ISSUED BY | CONSOLIDATED UP TO |
---|---|
Royal Decree 69/2008 | Royal Decree 6/2022 |
Chapter One
Definitions and General Provisions
Article 1
In the application of the provisions of this law, the following words and phrases have the meaning assigned to each of them, unless the context requires otherwise:
Government: The units of the administrative apparatus of the state and their equivalent.
Minister: The Minister of National Economy.
Competent authority: The Information Technology Authority.
Electronic transaction: Any procedure or contract concluded or executed wholly or partially using electronic messages.
Electronic: Any means relating to modern technology and having electrical, digital, magnetic, wireless, optical, electromagnetic, optic, or any similar capabilities.
Electronic message: Electronic information sent using electronic means irrespective of the means of retrieval at the place at which it is received.
Electronic communication: Sending and receiving electronic messages.
Electronic record: A contract, record, or information message generated, stored, retrieved, copied, sent, communicated, or received using electronic means on a tangible medium or any other medium and is retrievable in a perceivable form.
Electronic information: Information or data exchanged electronically in the form of text, codes, sounds, shapes, images, maps, computer software, or other databases.
Exchange of electronic data: Transfer of information from one person to another using an agreed upon standard to structure the information.
Automated electronic intermediary: An electronic programme or system for a computer or any other electronic means used for the purpose of executing an action or responding to an action for the purpose of generating, sending, or receiving an information message without the involvement of a natural person.
Computer programme: A collection of electronic information or instructions used directly or indirectly in an electronic information processing system for the purpose of obtaining specific outcomes.
Network intermediary: A natural or legal person who, on behalf of another person, sends, receives, adopts, or retains an electronic transaction or performs services relating to such transaction.
Information processing system: An electronic system for handling information and data by carrying out automated processing of them for creating, sending, receiving, storing, displaying, programming, or analysing such information and data.
Originator: Any person who sends an electronic message, or on whose behalf one is sent based on a valid authorisation.
Addressee: The natural or legal person who is intended by the originator of the electronic message to have his message sent to.
Signatory: The person that holds, from the competent authority, his own electronic signature creation tool, and signs on his own behalf or on behalf of a person that has authorised him or a person he represents.
Signature creation tool: A tool used to create an electronic signature such as a pre-defined programming or an electronic device.
Electronic signature: The signature on an electronic message or transaction in the form of letters, numbers, codes, signs, or others, and that has a unique character capable of identifying the signatory and distinguishing him from others.
Authentication procedures: Procedures intended to verify that an electronic message originates from a specific person and to detect any error or modification in the contents, in sending, or in storing an electronic message or an electronic record within a specific period of time. This includes any procedure that uses algorithms, codes, words, identification numbers, encryption; procedures for reply or acknowledgement of receipt; and other similar information protection means.
Certification service provider: Any person or entity approved or licensed to issue electronic certificates or any other services relating to them and to electronic signatures.
Certificate: An electronic certificate issued by the certification service provider confirming the link between a signatory and the data of an electronic signature.
Relying party: A person who acts relying on a certificate or an electronic signature.
Processing personal data: Any procedure or a group of procedures performed on personal data using automated and other means, or its collection, recording, organising, storage, alteration, adaptation, retrieval, consultation, or disclosure by transmission, dissemination, or otherwise making it available, aligning it, combining it, blocking it, erasing it, or cancelling it.
Encryption: The process of converting simple text, a text document, or an electronic message into unknown or scattered codes that are impossible to read or understand without restoring it to its original form.
Article 2
This law aims to:
1. Facilitate electronic transactions through reliable electronic messages or records.
2. Remove any obstacles or challenges facing electronic transactions resulting from uncertainty regarding the requirements of writing and signature, and promote the development of the legal infrastructure for implementing electronic transactions in a guaranteed manner.
3. Facilitate the transmission of electronic documents and subsequent amendments.
4. Reduce incidents of the forgery of electronic communications and subsequent amendments as well as the opportunities for fraud in electronic transactions.
5. Establish unified principles for the rules, regulations, and standards relating to the authentication and integrity of electronic communications and records.
6. Promote public confidence in the integrity and validity of electronic transactions, communications, and records.
7. Develop electronic transactions at the national, Gulf, and Arab levels through the use of electronic signature.
Article 3
The provisions of this law apply to electronic transactions, records, and signatures, and it also applies to any electronic information message.
This law does not apply to the following:
(a) Transactions and matters relating to the Personal Status Law such as marriage, divorce, bequests, and gifts.
(b) Court procedures, judicial service of documents, summon orders, search orders, arrest orders, and court judgments.
(c) Any document required by law to be attested by the Public Notary.
Article 4
1. The provisions of this law apply to transactions conducted between parties who agree to conduct their transactions by electronic means. It is permitted to infer the consent of a person from his conduct. In regard to the government, its consent to electronic transactions must be explicit.
2. Parties involved in the creation, transmission, receipt, storage, or processing of electronic records may agree to transact in a manner that is different from the rules provided in chapters two to four of this law.
3. Any agreement between the parties to conclude a specific transaction by electronic means shall not be binding to any of them in regard to the conclusion of other transactions by the same means.
Article 5
The competent authority shall establish, operate, and develop the electronic payment gateway, and shall specify its working system in coordination with the Central Bank of Oman.[1]
Article 6
The network intermediary and the certification service provider shall each provide, at its own expense, all the technical components such as devices, equipment, systems, and programmes that enable security entities to access its system in realisation of the requirements of national security, provided that providing the service coincides with providing the technical components required taking into account technical advancements. The Ministry of Finance shall provide all connection requirements to link the devices used by security entities to realise the objectives of national security with the systems used by each of the network intermediary and the certification service provider in accordance with what the National Security Council decides. Each of the network intermediary and the certification service provider shall, in the case of changing their systems, bear the costs for updating and connecting the devices used by these entities that are affected by the change, as stipulated by the decisions issued by the competent authority and applicable laws.
Chapter Two
Legal Effects Resulting from Electronic Messages and the Requirements of Electronic Transactions
Article 7
The electronic message has legal effect and is deemed valid and enforceable in the same manner as a written document if the conditions stipulated in this law and the regulations and decisions issued in the implementation of its provisions are taken into account in its creation and adoption.
Article 8
1. Where any law requires the retention of a document, record, information, or data for any reason, this is met by the retention of the document, record, information, or data in an electronic form, if the following conditions are observed:
(a) The document, record, information, or data is retained electronically in the format in which it was originally generated, sent, or received, or in a format which can be demonstrated to represent accurately the document, record, information, or data originally generated, sent, or received.
(b) The document, record, information, or data is preserved in a manner that allows it to be accessible, usable, and subsequently referenced.
(c) The document, record, information, or data is retained in a manner that enables the identification of the origin and destination of the electronic message, and the date and time when it was sent or received.
2. Nothing in this article affects the following:
(a) Any other law that explicitly stipulates retaining the document, record, information, or data in an electronic format in accordance with a specific electronic system, by following specific procedures or by retaining or sending it by a specific electronic intermediary.
(b) Any additional requirements that the government prescribes for retaining electronic records subject to its competence.
Article 9
If the law requires writing any document, record, transaction, information, or statement, or provides specific consequences if this does not take place, providing any of them in an electronic form meets the condition of writing if the conditions stipulated in the previous paragraph are observed.
Article 10
If the law requires submitting the original message, record, or document, or provides specific consequences if this is not complied with, the electronic message, electronic record, or electronic document is deemed original if a mechanism is used that permits presenting the information desired to be submitted in a perceivable form and provides a reliable assurance as to the integrity of the information provided in any of this.
Article 11
1. In implementing the rules of evidence in any legal proceedings, the fact that the electronic message is not provided in its original form shall not preclude its admissibility, if the message is the best reasonably acceptable evidence obtainable by the person submitting it.
This message shall be given due evidential weight, taking into account the following:
(a) The extent of the reliability of the manner in which one or more of the execution, entry, generation, processing, storing, submission, or communication processes have been carried out.
(b) The extent of the reliability of the manner in which the integrity of the information has been maintained.
(c) The extent of the reliability of the source of the information if known.
(d) The extent of the reliability of the manner in which the identity of the originator is verified, if relevant.
(e) Any other relevant factor.
2. Unless the contrary is proved, the electronic signature is deemed protected if it satisfies the conditions provided in article 22 of this law, and that it is intended to sign or authenticate the electronic message on which it is placed or to which it relates, that it has not changed since being originated, and that this signature is reliable.
Chapter Three
Electronic Transactions and the Conclusion of Contracts
Article 12
1. For the purposes of contracting, it is permitted to express offer and acceptance using electronic messages, and such expression is deemed binding on all parties when made in accordance with the provisions of this law.
2. The contract does not lose its validity or enforceability merely because it is concluded using one or more electronic messages.
Article 13
1. It is permitted for a contract to be concluded between automated electronic intermediaries encompassing two or more electronic information systems which are prepared and pre-programmed to carry out such tasks. The contract shall be valid and effective notwithstanding the lack of personal or direct intervention of any natural person in the process of concluding the contract.
2. It is permitted to conclude a contract between an automated information system, owned by a natural or legal person, and a natural or legal person if the latter knows or should have known that such system would undertake the task of concluding the contract.
The electronic contract shall have the same legal effect relating to contracts concluded by ordinary means with respect to proof, validity, enforceability, and other provisions.
Article 14
Liability of Network Intermediary:
1. The network intermediary shall not be held accountable for civil or criminal matters in regard to any information provided in the form of electronic records—relating to others—if the network intermediary is not the source of such information, and his role is limited to merely providing access to it, and this if the liability is established on the basis of:
(a) Creating, publishing, transmitting, or disseminating this information or any data contained in it.
(b) Infringing any right relating to such information.
2. The following is required for the network intermediary to be absolved of liability in accordance with the provisions of this article:
(a) He must not know of any facts or circumstances that may indicate in the ordinary course of matters the existence of civil or criminal liability.
(b) He immediately undertakes—in the case of his knowledge of the foregoing—removing the information from any information system under his control, and suspending the ability to access or display such information.
3. This article does not impose on the network intermediary any legal obligation relating to the surveillance of any information provided in the form of electronic networks relating to others if his role is limited to merely providing access to such records.
4. The provisions of this article do not prejudice the following:
(a) Any obligations arising from any contract.
(b) Obligations imposed by any legislation relating to providing telecommunication services.
(c) Obligations imposed by any other legislation or an enforceable court judgement relating to limiting, preventing, or removing any information provided in the form of electronic records or preventing access to them.
5. In the implementation of the provisions of this article, providing access to any information relating to others means making available the technical means that enable access to the information provided in the form of electronic records relating to others, transmitting them, or merely improving the effectiveness of the transmission. This includes automatic, transient, or temporary storage of such information for the purpose of access. In the application of this article, "others" means any person that the network intermediary does not have actual control over.
Article 15
1. An electronic message is deemed issued by the originator in the following cases:
(a) If the originator is the one who issued it himself.
(b) As between the originator and the addressee, an electronic message is deemed issued by the originator if it is sent by:
(i) A person who has authority to act on behalf of the originator in respect of the relevant electronic message.
(ii) If it is sent in accordance with an automated information system programmed by the originator, or on his behalf, to operate automatically.
2. The addressee may regard that the electronic message is issued by the originator and act on the basis of this assumption in the following cases:
(a) If the addressee properly applied a procedure previously agreed to by the originator to ascertain whether the electronic message was issued by the originator.
(b) If the electronic message as received by the addressee resulted from the actions of a person whose relationship with the originator or with any agent of the originator enabled that person to legitimately gain access to a method used by the originator to identify that the electronic message belongs to him.
This clause does not apply as of:
1. The time when the addressee has received notice from the originator that the electronic message is not issued by him, and the addressee had reasonable time to act accordingly.
2. The time when the addressee knew or should have known, had he exercised reasonable care or used any agreed procedure, that the electronic message was not from the originator.
This clause does not apply if it is unacceptable for the addressee to regard that the electronic message is of the originator or acts on the basis of this assumption.
The addressee may regard each electronic message received as a separate message and act on that assumption alone, except if he knew or should have known, had he exercised reasonable care or used any agreed procedure, that the electronic message is a duplicate.
Article 16
If the originator has requested or has agreed with the addressee, at or before sending an electronic message, or through that electronic message, that a receipt of the electronic message must be acknowledged, the provisions of article 15 of this law apply, taking into account the following:
1. Where the originator has stated that the electronic message is conditional on receipt of the acknowledgement, the electronic message is treated, in regard to the arising of rights and obligations between the originator and the addressee, as though it has never been sent, until the acknowledgement is received.
2. Where the originator requests that the receipt of the electronic message is acknowledged, but does not state that the electronic message is conditional on receipt of the acknowledgement within a specific or agreed upon time, or if he does not specify a specific or agreed upon time, the originator may give notice to the addressee stating that no acknowledgement has been received and specifying a reasonable time by which the acknowledgement must be received, and if the acknowledgement is not received within the time specified or agreed, he may, upon notice to the addressee, treat the electronic message as though it had never been sent.
3. Where the originator receives the addressee's acknowledgement of receipt, it is presumed—unless otherwise established—that the related electronic message was received by the addressee. That presumption does not imply that the content of the electronic message of the originator corresponds to the content of the electronic message received by the addressee.
4. Where the originator has not agreed with the addressee that the acknowledgement is done in a certain form or a specific method, it is permitted to make the acknowledgement of receipt by any communication from the addressee, whether by electronic means, automatic means, or any other means, or by any conduct by the addressee sufficient to confirm to the originator that the electronic message has been received.
5. Where the acknowledgement received by the originator states that the related electronic message met the technical requirements, either agreed upon or set forth in the applicable standards, it is presumed—unless otherwise established—that those requirements have been met.
Article 17
Unless otherwise agreed between the originator and the addressee:
(a) An electronic message is deemed dispatched when it enters an information system outside the control of the originator or the person who sent the message on his behalf.
(b) The time of receipt of an electronic message is determined as follows:
1. If the addressee has designated an information system for the purpose of receiving the electronic message, receipt occurs at the time when the electronic message enters the designated information system, and if the electronic message is sent to an information system of the addressee that is not the designated information system for the receipt of the electronic message—the time when the electronic message is retrieved by the addressee.
2. If the addressee has not designated an information system, receipt occurs when the electronic message enters an information system of the addressee.
(c) An electronic message is deemed to be dispatched at the place where the originator has his place of business, and is received at the place where the addressee has his place of business, even if the place where the information system is located is different from the place where the electronic message is supposed to have been delivered.
(d) If the originator or the addressee has more than one place of business, reference is to be made to the location closest to the underlying transaction, or, if there is no underlying transaction, the principal place of business. If the originator or the addressee does not have a place of business, reference is to be made to his habitual residence.
Chapter Four
Mechanisms for Protecting Electronic Transactions
Article 18
Encryption shall be used as a mechanism for the protection of electronic transactions with the objective of protecting the confidentiality of information or data contained in the electronic message, the verification of the identity of the originator, and the prevention of others from intercepting electronic information or messages for the purpose of preventing their delivery to the addressee or distorting them.
Article 19
Any of the following mechanisms shall be used for protecting information systems:
(a) Encryption by public key.
(b) Firewalls.
(c) Information filters.
(d) Denial of service prevention mechanisms.
(e) Data and file encryption technologies.
(f) Backup copies protection procedures.
(g) Anti-malware and anti-virus software.
(h) Any other mechanism permitted by the competent authority.
Article 20
With the exception of encryption keys specified by the National Security Council, the employee designated by the competent authority may ask the owner of any encryption key to enable him to inspect the necessary information relating to that key, and the owner of such a key shall deliver it to the employee.
Article 21
1. If specific authentication procedures agreed upon between the parties are applied to an electronic record to verify that it has not been altered from a specific time, this record shall be treated as a protected electronic record from that time until the time the verification takes place.
2. If there is no agreement between the parties, authentication procedures are deemed acceptable in accordance with clause 1 of this article and article 22 of this law, taking into consideration the circumstances relating to the transacting parties, in particular:
(a) The nature of the transaction.
(b) The knowledge and expertise of the parties.
(c) The volume of similar transactions to which any or all of the parties are associated.
(d) The existence of alternative procedures.
(e) The cost of alternative procedures.
(f) The procedures generally used for similar types of transactions.
Article 22
An electronic signature is deemed protected and reliable if the following is satisfied:
(a) The signature creation tool, within the context in which it is used, is restricted to the signatory and no other person.
(b) The signature creation tool was, at the time of signing, under the control of the signatory and of no other person.
(c) Any alteration to the electronic signature, made after the time of signing, is detectable.
(d) Any change in the information associated with the signature that occurs after the time of signing is detectable.
However, any interested party may establish in any way the reliability or non-reliability of the electronic signature.
Article 23
1. A person is entitled to rely on the electronic signature or certificate to the extent that such reliance is reasonable.
2. When the relying party received an electronic signature supported by a certificate, this party is deemed to have verified the validity and enforceability of the certificate, and that he only relies on the certificate in accordance with its conditions.
3. To determine whether an electronic signature or certificate is reliable, the following must be observed:
(a) The nature of the transaction to be supported by an electronic signature or certificate.
(b) The value or significance of the transaction, if known.
(c) Whether the party relying on the electronic signature or certificate has taken appropriate steps to verify the reliability of the electronic signature or certificate.
(d) Any prior agreement or transaction between the originator and the relying party.
(e) Any other relevant factor.
Article 24
1. The signatory shall, when using a signature creation tool to create a signature that has legal effect, observe the following:
(a) Exercise reasonable care to avoid unauthorised use of his signature creation tool.
(b) Without delay, utilise means made available to him by the certification service provider, or otherwise use reasonable efforts to notify any person expected to rely on or to provide services in support of the electronic signature, in the following cases:
(i) If the signatory knows that the signature creation tool has been compromised.
(ii) If the circumstances known to the signatory give rise to a substantial risk that the signature creation tool may have been compromised.
(c) Where a certificate is used to support the electronic signature, exercise reasonable care to ensure the accuracy and completeness of all material information made by the signatory that is relevant to the certificate throughout its validity period or that is to be included in the certificate.
Chapter Five
Competent Authority
Article 25
The competent authority shall undertake the following competences:
(a) Issuing the licences for the practice of certification services in accordance with the provisions and conditions provided in this law and the regulations and decisions issued in its implementation.
(b) Determining the fees for obtaining the licence.
(c) Importing or licensing the import of encryption tools required for the purposes of certification or those used by government entities with the exception of security entities.
(d) Exercising control, supervision, and inspection of the activities of certification service providers and verifying that they use secure physical components and programmes against interference and misuse, and that they comply with the standards of performance prescribed for ensuring confidentiality and security of electronic signatures and certificates.
(e) Setting standards for certification service providers.
(f) Determining the qualifications and expertise required to be obtained by the employees of certification service providers.
(g) Determining the conditions to which certification service providers are subject.
(h) Facilitating the establishment of any electronic systems by a certification service provider either alone or with other certification service providers.
Article 26
The competent authority may undertake the procedures it deems appropriate to control and supervise the extent of the compliance of certification service providers with the provisions of this law. This authority may access any electronic computer system, or any device, data, or material relating to this system, for the purpose of conducting inspection and control, and it may issue an order to any competent person to provide it reasonable technical assistance and other assistance as it deems necessary, and such person shall perform this order.
Article 27
The minister may request from the Minister of Justice to grant judicial enforcement status to the employees of the authority in accordance with the provisions of the Criminal Procedures Law.
Article 28
1. The application for the licence to provide certification services shall be submitted to the competent authority on the form prepared for this purpose.
2. It is not permitted to issue a licence to provide certification services unless the applicant meets the conditions specified by the competent authority and issued by a decision by the minister.
3. The licence is personal, non-transferable, and issued for a period of five years subject to renewal.
Article 29
The competent authority may invalidate the licence, after conducting the necessary investigation of the certification service provider in the following cases:
(a) If he submits incorrect information relating to the application for granting or renewing the licence.
(b) If he does not comply with the controls and conditions specified for granting the licence.
(c) If he violates any of the obligations provided in article 34 of this law, or the executive regulations or decisions issued in the implementation of its provisions.
The certification service provider whose licence is invalidated shall hand over the licence to the competent authority immediately upon the issuance of the invalidation decision.
Article 30
The competent authority may, if it has an acceptable reason for invalidating the licence, issue an order to suspend its validity until the completion of the investigation it orders, provided that the suspension period does not exceed ten days.
In the case of necessity, it is permitted to renew the period for a period not exceeding another ten days, provided that the certification service provider is notified before the renewal to submit the reasons that he may have against this. The certification service provider shall not issue any certificates during the suspension period.
Article 31
1. Upon the suspension or invalidation of the licence of the certification service provider, the competent authority shall announce this in the database it maintains.
2. The database that contains the suspension or invalidation announcement must be available on a website on the internet accessible 24 hours.
3. The competent authority may, if it deems this necessary, publish the contents of the database by other electronic means as it deems appropriate.
Article 32
Those concerned may file a grievance to the minister against licence rejection, suspension, or invalidation decisions. The minister may invalidate or modify the decision subject of the grievance if justifications are found for this. The executive regulation shall specify the timings and procedures for filing the grievance and ruling on it.
Chapter Six
Provisions Relating to the Certificates and Certification Services
Article 33
The certificate must state:
(a) The identity of the certification service provider.
(b) That the signatory had control, at the relevant time, of the signature creation tool referred to in the certificate.
(c) That the signature creation tool was correct and valid at the date the certificate was issued.
(d) Any limitations on the scope or value for which the certificate may be used.
(e) Any limitations on the scope or extent of liability accepted by the certification service provider towards any person.
(f) Any other information specified by the competent authority.
Article 34
The certification service provider shall obtain a licence for this from the competent authority and shall abide by the following:
(a) Act in accordance with the data provided with respect to his practices.
(b) Verify the accuracy and completeness of all material data included in the certificate during its period of validity.
(c) Provide accessible means and enable the relying party to ascertain the following:
(i) The identity of the certification service provider.
(ii) That the persons identified in the certificate had control, at the relevant time, of the signature creation tool referred to in the certificate.
(iii) The method used to identify the signatory.
(iv) Any limitations on the purpose or value for which the signature creation tool or certificate may be used.
(v) The validity of the signature creation tool and that it has not been exposed to anything suspicious.
(vi) The appropriate means of reporting the invalidation.
(d) That the website provides a means to enable him to submit a report in the case of a breach of the signature creation tool, and to guarantee providing a service to invalidate the signature usable in a timely manner.
(e) That he uses in performing his services trustworthy systems, procedures, and human resources taking into account the following factors:
(i) Financial and human resources.
(ii) Trustworthy computer devices and software.
(iii) Procedures of the certificates and applications for obtaining services and retention of records.
(iv) Availability of information of signatures identified in certificates and availability of information to parties potentially relying on certification services.
(v) Regularity and extent of the audit by an independent entity.
Article 35
1. If damage occurs as a result of the invalidity of the certificate or because it is defective due to a mistake or negligence of the certification service provider, he shall be liable for the resulting damage whether with respect to the party that he contracted with to provide the certificate, or to any person who had reasonably relied on the certificate.
2. The certification service provider shall not be liable for any damage if it is established that he did not commit any mistake or negligence, or if the damage was caused by a reason outside his control.
Article 36
The certification service provider shall:
1. Immediately suspend the certificate upon the request of its owner or if he finds or has grounds to believe that:
(a) The certificate has been delivered on the basis of erroneous or falsified information.
(b) The signature tool was compromised.
(c) The certificate has been used for fraudulent purposes.
(d) The information included in the certificate has changed.
2. Immediately notify the owner of the certificate upon the suspension of the certificate and the reasons for this action.
3. Immediately lift the suspension if the owner of the certificate revokes the suspension request or upon the verification of the validity of the information included in the certificate and the legitimacy of its use.
4. The owner of the certificate or any third party with interest may object to the suspension decision issued by the certification service provider.
Article 37
The certification service provider shall immediately invalidate the certificate in the following cases:
(a) If the owner of the certificate requests its invalidation.
(b) If he becomes aware of the death of the person, or the dissolution or liquidation of the legal person, owning the certificate.
(c) If he verifies, after a thorough examination, the validity of the grounds upon which he suspended the certificate.
Article 38
The certification service provider shall be liable for the damage resulting from his failure to take the procedures for suspending or invalidating the certificate in accordance with the provisions of articles 36 and 37 of this law.
Article 39
The certification service provider shall undertake the responsibility of depositing all public keys issued in accordance with the provisions of this law and maintaining a database on a computer that contains all public keys in a manner that makes the database and public keys available to any member of the public.
Article 40
No person shall publish a certificate that refers to a certification service provider identified in the certificate if that person knows:
(a) That the certification service provider named in the certificate did not issue it.
(b) That the signatory whose name is included in the certificate has not accepted it.
(c) That the certificate has been suspended or invalidated.
Publication is permitted if this is for the purpose of verifying the electronic signature before such suspension or invalidation.
Article 41
1. A certification service provider wishing to suspend his activities shall notify the competent authority of this at least three months before the date of the suspension of the activity.
2. The certification service provider may assign some of his activity to another certification service provider, provided that:
(a) The owners of valid certificates are informed of his intention to assign the certificates to another certification service provider at least one month before the expected date of the assignment.
(b) The owners of the certificates are informed of their right to refuse the expected assignment and the deadlines and mechanisms of refusal. The certificates whose owners express their refusal of the assignment in writing or electronically shall be invalidated by that deadline.
3. In the case of the death, bankruptcy, or liquidation of the certification service provider, his successors or liquidators shall be subject to clause 2 of this article, provided that the whole activity is assigned within three months at most.
4. In all cases of suspension of the activity, the personal information remaining under the control of the certification service provider shall be destroyed in the presence of a representative of the competent authority.
Article 42
1. In determining the validity and effectiveness of the certification or electronic signature, no regard shall be had to the location where the certificate or electronic signature is issued, or the jurisdiction of the place of business of the certificate or electronic signature issuer.
2. Certificates issued by a foreign certification service provider are deemed equivalent to certificates issued by certification service providers working by virtue of this law if the practices of the foreign certification service providers meet a standard of reliability no less than the standard required by certification service providers subject to the provisions of this law taking into account recognised international standards.
3. It is not permitted to recognise certificates issued by a foreign certification service provider except by a decision by the minister.
4. In determining the effectiveness of a certificate or electronic signature, agreements between the parties regarding a transaction in which such signature or certificate is used or regarding the requirement of the use of a certain certification service provider, a certain category of certification service providers, or a certain type of certificates in regard to electronic messages or signatures provided to them shall be recognised, provided that such agreement is not in violation of the applicable laws in the Sultanate.
Chapter Seven[2]
(Repealed)
Chapter Eight
Government Use of Electronic Records and Signatures
Article 50
The government may perform the following tasks using electronic records and signatures:
(a) Acceptance of the filing, submission, creation, or retention of documents.
(b) Issuance of any permission, licence, decision, or approval.
(c) Acceptance of fees or any payments.
(d) Floating tenders and receiving bids relating to government procurement.
Article 51
The government may, if it decides to electronically perform any of the tasks mentioned in the previous article, specify:
(a) The mechanism and form in which such records are created, filed, retained, submitted, or issued.
(b) The manner, form, mechanism, and procedures by which tenders are floated, bids are received, and government procurement is completed.
(c) The type of the required electronic signature including the requirement of the originator to use another protected electronic signature.
(d) The manner and form in which such electronic signature is affixed to the record, and the standard that the certification service provider, to whom the records are submitted for filing or retention, must meet.
(e) The appropriate control operations and procedures to verify the safety, security, and confidentiality of electronic records, payments, or fees.
(f) Any other specifications, conditions, or provisions for sending paper documents, if that is required in regard to the electronic records of payments and fees.
Chapter Nine
Punishments
Article 52
Without prejudice to any punishment more severe stipulated in the Omani Penal Law or any other law, the following shall be punished with imprisonment for a period not exceeding two years, and a fine not exceeding 5,000 (five thousand) Rial Omani, or one of those two punishments:
1. Deliberately makes an unauthorised modification in the contents of any computer with the intention of weakening its effectiveness; preventing or obstructing access to any programme or data saved on it; weakening the effectiveness of such programme; or weakening the reliability of such data, if the modification is done using any of the following means:
(a) The deletion of any programme or data saved on the computer.
(b) The addition of any programme or data to the contents of the computer.
(c) Any act that contributes to making such modification.
2. Breaches a computer, a network of computers, a website on the internet, or an internet network, and this results in:
(a) Disabling the operation system of the computer or the network of computers.
(b) Destruction of the programmes of the computer or computers and the information they contain.
(c) Theft of information.
(d) Use of the information contained in the output of the computer for unlawful purposes.
(e) Entry of incorrect information.
3. Enters, using fraud, into an information system or a database with the purpose of tampering with electronic signatures.
4. Illegally discloses the keys for the decryption or decrypts information deposited with him.
5. Illegally uses personal encryption elements relating to the signature of another.
6. Breaches or obstructs encrypted information or data, or deliberately decrypts them without a legal basis, and the punishment shall be doubled if the information or data relates to a state secret.
7. Deliberately discloses encrypted information or data using any means outside the circumstances authorised by law.
8. Deliberately creates or publishes a certificate, or provides incorrect electronic information, for an unlawful purpose.
9. Provides incorrect information about his identity or his authorisation to a certification service provider for the purpose of requesting the issuance, invalidation, or suspension of a certificate.
10. Deliberately discloses—without a legal basis—confidential information that he accesses using the authorities available to him by virtue of this law or any other law.
11. Practises the activity of a certification service provider without a licence.
12. Illegally uses a signature creation tool relating to the signature of another person.
13. Illegally enters into a computer with the intention of committing a crime or facilitating the committing of a crime, whether by him or by another person.
14. Forges an electronic record or an electronic signature, or uses any of this with his knowledge of their forgery.
15. Deliberately publishes, facilitates the publication of, uses, or decrypts an electronic record or an electronic signature using unlawful means. The punishment shall be doubled if the perpetrator of the crime is a custodian of that record or signature by virtue of his profession or office.
Article 53
Without prejudice to any punishment more severe stipulated in the Omani Penal Law or any other law, the following shall be punished with imprisonment for a period not exceeding one year, and a fine not exceeding 1,500 (one thousand five hundred) Rial Omani, or one of those two punishments:
1. Whoever manufactures, possesses, or obtains an electronic system or programme to create an electronic signature without the explicit permission of the owner of such signature.
2. Every holder of an encryption key who refuses to hand it over to the employee specified by the competent authority after disclosing his identity.
3. Every certification service provider, or any of his employees, who refuses to provide facilities to the competent authority, or any of its employees, to carry out the control, supervision, or inspection of any computer system, data device, or any other material connected with the computer system in the headquarters of the certification service provider.
Article 54
In the case of conviction by virtue of the provisions of this law, the court shall rule, in addition to any other punishment, the confiscation of the tools used in committing the crime.
[1] Amended by Royal Decree 98/2010.
[2] Chapter seven was repealed by Royal Decree 6/2022.