Yesterday Albert and I discussed the first part of Regulation 22 (paras 1-12) and we will now be dealing with the second half of it (13-21). There was plenty to say about those first paragraphs, so I recommend reading through those before today's entry. In this second half we will go into the nitty-gritty details of communications between contracting authorities and economic operators and how they should be organised.
Use of tools and devices not generally available (paras 13-15)
As mentioned yesterday, although the general rule of Regulation 22 is that general purpose communications tools and devices should be used (and in my view that also includes file formats), there may be situations where it is necessary for the contracting authority not to do so. The caveat is that an alternative means of access is provided to economic operators. For example, if the contracting authority wants a particularly safe means of communication to be used (one that is not widespread) it will need to provide the economic operators with the tool free of charge. Let's say the contracting authority demands a certain encryption standard like PGP to be used. It needs to offer economic operators free access to that tool, provide "online tokens" for free or allow for alternative channels of electronic communication to be used. I think particularly the third exception defeats the purpose of using strong encryption in the first place...
Thinking of an opposite scenario, ie when the contracting authority is stuck in the dark ages of technology and wants suppliers to use Internet Explorer 6 (or a similar old, obsolete, insecure browser), it has to supply alternative means of communication to economic operators, such as modern cross-compatible browsers like Chrome or Firefox, which effectively will force it to upgrade its systems nonetheless.
Technical etc requirements for tools and devices (paras 16-17)
Regulation 22 includes a detailed list of technical requirements for the tools and devices that can be used for communications. The overarching comment is that electronic communications mean a lot more than just email. Furthermore, email (in its regular guise) will simply not comply with most of the requirements set out in these paragraphs (ie, restricted access, time-stamping and encryption, electronic signatures). Thankfully there are plenty of platform services on the market that will take care of these requirements on behalf of contracting authorities. However, the requirement of free access for the market means that such platforms are precluded from charging economic operators, at least for what relates to actual tendering (if they bundle extra services, that is a different matter).
As for "etc" as good lawmaking practice, well, that is something that only the lawmaker can explain, as it was not included in Article 22 of Directive 2014/24/EU.
Security requirements (paras 18-19)
Paragraph 18 forces the contracting authority to make a risk assessment regarding the procedure and decide if "advanced electronic signatures" are necessary or not, with paragraph 19 establishing the test.
I would argue that in this day and age of easy, accessible hacking, end-to-end encryption AND "advanced electronic signatures" should be mandatory. Any public procurement communication without them should fail each and every risk assessment, although I do not see the point of having the assessment in the first place. All unencrypted communications immediately trip the risk of confidential information from tenderers leaking out.
Electronic signatures (paras 20-21)
The final section of Regulation 22 establishes the rules for electronic signatures, namely the need to comply with certain standards set out in Article 1(2) of Commission Decision 2011/130/EU and how contracting authorities must ensure economic operators can generate the certificates that constitute the electronic signatures.