue lapses automatically at the expiry of six months.

Surrender of certificate of accreditation

11. (1) Where a certification service provider decides not to continue providing the certification service, the service provider must -

• (a) notify the Authority in writing of the surrender of the certificate of accreditation; and
• (b) agree with the Authority on the terms and conditions of the surrender of the certificate of accreditation with particular reference to anything done or any benefit obtained under the certificate.
• (2) Where a certificate of accreditation is surrendered, its validity ends and the certification service provider -
• (a) ceases all entitlements to any benefits arising from the certificate; and
• (b) is not entitled to a refund of any fees paid with respect to the certificate.

Cede, pledge, encumber and dispose of certificate of accreditation

12. A certification service provider may not cede, pledge, encumber or otherwise dispose of its certificate of accreditation except under regulation 13.

Transfer and assignment of certificate of accreditation

13. (1) A certification service provider may transfer or assign its certificate of accreditation to any person with the prior approval of the Authority.

• (2) An application for approval to transfer or assign a certificate of accreditation is made to the Authority in a manner and form determined by the Authority, and the Authority may, within 60 days of receipt of the application -

3. (a) grant the application on the terms and conditions that it may determine, and issue a transfer of certificate of accreditation upon payment of transfer fee set out in Annexure 3; or
4. (b) refuse the application and give reasons for the refusal.

Audit report

14. (1) A certification service provider must provide an information audit report compiled by an auditor appointed by the Authority.

• (2) All fees relating to the audit report is borne by the certification service provider.
• (3) The audit report must confirm in respect of -

4. (a) an advanced electronic signature that it ̶
5. (i) conforms with the requirements of section 41 of the Act and is capable of identifying the signer;
6. (ii) is created by qualifying signature creation and signature verification devices;
7. (iii) is based on a qualifying certificate; and
8. (iv) complies with the international standards with which the certification service provider claims in its application for accreditation; and
9. (b) a certification service provider that it -

• (i) satisfies the requirements and conditions set out in Annexure 2;
• (ii) has systems in place to ensure compliance with the Act and these regulations;
• (iii) has sufficient financial resources to provide for professional indemnity or insurance cover; and
• (iv) has personnel who satisfy the requirements and conditions set out in Annexure 2.

Certification practice statement

15. (1) A certification service provider must -
16. (a) prepare a certification practice statement in accordance with the certification service standards, these regulations and guidelines issued by the Authority from time to time; and
17. (b) submit the certification practice statement to the Authority for approval before accreditation is granted, renewed or any operation commenced.

• (2) A certification service provider, in its certification practice statement, must specify -

5. (a) any limitation of its liabilities and, particularly, the implication of reliance limitations specified; and
6. (b) the subscriber identity verification method for the issuance, suspension, revocation and renewal of subscriber certificate.

• (3) When the Authority approves a certification practice statement, the certification service provider may not change the statement without a prior written approval of the Authority.
• (4) A certification service provider must -

9. (a) file with the Authority a copy of its certification practice statement and specify its effective date; and
10. (b) publish it on its website which is accessible to members of the public.

• (5) A certification service provider must record all changes made to its certification practice statement together with the effective date of each change.
• (6) A certification service provider must keep in a secure manner a copy of each version of its certification practice statement and record the date it came into effect and the date it ceased to have effect.

Database of accredited security products and certification service providers, suspended and revoked accreditations

16. (1) The Authority must keep and maintain a database of all security products and certification service providers accredited by the Authority and suspended and revoked accreditations.

• (2) The register must contain -

3. (a) the name and address of the certification service provider; and

• (b) a description of the certification service provider.
• (3) The Authority must publish the register on its website and by any other means it thinks fit for access to the public.

Change in ownership, management and operation of certification service provider

17. (1) A certification service provider that wishes to change its ownership, management or operations may make an application to the Authority for approval.

• (2) Upon receipt of an application for change of ownership, management or operations the Authority may ̶

3. (a) request the applicant to submit an audit report; or
4. (b) suspend or revoke the accreditation of the service provider.

• (3) Where an audit report is requested, all expenses is borne by the certification service provider.
• (4) Where the Authority has authorised a change in the ownership or management of a certification service provider, it must publish a copy of the latest certification practice statement of the certification service provider on its website and by any other means it thinks fit for access to the public.

Review and audits

18. (1) The Authority must monitor the conduct, systems and operations of every certification service provider to ensure that it complies with the Act, these regulations and certification service standards and, where necessary ̶
19. (a) require a service provider to undergo an audit if it is of the opinion that -
20. (i) a significant change in the ownership or operations of the certification service provider has occurred, or
21. (ii) such audit is reasonably required or is otherwise necessary;
22. (b) issue such direction to the certification service provider concerned for compliance as it thinks necessary; or
23. (c) temporarily suspend or revoke the accreditation.

• (2) Where an audit is required in terms of subregulation (1)(a), a certification service provider must at its own cost commission an audit report to be compiled by an auditor appointed by the Authority which must be completed within such period as the Authority may specify.

Inquiry into allegation of misconduct

19. (1) The Authority may inquire into any allegations that ̶
20. (a) a significant change in the ownership, management or operations of a certification service provider has occurred, the approval of which has not been granted in terms of regulation 17;

• (b) an employee of a certification service provider has committed an act which may render him or her guilty of misconduct and unfit to continue with the service of the certification service provider;
• (c) a certification service provider has contravened a provision of the Act, these regulations or certification standards; or
• (d) a certification service provider is in breach of its certification practice statement or the terms of its standard subscriber agreement.
• (2) If, after inquiring into an allegation made under subregulation (1) and having given the certification service provider an opportunity to be heard, the Authority is of the opinion that the allegation is proven, it must take any appropriate action under regulation 17.
• (3) If the Authority is of the opinion that the allegation under subregulation (1) is made in bad faith, it may require the person who made the allegation to be liable for the costs related to the inquiry including costs of an audit that may be required.

Appeal to High Court

20. A certification service provider aggrieved by the decision of the Authority may within 30 days of receipt of the decision appeal to the High Court.

PART 3 FOREIGN CERTIFICATION SERVICE PROVIDERS

Recognition as foreign certification service providers

21. The Authority may recognise a foreign certification service provider as a certification service provider for the purposes of these regulations, where the service provider ̶
22. (a) is duly licensed or certified or authorised to issue certification services in the country in which it operates;
23. (b) complies with the requirements of the Act and these regulations and accepted international technical standards; and
24. (c) has established a local agent to provide certification service in Namibia.

Application for recognition

22. (1) An application for recognition as foreign certification service provider for the purposes of these regulations is made to the Authority in a manner determined by the Authority.

• (2) An application for recognition as certification service provider is accompanied by -

3. (a) proof that the requirements under regulation 21 have been satisfied, including a report from a qualified auditor certifying that the standards and technical requirements have been satisfied;
4. (b) the prescribed fee; and
5. (c) such other information or documents as the Authority may require.

Granting of recognition

23. (1) On receipt of an application for recognition made under regulation 22, the Authority must consider the application with 60 days of receipt.

• (2) Upon consideration of the application after having had regard to all the requirements, conditions and suitability of the applicant, the Authority may grant the application with or without conditions or refuse the application.
• (3) Where the Authority grants the application, the Authority must issue the applicant with a certificate of recognition as certification service provider and register its name on database list referred to in regulation 16.
• (4) All the terms and conditions regarding a certificate of accreditation apply with the necessary changes to a certificate of recognition.
• (5) Where the Authority refuses an application, the Authority must immediately notify the applicant in writing of its refusal and the reasons for its refusal.
• (6) Where a holder of certificate of recognition issued under subregulation (3) issues a subscriber certificate to a subscriber, such certificate is valid for the purposes of the Act and these regulations.

Suspension, revocation and lapsing, ceding, pledging, encumber, disposing, transfer and surrender of certificate of recognition

24. (1) The provisions applicable to accreditation of certification service providers relating to suspension, revocation, lapsing, ceding, pledging, encumber and dispose and transfer of certificates of accreditation apply with the necessary changes to the suspension, revocation, lapsing ceding, pledging, encumbering and dispose, transfer and assignment, of certificates of recognition.

• (2) The Authority, by notice in the Gazette , may revoke the certificate of recognition granted under regulation 23 -

3. (a) if the Authority finds that the recognised foreign certification service provider no longer satisfies the requirements contemplated under regulation 21; or
4. (b) if the recognised foreign certification service provider applies for a revocation of the recognition.

• (3) A revocation under subregulation (2)(b) is without prejudice to a fresh application for recognition being made by the foreign certification service provider.
• (4) Where the Authority is satisfied that a recognised foreign certification service provider has contravened any of the conditions and restrictions of recognition under subregulation (1), it may revoke the recognition.

Register of recognised foreign certification service providers

25. The Authority must -
26. (a) publish a list of recognised foreign certification service providers in such form and manner as it may determine; and
27. (b) keep and maintain a Register of recognised foreign certification service providers in such form as it may consider fit.

PART 4 ADVANCED ELECTRONIC SIGNATURE SCHEME, KEY MANAGEMENT AND ISSUANCE OF SUBSCRIBER CERTIFICATES

Approval of advanced electronic signatures

26. (1) An advanced electronic signature scheme must be approved for the purposes of the Act and these regulations if ̶
27. (a) the advanced electronic signature scheme uses a secure public-key algorithm for the generation of the key pair and a secure public-key algorithm and hash function for the creation of the electronic signature;
28. (b) the advanced electronic signature scheme satisfies the technical component requirements; and
29. (c) the electronic signature created is not capable of being modified to contain a subliminal channel.

• (2) A key pair used to create and verify an electronic signature may not be used to encrypt and decrypt any messages.

Storage and control of private keys

27. (1) The data storage medium for the private key may be hardware- based or software-based.

• (2) If the data storage medium of the private key -

3. (a) is hardware-based, the subscriber holding the private key must ensure that the token, smart card or other external devices in which the private key is stored is kept in a secure place and in a secure manner; or
4. (b) is software-based, the subscriber holding the private key must ensure that the computer system in which the private key is stored is reasonably secure.

• (3) A subscriber holding the private key must -

6. (a) keep secret the personal identification numbers or other data used for the identification of the rightful holder of the private key in conjunction with the data storage medium for the private;
7. (b) exercise reasonable care in retaining control of the private key corresponding to the public key listed in its certificate;
8. (c) prevent the disclosure of the private key to a person not authorised to create electronic signature concerned;
9. (d) continue to take control of the private key during the operational period of its certificate and during any period of suspension of its certificate.

Disposal of key pairs

28. (1) If a key pair is no longer in use or to be used, or if the private key of the key pair is compromised, the holder of the key pair must dispose of it in a suitable manner, including by destroying it.

• (2) A holder of the key pair to be disposed of must use secure means and method to destroy the keys.
• (3) Despite subregulation (1), if the holder desires to retain a key pair that is no longer in use or to be used, or that has been compromised, the holder must ensure that the key pair is stored by a reasonably secure method.

Issuance of subscriber certificates

29. (1) A certification service provider, on receipt of an application from a prospective subscriber, may grant the application, if -
30. (a) the prospective subscriber is the person to be listed in the certificate to be issued;
31. (b) in the case of a prospective subscriber acting through an agent, the certification service provider has verified that the subscriber has authorised the agent to have custody of the private key of the subscriber and to request issuance of a certificate listing the corresponding public key;
32. (c) the information in the certificate to be issued is accurate;
33. (d) the subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate;
34. (e) the private key is capable of creating an electronic signature;
35. (f) the public key to be listed in the certificate can be used to verify an electronic signature affixed by the private key held by that subscriber;
36. (g) information regarding the conditions of usage of the certificate and limits on the value of transactions, where applicable, is available; and
37. (h) sufficient information that can be used to locate or identify one or more repositories in which notification of the revocation or suspension of the certificate would be listed if the certificate is suspended or revoked.

• (2) A certification service provider must -

11. (a) determine, based on official documents, the identity of the person to whom the certificate is issued; and
12. (b) specify, in the certification practice statement, the subscriber identity verification method applied in the issuance of certificates.

• (3) A certification service provider must -

14. (a) give a subscriber an opportunity to verify the contents of the certificate before the subscriber accepts it;
15. (b) inform a subscriber, in writing, of the legal effect of an advanced electronic signature, the limitations on the use of certificates and the dispute resolution procedures, applicable;
16. (c) warn subscribers, in writing, not to allow third parties to use signature creation data associated with signature verification data in the certificate.

• (4) Where the subscriber -

2. (a) accepts the issued certificate, the certification service provider must publish a signed copy of the certificate in a repository;
3. (b) does not accept the certificate, the certification service provider may not publish the certificate.

• (5) Once a certification service provider has issued a subscriber certificate and the subscriber has accepted the certificate, but a fact that may significantly affect the validity or reliability of the certificate subsequently becomes known to the service provider, the service provider must notify the subscriber as soon as practicable.
• (6) A certification service provider must log and keep in a secure manner the date and time of all transactions relating to the issuance of a subscriber certificate.
• (7) Where a certification service provider issues an additional certificate to a person based on a valid certificate held by the same person and subsequently the original certificate is suspended or revoked, the service provider must investigate and determine whether the new certificate should also be suspended or revoked.

Particulars of subscriber certificates

30. A subscriber certificate must set out ̶
31. (a) the number of the certificate;
32. (b) the name of the subscriber;
33. (c) the personal identification code or registry code of the subscriber;
34. (d) the public key of the subscriber;
35. (e) the period of validity of the certificate;
36. (f) the issuer and registry code of the issuer; and
37. (g) a description of the limitations on the scope of use of the certificate.

Obtaining subscriber certificate

31. A subscriber must ensure that -
32. (a) all material representation to a certification service provider for purposes of obtaining a subscriber certificate; and
33. (b) all information known to the subscriber and represented in the certificate,

are accurate and complete to the best of his or her knowledge and belief, regardless of whether such representations are confirmed by the certification service provider.

Acceptance of subscriber certificate

32. (1) A subscriber is deemed to have accepted a subscriber certificate, if the subscriber ̶

• (a) publishes or authorises the publication of the certificate ̶
• (i) to one or more persons; or
• (ii) in a repository; or
• (b) otherwise demonstrates approval of the certificate while knowing or having notice of its contents.
• (2) A subscriber who accepts a certificate issued by a certification service provider, must certify that ̶
• (a) the subscriber rightfully holds the private key corresponding to the public key listed in the certificate;
• (b) a representation made by the subscriber to the certification service provider to the information listed in the certificate is true; and
• (c) information in the certificate that is within the knowledge of the subscriber is true.

Disclosure and compliance with certification practice statement

33. (1) A certification service provider must disclose -
34. (a) its certificate that contains the public key corresponding to the private key used by that certification service provider to digitally sign another certificate;

• b) a certification practice statement referred to in regulation 15;

4. (c) a notice of the revocation or suspension of certificate; and
5. (d) any other fact that materially and adversely affects either the reliability of a certificate that the service provider has issued or the ability of the service provider to carry out its obligations.

• (2) In the event of an occurrence that materially and adversely affects the trustworthy system of a certification service provider or a certificate issued by it, the service provider must -

7. (a) use reasonable efforts to notify any person who is known or likely to be affected by that occurrence.
8. (b) act in accordance with procedures governing such an occurrence as specified in its certification practice statement.

Prohibition of publication of subscriber certificate

34. A person may not publish a subscriber certificate or otherwise make it available to another person if ̶
35. (a) that person is not the certification service provider;
36. (b) the subscriber listed in that certificate has not accepted it; or
37. (c) the certificate has been suspended or revoked, unless that publication is for the purpose of verifying an electronic signature created prior to that suspension or revocation.

Representation on issuance of subscriber certificate

35. A certification service provider by issuing a subscriber certificate, represents to any person who reasonably relies on the certificate, that ̶
36. (a) the service provider has issued the certificate in accordance with the applicable certification practice statement incorporated by reference in the certificate, or of which the relying party has notice;
37. (b) the service provider has complied with requirements under these regulations for issuing of certificate, and that the subscriber listed in the certificate has accepted it;
38. (c) the subscriber identified in the certificate holds the private key corresponding to the public key listed in the certificate;
39. (d) the public key and private key of the subscriber constitute a functioning key pair;
40. (e) information in the certificate is accurate, unless the service provider has stated in the certificate or incorporated by reference in the certificate a statement that the accuracy of specified information is not confirmed; and
41. (f) the service provider has no knowledge of any material fact which if included in the certificate would adversely affect the reliability of the representations in paragraphs (a) to (d).

Recommended reliance limits

36. A certification service provider -
37. (a) must, in issuing a certificate to a subscriber, specify a recommended reliance limit in the certificate; and
38. (b) may specify different reliance limits in different certificates as it considers fit.

Limitation of liability for certification service provider

37. Subject to an agreement between a certification service provider and a subscriber, a certification service provider is not liable -
38. (a) for any loss caused by reliance on a false or forged electronic signature of a subscriber, if, with respect to the false or forged electronic signature, the certification service provider complied with the requirements of this act; or
39. (b) in excess of the amount specified in the certificate as its recommended reliance limit for either ̶
40. (i) a loss caused by reliance on a misrepresentation in the certificate of any fact that the certification service provider is required to confirm; or
41. (ii) failure to comply with requirements for issuance of the certificate and representations on issuance of the certificate.

Suspension of subscriber certificate

38. (1) A certification service provider may suspend a subscriber certificate ̶

• (a) on request by the subscriber listed in the certificate or a person duly authorised by that subscriber;
• (b) by court order; or
• (c) if there are reasonable grounds to believe that -
• (i) incorrect data has been entered in the certificate; or
• (ii) it is possible to use the private key corresponding to the public key contained in the certificate without the consent of the subscriber.
• (2) Where the private key corresponding to the public key listed in the subscriber certificate has been compromised, the subscriber must as soon as possible request the issuing certification service provider to suspend or revoke the certificate.

Notice of suspension

39. A certification service provider must, after the suspension of a certificate under regulation 38, publish a signed notice of the suspension in the repository.

Revocation of subscriber certificate

40. A certification service provider must revoke a subscriber certificate ̶
41. (a) on receiving a request for revocation by the subscriber listed in the certificate and confirming that the person requesting the revocation is the subscriber, or is an agent of the subscriber with authority to request the revocation;
42. (b) on receiving a certified copy of the death certificate of the subscriber, or on confirming by other evidence that the subscriber is dead; or
43. (c) on presentation of documents effecting a dissolution of the subscriber, or on confirming by other evidence that the subscriber has been dissolved or ceases to exist.

Revocation without consent of subscriber

41. (1) A death certificate must revoke a subscriber certificate, regardless of whether the subscriber listed in the certificate consents, where the certification service provider confirms that ̶
42. (a) a material fact represented in the certificate is false;
43. (b) the private key or trustworthy system of the certification service provider was compromised in a manner materially affecting the reliability of the certificate;
44. (c) an individual subscriber is dead; or
45. (d) a subscriber has been dissolved, wound up or otherwise ceases to exist.

• (2) The certification service provider must, where it revokes the subscriber certificate under subregulation (1), immediately notify the subscriber listed in the certificate.

Notice of revocation of subscriber certificates

42. (1) A certification service provider must, publish a signed notice of the revocation under regulation 40 or 41 in a repository specified in the subscriber certificate.

• (2) The certification service provider must, where one or more repositories are speci- fied, publish a signed notice of the revocation in all those repositories.

Publication of revocation list of subscriber certificates

43. (1) A certification service provider must maintain a revocation list of subscriber certificates.

• (2) A certification service provider that contravenes subregulation (1) commits an offence and is liable, on conviction, to a fine not exceeding N$50 000.

Management of records

44. (1) A certification service provider must keep securely all records relating to ̶

• (a) issuance, renewal, suspension and revocation of subscriber certificates, including the identity of any person requesting a subscriber certificate;

• (b) the process of generating key pairs by the subscribers and by itself;

• (c) the administration of its computing facilities; and

• (d) such other information as may be determined by the Authority.

• (2) A certification service provider may keep its records in paper- based form, electronic form or any other form and avail the records to the Authority in a manner the Authority requires.

• (3) A certification service provider must index, store, and preserve the records kept under subregulation (2) in a form that the records may be reproduced in an accurate, complete, legible manner and a manner accessible to the Authority or to any authorized person.

• (4) A certification service provider must retain -

• (a) a record of all the subscriber certificates it has issued and preserve them so that they are accessible;

• (b) all records required to be kept under subregulation (1); and

• (c) all the logs of the creation of the archive of certificates required under subregulation (3),

for a period of not less than seven years.

Obligations of subscribers for generating keypairs

45. (1) Where a subscriber wishes to generate a keypair whose public key is to be listed in a certificate and accepted by the subscriber, the subscriber must generate that key pair using a trustworthy system.

• (2) This regulation does not apply to a subscriber who generates the key pair using a system approved by a certification service provider.

Information system audit

46. (1) A certification service provider must conduct an information system audit annually and submit the audit report to the Authority.

• (2) Despite subsection (1), the Authority may require a certification service provider to conduct an information system audit as and when the Authority considers it necessary at the cost of the certification service provider.

Appeals against decisions of certification service providers

47. A person aggrieved with the decision of a certification service provider may appeal to the Authority within 14 days of receipt of the decision or notice of suspension or revocation.

ANNEXURE 1

COMMUNICATIONS AUTHORITY OF NAMIBIA (CRAN)

Electronic Transactions Act, 2019 (Act No. 4 of 2019)

Regulations Regarding Accreditation of Security Products

and Certification Service Providers, 2024

Application for Accreditation/Renewal As Certification Service Provider

(Section 42/Regulation 5)

The application form is for Certification Service Providers who desire to be accredited, recognised or renew their accreditation, under the Regulations Regarding Accreditation of Security Products and Services and Providers of such Products and Services ('Regulations') made under the Electronic Transactions Act. The applicants are required to comply with the Certification Service Standards (CSS) issued by the Communications Regulatory Authority of Namibia (CRAN)

1.1 Applicants Details

Company Name:

Physical Address:

Postal address:

Telephone:

Facsimile:

Mobile:

Email:

Form 1 (Continue)

1.2 Contact Person Details (Official Communication)

Name:

Designation:

Physical Address:

Postal Address:

National I.D / Passport No.

Telephone:

(Work) (Res)

Email Address

Facsimile:

Mobile:

Email:

• 1.3

• Company Registration: …………….. State whether company is:

Public Limited/ Private Limited

Owned by State/ Others (please specify):………………………………………………………

Main business activity

Company website (URL)

The following information should be attached:

• (a) Company registration certificate, where the applicant company is a subsidiary of another company, information about the parent and ultimate holding companies (the entire group structure) must be provided; and

• (b) A certified true copy of the applicant company's resolution(s):

• (i) to apply for accredited or recognition as Certification Service Provider, or (in the case of an accredited secure digital signature provider applying for renewal of its accreditation) for renewal of its accreditation; and

• (ii) to authorise, for the purpose of making this application on the applicant company's behalf, the person(s) making the application.

SECTION 1:

PARTICULARS OF THE APPLICANT

1.4 Ownership:

Provide names, addresses and contact details of Directors/ Board Members:

Name of Company/lndividual
Country of Incorporation/ Nationality
National I.D/Passport No. Company Registration Number
Physical Address
Postal Address
Share%

Name of Company/Individual
Country of Incorporation/Nationality
National I.D/Passport No. Company Registration Number
Physical Address
Postal Address
Share%

Please attach Shareholder Certificates

1.5 Management Structure

Provide the details of the key executive management

Name:	Name:
Designation:	Designation:
Physical Address:	Physical Address:
Postal Address:	Postal Address:
National I.D/Passport No.	National I.D/Passport No.
Telephone: (Work) (Res)	Telephone: (Work) (Res)
Facsimile:	Facsimile:
Mobile:	Mobile:
Email:	Email:

Provide the curriculum vitae for the key personnel. The applicant is required to provide contact details of the key personnel as per the Certification Service Standards.

Noame:	Name:
Designation:	Designation:
Physical Address:	Physical Address:
Postal Address:	Postal Address:
National I.D/Passport No:	National I.D/Passport No:
Telephone: (Work) (Res)	Telephone: (Work) (Res)

Form 1 (Continue)

Form 1 (Continue)

Email:

Email:

Facsimile:

Facsimile:

Mobile:

Mobile:

SECTION 2:

LEGAL PROCEEDINGS INFORMATION

• 3.1 Has the applicant ever been involved in any legal proceeding or dispute settlement in Namibia or elsewhere in its capacity as a Certification Service Provider?

Yes No

If the answer to the above question is 'yes', please furnish complete details (please attach a separate sheet if the space provided is inadequate).

...............................................................................................................................................................

...............................................................................................................................................................

...............................................................................................................................................................

...............................................................................................................................................................

Form 1 (Continue)

• 3.2 Has the applicant company or its substantial shareholder or any of their respective directors and key executives, or any of the trusted persons, ever been convicted of an offence for which the conviction involved a finding that it/he/she acted fraudulently or dishonestly?

Yes No

If the answer to the above question is 'yes', please furnish complete details (please attach a separate sheet if the space provided is inadequate).

SECTION 3: ACCOMPANYING DOCUMENTS

The Applicant should attach the following documents:

• (a) Full technical description of the advanced electronic signature system;

• (b) Certification Practice Statement of the applicant;

• (c) Standard subscriber agreement;

• (d) Audited report in accordance with Certification Service Standards Compliance Check-list issued

• (e) by the Authority;

• (f) Privacy/security policy;

• (g) Detail Business Plan covering the following:

• (i) Profit and loss accounts, balance sheets and cash flow statements, target market, business strategy. All assumptions used e.g. asset depreciation policies, subscriber projections, budget and annual increase/decrease in operating expenditure should be clearly explained;

• (i) Financial ratios including return on assets, return on equity, operating profit margin, net profit margin, current ratio, quick ratio and debt-equity ratio;

• (ii) All capital expenditure and working capital requirements for the preceding five years of operations;

• (iii) Source of Funding;

• (iv) Proposed fee structure for the advanced electronic signature;

• (v) Human Resource plan including the organisational chart, curriculum vitae of the key personnel;

• (g) Incident Management plans and Disaster Recovery Plan; and

• (h) Audited Financial Report for the previous two (2) years.

SECTION 4: DECLARATION

1. In applying to CRAN to operate as an accredited Certification Service Provider under the Electronic Transactions Act, 2019 and the Regulations, I declare that all the above information provided by the company is true and complete.
2. In the event that any of the information provided by the company is found to be false or misleading, the Authority reserves the right to take appropriate enforcement action against the company under the Act and the Regulations (including, without limitation, suspending and revocation of the accreditation of the company).

Applicant Name: ……………………………….....................………………..........

Name of Representative: ……………………………….....................………………

Signature: ……………………………….....................………………..........………

Designation: ……………………………….....................……………….................

Date: .……………………………….....................………………............................

Company Stamp: ……………………………….....................………………...........

Form 2

COMMUNICATIONS AUTHORITY OF NAMIBIA (CRAN)

Electronic Transactions Act, 2019 (Act No. 4 of 2019)

Regulations Regarding Accreditation of Security Products and Services and Providers of Such Products and Services, 2024

Certificate of Accreditation as Certification Service Provider

(Regulation 6)

Communications Regulatory Authority (CRAN), in the exercise of powers conferred upon it under section 42 of the Electronic Transactions Act, 2019 (No. 4 of 2019), hereby issues a

CERTIFICATE OF ACCREDITATION AS CERTIFICATION SERVICE PROVIDER

to………………………………………………………………………………………………………

Having its registered office at ……………………………………………………………………to offer certification service and manage and issue subscriber certificates and public keys to the potential subscribers for a period of five (5) years, subject to the provisions of the Electronic Transactions Act, 2019 (No. 4 of 2019) and the conditions in Annexure 1 attached hereto and such regulations and conditions as have been or may be imposed from time to time.

The Service Provider must at all times display the Certificate in a conspicuous place at the registered offices of the Service Provider.

Given under my Hand and Seal at .......................................this ..........day of ........................... 20.......

(Accreditation Mark)

………………………………….. (Signature)

Chief Executive Officer

ANNEXURE 2

COMMUNICATIONS AUTHORITY OF NAMIBIA (CRAN)

Electronic Transactions Act, 2019 (Act No. 4 of 2019)

Regulations regarding Accreditation of Security Products and Services and Providers of Such Products and Services, 2024

Requirements and Conditions for Electronic Signature Creation and Verification Devices, Qualifying Certificates, Service Providers and Key Personnel

(Regulation 13)

A. Requirements for Qualifying Signature Creation Devices

1. A qualifying signature creation device must, by appropriate technical and procedural means, ensure as a minimum that ̶
2. (a) the signature creation data used for signature generation can practically occur only once, and that their secrecy is reasonably assured;
3. (b) the signature creation data used for signature generation cannot, with reasonable assurance, be derived and the signature is protected against forgery using currently available technology; and
4. (c) the signature creation data used for signature generation can be reliably protected by the legitimate signatory' against use by others.
5. A qualifying signature creation device should not alter the date to be signed or prevent such data from being presented to the signer prior to the signature process.

B. Requirements for Qualifying Signature-Verification Devices

1. During the signature-verification process it must be ensured with reasonable certainty that ̶

• (a) the date used for verifying the signature corresponds to the data displayed to the verifier;
• (b) the signature is reliably verified and the result of that verification is correctly displayed;
• (a) the verifier can, as necessary, reliably establish the contents of the signed data;
• (b) the authenticity and validity of the certificate required at the time of signature verification are reliably verified;
• (c) the result of verification and the identity of the signatory are correctly displayed;
• (d) the use of a pseudonym is clearly indicated; and
• (e) any security-relevant changes can be detected.

C. Requirements for Qualifying Certificates

1. A qualifying certificate must contain -
2. (a) an indication that the certificate is issued as a qualifying certificate;
3. (b) the identification of the certification service provider and the jurisdiction in which it is established;
4. (c) the name of the signatory or pseudonym, which must be identified as such;
5. (d) provision for a specific attribute of the subscriber, if relevant, depending on the purpose for which the certificate is intended;
6. (e) signature verification data which corresponds to signature creation data under the control of the signer;
7. (f) an indication of the beginning and end of the period of validity of the certificate;
8. (g) the identity code of the certificate;
9. (f) the advanced electronic signature of the certification service provider issuing it;
10. (i) limitations on the scope of use of the certificate, if applicable; and
11. (j) limits on the value of transaction for which the certificate can be used, if applicable.

D. Requirements for Qualifying Certification Service Providers

A certification service provider must ̶

• (a) be a fit and proper person to the satisfaction of the Communications Regulatory Authority;

• (b) demonstrate the reliability and expertise necessary for providing certification services;

• (c) demonstrate adherence or the ability to adhere to these Regulations;

• (d) ensure the operation of a prompt and secure directory and a secure and immediate revocation service;

• (e) ensure that the date and time when a certificate is issued or revoked can be determined precisely;

• (f) verify, by appropriate means, the identity and, if applicable, any specific attributes of the person to whom a certificate is issued;

• (g) use trustworthy systems and products which are protected against modification and ensure the technical and cryptographic security of the process supported by them;

• (h) take measures against forgery of certificates, and in cases where the certification service provider generates signature creation data, guarantee confidentiality during the process of generating such data;

• (i) maintain sufficient financial resources to operate in conformity with the requirements laid down in the Act, and these Regulations, in particular to bear the risk of liability for damages, for example, by obtaining appropriate insurance;

• (j) not store or copy signature creation data of the person to whom the certification service provider provided key management services;

• (k) before entering into a contractual relationship with a person seeking a certificate to support his or her electronic signature, inform that person by means of communication of the precise terms and conditions regarding the use of the certificate, including any limitations on its use and procedures for complaints and dispute settlement. Such information, which may be transmitted electronically, must be in writing. Relevant parts of this information must also be made available on request to third-parties relying on the certificate; and

• (l) use trustworthy systems to store certificates in a verifiable form so that ̶

• (i) only authorised persons can make entries and changes;

• (ii) information can be checked for authenticity;

• (iii) certificates are publicly available for retrieval in only those cases for which the consent the consent of the certificate holder has been obtained; and

• (iv) any technical changes compromising these security requirements are apparent to the operator.

E. Requirements for Key Personnel of Qualifying Certification Service Providers

1. A certification-service-provider must ensure that its key personnel -

2. (a) are fit and proper persons to carry out the duties assigned to them; and

3. (b) have not within a period of ten (10) years preceding their employment been convicted, whether in Namibia or elsewhere, of ̶

4. (i) an offence involving fraud or dishonesty; or

5. (ii) an offence under the Act or these Regulations.

6. Key personnel must possess the relevant expert knowledge, experience, and qualifications necessary for the services provided, expertise in electronics signature technology and familiarity with prior security procedures, they must also apply administration and management procedures which are adequate and correspond to recognised certification service standards and must possess knowledge of the Act and these Regulations.

Signed at……………………………. on this.……..day of……..………………….20……

………………………………….. (Signature)

Chief Executive Officer

ANNEXURE 3

COMMUNICATIONS AUTHORITY OF NAMIBIA (CRAN)

Electronic Transactions Act, 2019 (Act No. 4 of 2019)

Regulations Regarding Accreditation of Security Products and Services and Providers of Such Products and Services, 2024

Fees Payable under the Regulations

(Regulations 5, 6, 7, 8, 9 and 13)

Item	Description of Item	Fees in NAD (N$)
1	Application for Accreditation as Certification Service Provider	20 000
2	Certificate of Accreditation	30 000
3	Application for Renewal of Certificate of Accreditation	20 000
4	Renewal of Certificate of Accreditation	30 000
5	Application for Amendment of Accreditation (Certificate, Terms or Conditions)	20 000
6	Amendment of Accreditation (Certificate, Terms or Conditions)	30 000
7	Application for Transfer of Certificate of Accreditation	20 000
8	Transfer of Certificate of Accreditation	30 000

________________