Understanding OAIS Compliant Archiving
Managing and preserving data for long-term access becomes crucial in the information age, where vast amounts of data are created daily. Understanding and implementing the Open Archival Information System (OAIS) and compliant archiving is fundamental in heavily regulated sectors. In this article, we will discuss the OAIS model, the importance of Archival Information Packages (AIP) in maintaining OAIS-compliant archives, and general archival information pertinent to ensuring the longevity and accessibility of digital records.

What is OAIS?

This International Standard establishes the reference model for an open archival information system (OAIS), defining it as an organisation dedicated to preserving information for a specified community. It emphasises collaboration in standard development but doesn’t imply unrestricted access. The Standard provides a framework for understanding archival concepts, enables non-archival organisations to engage in preservation, facilitates comparisons of archive architectures, and guides the development of Long-Term Preservation strategies. It also supports consensus on digital information preservation, encourages a larger market, and directs the creation of OAIS-related standards. Detailed scope and application information is available in subclauses 1.1 and 1.2 of the accompanying CCSDS publication.

The OAIS Model

The OAIS model outlines several key concepts and roles. It broadly defines ‘archival information’, including data preserved by the archive and the metadata necessary to understand the data (context and structure). At its core, the OAIS model lays out six primary responsibilities.

The Ingest Functional Entity, labelled ‘Ingest,’ manages the acceptance of Submission Information Packages (SIPs) from Producers, conducts quality assurance, and creates Archival Information Packages (AIPs) adhering to the Archive’s standards. Its functions ensure the seamless preparation and storage of content within the Archive.

The Archival Storage Functional Entity, identified as ‘Archival Storage,’ is responsible for storing, maintaining, and retrieving Archival Information Packages (AIPs). Its functions encompass receiving AIPs from Ingest, adding them to permanent storage, managing the storage hierarchy, refreshing storage media, conducting error checks, ensuring disaster recovery, and delivering AIPs for Access orders.

The Data Management Functional Entity, denoted as ‘Data Management,’ is responsible for populating, maintaining, and accessing Descriptive Information and administrative data within the Archive. Its functions encompass administering the Archive database, performing updates, executing queries, and generating reports from the data management data.

The Administration Functional Entity, labelled ‘Administration,’ manages the overall operation of the Archive system, including negotiating submission agreements, auditing submissions, maintaining system configuration, conducting engineering for improvement, monitoring inventory, and providing customer support. It is also responsible for establishing and maintaining Archive standards and policies.

The Preservation Planning Functional Entity, labelled ‘Preservation Planning,’ safeguards long-term accessibility and comprehension of OAIS-stored information. Its functions include evaluating Archive contents, recommending updates and migrations, developing standards, providing risk analysis reports, monitoring technology changes, and designing Information Package templates. Additionally, it contributes to the Administration’s migration goals through detailed plans and prototypes.

The Access Functional Entity, identified as ‘Access,’ facilitates Consumers in discovering, describing, locating, and accessing information within the OAIS. Its functions include receiving and processing Consumer requests, implementing access controls, coordinating request execution, generating responses such as Dissemination Information Packages, query responses, and reports, and delivering these responses to Consumers.

By fulfilling these responsibilities, an organisation can be considered OAIS compliant. Such compliance indicates to stakeholders that the organisation has a robust system for reliably preserving digital information.

Why You Need an AIP to Have an OAIS-Compliant Archive

Key to the OAIS model is the concept of the Archival Information Package (AIP). An AIP is a compilation of a data object, its descriptive metadata, and any other materials necessary to preserve its information content sustainably. It encapsulates everything needed to manage, reference, and understand the dataset. The importance of AIPs in OAIS-compliant archiving can’t be overstressed; they form the backbone of the archiving system, ensuring that data remains authentic, reliable, and usable.

What OAIS (With AIP) Compliant Means

Being OAIS compliant means adhering to standards for how data and metadata are packaged and maintained. The compliance ensures that the data is stored in a consistent, sustainable format that future technologies can access and understand. This involves documenting the data’s provenance, creation methods, and change history, among other critical metadata.

General Archival Information

Apart from understanding the OAIS model and the significance of AIPs, grasping additional archival information is essential for professionals responsible for digital preservation. This extra information is critical for the following points:

Sustainability and Scalability: The archive system must grow and adapt to technological changes without compromising the integrity of the stored data.

Legal and Ethical Considerations: Archivists must comply with copyright, privacy laws, and ethical data usage and access standards.

Preservation Methods: It is critical to be familiar with various preservation strategies, such as using trusted digital repositories, periodic media refreshments, and technology migration.

Conclusion

Being versed in OAIS-compliant archiving is paramount to ensuring the long-term preservation and accessibility of digital information. By leveraging the OAIS model and solidifying OAIS-compliant archives, data managers and archivists can safeguard the information’s lifespan amid ever-evolving technological landscapes. OAIS compliance is a technical achievement and a commitment to preserving the past and ensuring the future’s intellectual heritage.

Remember:

Understand and implement the OAIS model to ensure data preservation.

Ensure OAIS compliance for long-term data integrity and accessibility.

Keep up with general archival information to remain compliant with evolving standards.

By arming your archival practices with OAIS compliance, you are taking a significant step towards responsible and sustainable data management.
eIDAS 2.0: Upcoming Changes to Digital ID
In November 2023, the Council of the European Union and European Parliament formalized a provisional agreement on how to update and modify the Electronic Identification, Authentication, and Trust Services (eIDAS) Regulation. Known colloquially as eIDAS 2.0, the new agreement paves the way for a comprehensive framework for European digital identity (eID). Once approved and enacted, these changes will extensively affect all EU citizens, residents, and businesses. Continue reading to learn more and find out how eIDAS 2.0 will affect individuals and businesses alike.

Background: What is eIDAS?

The proposed legislation amends the eIDAS regulation on the EU’s internal market, which was approved in 2014 and put in place incrementally between 2016 and 2018. This comprehensive regulation seeks to ensure safety in accessing public services and carrying out online transactions across EU borders. Until now, eIDAS has effectively overseen not only electronic archives and digital vaults, but also how trust service providers deliver electronic identification, electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services (ERDS), electronic documents, and website authentication certificates. These foundational instruments are essential for smoothly conducting secure electronic transactions.

However, in June of 2021, the EU Commission decided to confront new technological challenges to online safety, and the Council began serious discussions about meeting these challenges in order to modernize the EU’s existing regulations, thereby improving the trust, security, and convenience of online dealings for all EU citizens.

Changes

Although the original eIDAS regulation applied to e-signatures, electronic seals, and electronic timestamps, as well as digital vaults and electronic archives, the updated eIDAS 2.0 will include e-registered delivery services, e-certificates for authentication, and electronic seals for electronic documents. In essence, it will oversee cross-border digital services such as authenticating and identifying individuals and websites. Additionally, it will reinforce security and privacy for electronic identities and trusted services by establishing a framework that will facilitate the creation of digital identities by means of European digital identity wallets. These identity wallets will enable individuals and businesses to create and use digital identities without any need for mandatory government verification. What is more, both digital identities and trust services will be enhanced by streamlining the interoperability structure of the member states’ national systems.

Current and Updated Trust Services That Companies Need

Some of the proposals from 2021 made the final cut, while others failed to survive scrutiny. Those that most profoundly affect EU individuals and organizations are the following.

The European Digital Identity Wallet

The approved proposal agreement requires member states to issue a European digital identity wallet (eID), which will technically cover what the regulation refers to, a bit clumsily, as “electronic attestations of attributes”. Simply put, eID will store digital ID and biometric documents like mobile driver’s licences, diplomas, professional certifications, and documents for travel, healthcare, and banking.

Electronic Archiving Services

Digital vaults and the electronic archiving of electronic documents will be modernized by introducing the concept of “qualified electronic archiving services”, which aim to ensure that all electronic data and documents are created or maintained by a qualified trust service provider. Furthermore, the integrity and accuracy of their origin and legal features will be preserved throughout the conservation period. Finally, the new proposal mandates accurate recording of the date and time of the archiving process. To guarantee that the security and authenticity of electronic archiving will remain current with the evolving digital landscape, the proposal promotes using the digital identity wallet to establish trusted digital identities, which will be based on common technical standards adopted across the European Union.

Electronic Signatures and Seals

To ensure consistent certification practices across the EU, the proposal recommends additional Commission guidelines on certifying and recertifying qualified creation devices for signatures and seals. Furthermore, the proposal calls for cross-border recognition of qualified electronic signatures and seals. Currently, three types of eSignatures are included in eIDAS (Simple, Advanced, and Qualified). Qualified Electronic Signatures are as legally valid as handwritten signatures on paper, and they require certification by a Qualified Trust Service Provider (QTSP). QTSPs are subject to the most rigorous EU requirements and must undergo regular audits that guarantee their adherence to regulation standards. Finally, eIDAS introduces provisions for using electronic seals, which authenticate electronic documents with the same authority as traditional seals that authenticate the origin and integrity of official documents.

Electronic Time Stamps

Binding electronic data to other electronic data provides evidence of the time at which the data existed. As with electronic signatures and seals, eIDAS 2.0 calls for cross-border recognition of the time stamps issued by each member state.

Electronic Registered Delivery Services

This trust service provides evidence that electronic data has been sent and received, thus offering assurance similar to registered mail in a traditional postal system. eIDAS 2.0 guarantees cross-border interoperability between qualified electronic registered delivery services.

Website Authentication Services

Falling under the rubric of a “qualified trust service”, website authentication links a website to the natural or legal person holding the certificate, thus ensuring that users can trust the website identity they are interacting with. Currently, websites are authenticated by root certificates controlled by certificate authorities. Article 45 of the new eIDAS 2.0 proposal will allow member states to insert new root certificates at their discretion. However, this has been highly criticized by cybersecurity experts and it remains to be seen whether or not these changes will ultimately be enacted into law.

The Doubt about Electronic Ledgers

At first, the ITRE Committee adopted a version of the eIDAS 2 proposal that excludes the Section on Electronic Ledgers as a regulated trust service. This was deeply concerning as electronic ledgers play a significant role in trust services nowadays. The initial reason for excluding electronic ledgers was purely to maintain technological neutrality. In fact, the committee overlooked that electronic ledgers are inherently neutral, representing a generic category rather than a specific implementation.

You might be wondering what they are meant for. Electronic ledgers are secure and transparent databases that
eIDAS: Promoting Interoperability and Security Across the EU
Considering all the business happening within and throughout Europe, secure electronic transactions across borders are essential. This is where eIDAS (Electronic Identification, Authentication, and Trust Services) comes in. The eIDAS Regulation was adopted by the European Union (EU) to promote interoperability among the 27 member states. Its main aim is to ensure cross-border recognition of electronic identification schemes while providing high trust and security in electronic transactions. We’ll discuss why eIDAS was created and how it benefits businesses and consumers.

Why was eIDAS Created?

eIDAS results from a growing demand for secure, cross-border electronic transactions. The initiative was created to ensure that all other member states recognise the electronic identification schemes of EU member states. This means that a business in one EU country can now authenticate its customers using its national electronic identification system, and other EU countries will recognise this authentication. As a result, eIDAS has increased trust, security, and interoperability between countries, making it easier and more efficient for businesses to carry out transactions in other member states.

Implementing eIDAS Standards

Implementing eIDAS standards can be a complex and time-consuming task. If your organization has yet to gain experience with electronic identification, you must learn about the regulation’s requirements, the different types of electronic identification available, and the technological infrastructure needed to support them. However, third-party providers have already undergone the certification process and have the necessary infrastructure and expertise to start working immediately. This means that by using a third-party provider, your company can save time and resources and focus on your core business.

Lower Costs

Implementing eIDAS standards requires a significant investment in technological infrastructure, including the hardware and software necessary to support electronic identification and trust services. The certification process can also be costly, requiring external auditors to evaluate your organization’s compliance with the regulation’s requirements. However, third-party providers have already made that investment, and you can take advantage of their existing infrastructure without bearing the costs of implementing everything in-house.

Lower Risk

Implementing eIDAS standards can be risky, particularly if you lack the expertise to comply fully with the regulation’s requirements. Failing to comply with eIDAS standards can expose your organization to data breaches, legal liability, and reputational damage. However, using a third-party provider with experience and certification in electronic identification and trust services can lower this risk. These providers are subject to regular audits, ensuring they are always up to date with the latest requirements and adhere to the best security and data protection practices.

More Options

Many types of electronic identification are available, from simple username and password combinations to biometric authentication such as fingerprint or face recognition. However, implementing eIDAS standards in-house may limit your options regarding the types of electronic identification you can use. Third-party providers, on the other hand, have a broader range of electronic identification and trust services available. This means you can choose the options that best suit your organization’s needs without investing in them upfront.

eIDAS certification – Advanced and Qualified

To implement the eIDAS standards within your organization, you must ask for or work with a third-party provider who has received the advanced or qualified certification. Trusted Lists hold details about providers of certificates for electronic signatures; providers of qualified certificates are compulsory entries. Each Member State oversees and releases these lists, and users can explore them through the Trusted List Browser. We’ll break down the differences between advanced and qualified so you can compare.

1. Advanced Electronic Signature

The certificate for an advanced electronic signature may or may not be qualified. The private key related to the certificate does not have to be stored on a qualified electronic signature creation device (QSCD). Advanced electronic signatures can be created using Trust Service Providers (TSP) certificates.

2. Qualified Electronic Signature

A qualified electronic signature requires a qualified certificate. The private key related to the qualified certificate must be stored on a ‘qualified electronic signature creation device’ (QSCD). According to eIDAS Regulation, a qualified electronic signature explicitly holds the equivalent legal effect of a handwritten signature. Providers of qualified certificates for electronic signatures are mandatorily listed in the corresponding national Trusted List, as per eIDAS legal obligations.

eIDAS in Europe

The implementation of eIDAS has brought many benefits to businesses, such as reduced administrative burden and more efficient business processes. For instance, a business can now electronically sign contracts with other businesses, consumers or public administration without physical documents. This has led to a significant reduction in costs, increased profits, and safer electronic transactions, which have led to greater consumer trust and a larger potential consumer base.

Another benefit of eIDAS is the availability of trusted services validated and approved by a member state supervisor. These services include electronic signatures, seals, time-stamping, and website authentication. eIDAS ensures that these trusted services comply with the regulation’s requirements, providing high security and reliability to businesses and consumers all over Europe. Service providers who comply with the eIDAS regulation can offer their trust services cross-border, eliminating the need for businesses to sign multiple contracts to operate in different countries.

eIDAS also protects the privacy of EU citizens who participate in cross-border transactions. The regulation sets strict rules on how personal data is handled and processed, ensuring citizens’ rights are respected and protected across the EU. The regulation provides transparency and control over the use of personal data, giving citizens confidence in the security and safety of their information.

Rules of E-Signature in Business Deals Outside Europe

The E-Sign Act applies to all business dealings outside of Europe and requires that the consumer provides their consent before any electronic communication or transaction. The consent must be in writing and meet specific requirements, such as the consumer being informed of any right or option to have the record provided or made available on paper or in a non-electronic form. The right to withdraw consent, including any conditions, consequences, and fees in the event of such withdrawal, must
Start your digital archiving strategy here [Whitepaper]
A digital archiving strategy is used to store, organize, manage, protect, and share a company’s digital documents, with rules defined by the business itself. It is an essential alternative to keep all digitized data in order, available, and accessible according to access control specifications. This service has become indispensable nowadays because of the sheer volume of digital documents, data, images, etc. To take advantage of all the benefits of this service, it is essential to implement some specific best practices that require special attention. With that in mind, we have created a list with the main points of attention to take care of your digital archive in the most practical and efficient way possible. Check it out!

Why rely on a digital archive in your business?

The continuous updates of IT systems and the continuous adoption of new technology are points that motivate the use of such a service. However, having an archive is even more interesting thanks to the benefits obtained. Here’s why it’s worth resorting to this type of system!

How to improve your Digital Archiving Strategy in 3 Steps?

1. Use your archiving solution for as many purposes as possible

A good archiving solution can be used for several use cases, and not just for archiving documents. Instead of being a cost, e.g. purely for compliance reasons, it will allow you to have a positive ROI and help you realize perpetual cost savings. A good archiving solution can be used for:

Archiving customer correspondence (e.g. MiFID II compliance)

Archiving documents for compliance reasons, e.g. managing retention periods

Decommissioning or retiring applications of which you need to keep the documents and data for compliance reasons (and offering a view on that information)

Long-Term preservation of signatures and seals

2. Invest in a cloud solution

Your archiving solution will in many cases be used for safeguarding your company’s vital records (and if you aren’t doing it, you should be thinking of at least having a copy of your vital records in the archiving solution). Consequently, it’s not a good idea to have that solution in the same location or data center as your operational systems. In case of a calamity, your company’s vital records will be safe if they are stored in a cloud archiving solution. Also, the security of cloud providers outranks the security that most companies can implement.

3. Keep your solution “in shape”

Your archiving solution should evolve with the needs of your user group, i.e. the data should be exposed via the proper channels and displayed in line with the requirements of your users.

Bonus Tip: Use a Trusted Digital Archiving Solution

Docbyte is an ideal solution for your business to have a robust and fully protected digital archive. The various modules cover everything from the need for digitization, ingest, classification, preservation, signatures validation, etc. to the performance of audits. As a result, this is an efficient, safe, and highly strategic archiving solution.

In today’s business environment, digital is everywhere; digital communication through email or (enterprise) social networks is increasing, financial solutions are more and more digitized, and medical patient files are digitized and accessible to all professionals and patients. This results in an increasing amount of digital information and documents that need to be managed. To manage these new corporate assets, companies usually rely on document management and EIM systems, or other platforms. However, the legal value of the information is still at risk and forces companies to keep the paper burden.

Discover the key principles and opportunities of eIDAS and read about the qualified archiving requirements in the free whitepaper below: