The Consolidated Public Sector Procurement Directive (2004/18/EC) and the new Utilities Sector Procurement Directive (2004/17/EC) establish a new framework for the utilisation of e-communication mechanisms in procurements in the public and utilities sectors.
This new framework has had relatively little examination in the legislative processes leading up to the adoption of the new Directives. However, the new rules relating to the use of e-commerce techniques in the new Directives will have a considerable impact on the way in which procurement personnel carry out procurement activities and will require considerable investment in new IT systems in order to comply with the new rules.
The general assumption amongst most procurement personnel (the author included) has been that the new Directives would simply legitimise the current practice, at least in the United Kingdom, in a wide range of procurement processes of the use of email and the submission of compact discs or DVD (“CDs”) for very extensive documentation. In fact, the e-communication requirements in the new Directives are much more extensive. The new requirements do not simply legitimise the transmission of tenders and other procurement documents by email or CD. The new Directives impose an extensive regulatory regime on the use of e-communication mechanisms in public and utilities sector procurements.
The extensiveness of this new regulatory regime is open to question. It has become relatively common practice over the last two to three years in regulated United Kingdom procurement processes, for a wide range of procurement communications to be transacted by email, including the submission of tenders in some instances. Where the documentation to be submitted is very extensive, submissions are often made by CD. The author is not aware of any problems that have arisen as a result of the transmission of procurement documentation by email and CD.
This article is limited in its scope to an examination of the new regulatory framework introduced by the new Directives relating to e-communication mechanisms. The new Directives legitimise a variety of other e-procurement activities, including the transmission of Contract Notices to the Official Journal by email, e-auctions and electronic catalogues in dynamic purchasing systems. The consideration of these activities is outside the scope of this article.
Common approach in public and utilities sectors
Both the new Consolidated Public Sector Procurement Directive (2004/18/EC) and the new Utilities Sector Procurement Directive (2004/17/EC) contain the same regulatory framework for e-communication mechanisms. The framework is set out in Article 42 and Annex 10 of the Public Sector Procurement Directive and Article 48 and Annex 24 of the Utilities Sector Procurement Directive. In this article, all references are to the Public Sector Procurement Directive, but they are equally applicable to the utilities sector procurements.
The relevant Recitals
The basic principle underlying the establishment of the new regulatory framework for e-communication mechanisms is set out in Recital 35. This Recital identifies that “new developments in information and communications technology” have occurred and refers to the “simplifications these can bring in terms of publicising contracts and the efficiency and transparency of procurement processes”. The Recital then goes on to set out a very general and laudable principle that “electronic means should be put on a par with traditional means of communication and information exchange”.
The extent to which e-communication mechanisms have in fact been put “on a par” with traditional communication techniques by the Directives is very questionable. The regime established by the Directives has imposed a range of additional security safeguards on e-communication mechanisms which do not apply to traditional techniques. Once these requirements become law following the implementation of the Directives into national law, there is a risk that the new regime will actually inhibit the use of e-communication mechanisms by contracting authorities.
The enhanced security safeguards for e-communication mechanisms are referred to in Recital 37. The Recital states relatively uncontentiously that the Electronic Signatures Directive (1999/93/EC) and the E-Commerce Directive should apply “to the transmission of information by electronic means” but then the Recital goes on to state that “public procurement procedures and the rules applicable to service contests require a level of security and confidentiality higher than that required by these Directives”. The Recital does not give any reasons why these higher standards are required, presumably the reasons relate to the requirement for higher probity standards in a regulated environment. However, the E-commerce Directive establishes the regulatory framework for all levels of e-commerce and so why there is a need for a more stringent regulatory regime in this context is unclear.
Recital 37 then states that “electronic signatures and in particular, advanced electronic signatures, should as far as possible be encouraged”. This article will examine later in brief outline the concept of electronic signatures. It is to be welcomed that the Directive intends to encourage the use of electronic signatures rather than to mandate the use of electronic signatures, as the use of electronic signatures adds cost overheads and complexities to communication mechanisms.
Article 42 and Annex 10
Article 42 sets out rules relating to communication generally in regulated procurement processes, not just the rules relating to e-communications mechanisms. This is a new provision in the Directives. It does not have an equivalent in the old Directives. Articles 42(2), some of Article 42(3) and all of Article 42(4) relate to all communication activities in procurement processes. Most of Article 42(3) and all of Article 42(5) apply specifically to tenders and requests to participate.
Articles 42(2) and 42(4)
Article 42(2) requires that the means of communication just be “generally available” and thus not restrict any “access to the tendering procedure” for any potential bidders. This means that the e-communication mechanisms must not be limited to certain classes of potential bidders and, presumably, that they are not so expensive or difficult to implement that only large-scale corporates would have the resources necessary to implement them.
Article 42(4) requires that “the tools used for communicating by electronic means, as well as their technical characteristics, must be non-discriminatory, generally available and interoperable with …. products in general use”.
Ordinary email packages, such as Microsoft Outlook, appear to comply with the Article 42(2) and Article 42(4) requirements. Microsoft Outlook is “generally available”, there is relatively little differential pricing for the package (although large scale and academic users can obtain significant discounts from Microsoft) and the products are in general use (and so the interoperability requirement would appear to be meaningless).
There is an issue with the requirement in Article 42(4) that the “technical characteristics” of the “tools” used for e-communication must be “generally available”. Of course, most email packages are proprietary products and their technical specifications are kept confidential by the software developer. (Open source software, such as Linux, is different in that the source code for this software is available to all licensees). However, in this context it is unlikely that the term “technical characteristics” of the e-communication tools would require the full availability of the technical specification or the source code of the software package. Instead, for the purposes of the Directive, it would appear to be sufficient for the IT standards which are utilised in the software packages, such as SMTP and POP3, to be “generally available”.
One potential scenario that may emerge as a result of the new regulatory regime is that contracting authorities will use normal email arrangements, such as Microsoft Outlook, for procurement communications other than tender submissions and requests to participate and require hard-copy submissions for tender submissions and requests to participate. This is because the regulatory requirements for tender submissions and requests to participate set out in Articles 42(3) and 42(5) are considerably more onerous than the general rules in Article 42(2) and 42(4). In the United Kingdom, the Office of Government Commerce has commenced the “eSource” initiative, with the intention of providing resources and materials in order for public bodies to carry out e-procurement activities.
Article 42(3) imposes a general requirement for all procurement communications that e-communication mechanisms and the storage of data “shall be carried out in such a way as to ensure that the integrity of data …. are preserved”. This requirement is problematical, as in theory there is a risk that email communications could be “hacked” by third parties during transmission and documents contained in the email could be modified before being on-transmitted to the intended recipient.
One reading of this provision is that the requirement on contracting authorities to ensure the integrity of data that is transmitted requires contracting authorities to use electronic signature technology, as this is capable of identifying when a document is modified in any way and thus the integrity of data is jeopardised.
However, this provision should be interpreted in the context of Recital 37 which states that the use of electronic signature technology is to be encouraged, rather than a requirement. It would therefore appear that a preferred construction of the provision is that it requires contracting authorities to take appropriate steps to secure the integrity of data that is transmitted and stored during the conduct of the procurement process, including using electronic signature technology where this is appropriate on the basis that the data involved is significant or where the risks of corruption of data are significant.
Article 42(3) also imposes requirements relating specifically to tenders and requests to participate. These require that the confidentiality of tenders is preserved and that their contents are only examined after the time limit for submission has expired. The requirement of confidentiality could, again, be regarded as imposing on contracting authorities a technological requirement, potentially for contracting authorities to require that all electronic transmissions of tenders and requests to participate are encrypted. This would give greater confidentiality protection for these transmissions than “open” or unencrypted transmissions.
On the basis that the Directive only intends that electronic transmissions should be “on a par” with other transmission technologies, there is a good argument that encryption is not required in all circumstances. The submission in hard copy of tender materials has a relatively low level of confidentiality protection. It would be relatively straightforward for someone with determination to intercept hard copy postal deliveries and to open up a paper envelope to gain access to the contents of tenders and requests to participate.
On this basis, contracting authorities should be regarded as having complied with this confidentiality requirement if they put reasonable steps in place such that email accounts can not be accessed by unauthorised personnel – perhaps by means of password protection. Also, the requirement in Article 42(3) that the contents of tenders and requests to participate are only examined after the time limit for submission has expired should be satisfied if contracting authorities can show that they have implemented administrative arrangements such that its procurement personnel will only access the relevant documentation after the time limits have expired. The Directives do not require that the contacting authority’s personnel are technologically unable to access the documentation until after the time limit for submission has expired.
For example, it would be possible for a contracting authority to set up an email account such as “firstname.lastname@example.org” which only the relevant procurement personnel would have the passwords to and that the procurement personnel would be under administrative instructions not to access the account until after relevant deadlines have expired. By setting up a dedicated email account the problem of an individual using the account on a day-to-day basis and potentially accidentally opening up tender submissions or requests to participate by mistake would be avoided.
Another alternative would be for the tenders themselves to be password protected by the bidders and the passwords to be provided upon the expiry of the relevant deadlines. In this way, the contracting authority would be prevented from accessing the relevant documentation by means of a technological restriction until after the deadline had expired.
Compliance with Article 42(5) raises considerably more challenges for contracting authorities. In the first place, its scope of application is open to some debate. It sets out a number of requirements relating to “devices” for the electronic transmission and receipt of tenders and requests to participate. This reference to “devices” appears to indicate that the drafters of the Directives thought that contracting authorities would use stand-alone “black-boxes” for these transmissions. This, of course, is not the case. The electronic transmission of procurement documentation is carried out by contracting authorities using desktop PCs and laptops in the same way as every other electronic transmission. It does not involve the use of separate “devices”. However, the Directive should probably be interpreted on the basis that these desktop PCs and laptops are the “devices” for the purpose of Article 42(5).
Article 42(5)(a) initially sets out a basis requirement of equal treatment and transparency, stating that “information regarding the specifications necessary for the electronic submission of tenders and requests to participate, including encryption, shall be available to interested parties”. This is straightforward and the provision does not mandate any particular information that is required to be provided to bidders. Also, it should be noted that the reference to encryption appears to be made on the basis that encryption is not a mandatory requirement of the electronic submission of tenders and requests to participate.
Article 42(5)(a) then cross refers out to Annex 10 and, again, refers to “devices” for the electronic receipt of tenders and requests to participate. This tends to reinforce the argument that the Commission considers that contracting authorities will use separate “black boxes” for dealing with tender receipts. It is perhaps an open issue whether Annex 10 only applies when separate “black-boxes” are used for tender receipt purposes, although perhaps the term could be regarded as applying to email servers. It could perhaps be argued that Annex 10 is not applicable if separate “devices” are not used for tender receipt purposes.
Annex 10 sets out eight requirements for “devices” used for tender receipt purposes and for the receipt of requests to participate. The drafting of Annex 10 is more prescriptive than Article 42. It is possible that Annex 10 had relatively little scrutiny during the legislative process and the drafting in Annex 10 is inadvertently prescriptive. For example, the pre-amble in Annex 10 states that the “devices” “must at least guarantee, through technical means and appropriate procedures” the matters set out in the Annex. This language and, in particular the use of the “and” in relation to “technical means and appropriate procedures” appears to have the effect that establishing administrative procedures governing the use of e-communications technology will not be sufficient to comply with the requirements of the Annex. The wording appears to suggest that there must be technological solutions to satisfy the requirements of the Annex.
The Annex 10 requirements are as follows:
1) Electronic signatures in procurement e-communications must comply with national provisions adopted pursuant to Directive 1999/93/EC (the Electronic Signatures Directive). This is relatively uncontroversial and if contracting authorities establish electronic signature arrangements for tender submissions and request to participate, they would have taken advantage of the protections and stipulations of the Electronic Signatures Directive in any event. It seems to be reasonably clear that this provision does not mandate contracting authorities to implement electronic signature arrangements for tender submissions (see the commentary on Article 42(5)(b) below). If a contracting authority decides to implement an electronic signature regime then it will comply with the relevant national legislation implementing the Directive.
2) The exact time and date of tender submissions, requests to participate and other procurement documentation “can be determined precisely”. This is an aspect where the Directive may have overstepped its intention that electronic communications in procurements should be treated “on a par” with other communication methods. When hard copy submissions are received, there is a high degree of trust in the administrative arrangements of contracting authorities that the time of receipt is accurately assessed and noted in the procurement records. In a hard copy situation this requires a significant degree of manual intervention. One reading of Annex 10 would require the “exact time and date” to be recorded automatically without any manual intervention. In fact, of course, every email system will record the time and date of email receipts, based on the internal clock of the computer of receipt. It is also, of course, a task of a few seconds to change the internal clock of a computer. There are services which can provide a secure time-stamp for the receipt of emails. A printout of email receipts from the computer receiving the procurement submissions, together with an acknowledgement from the procurement personnel supervising the submission process that the computer clock is accurate would provide a measure of evidence that this requirement has been complied with.
3) It must be reasonably ensured that, before the expiry of the relevant time limits, “no one can have access to data transmitted under these requirements”. Again, if there is a need for a technological solution in order to comply with this requirement then it will be very hard for contracting authorities to comply on the basis of standard office software technology. If the provision means that the computer systems themselves must prevent access until after the deadlines have expired then new technology will be required, with some sort of time lock to prevent any access to the relevant email account until the deadline has expired. However, the requirement can be satisfied relatively easily with a combination of technology and administrative arrangements. For example, if a separate email account is set up (as discussed above) for the submission of tenders and other procurement documentation, a password can be used so that only authorised personnel can access the account and they can be instructed not to access the account until the deadline has expired. The author proposes that this straightforward solution should be regarded as satisfying this requirement.
4) If the access prohibition is infringed, it may be reasonably ensured that the infringement is clearly detectable. On the most straight-forward level, if a “tenders” email account is set up then it will be apparent in the normal way if a submission has already been opened prior to the expiry of the relevant deadline, as when the email account is opened by the authorised personnel the email submission will already be shown to have been opened. As a matter of procurement practice, it will probably be advisable for procurement personnel to make a print out of the email inbox at the point of the expiry of the bidding timescales in order, although the ease with which emails that have been opened can be manipulated to show them as being unopened means that the evidential weight of such a print out would be limited. If more formal evidence is required, the email servers should be able to provide a log of when emails were first opened. Even normal email software packages will provide an improved track record of the procurement process and greater transparency as a result, as compared to conventional communication procedures.
5) Only authorised personnel may set or change the dates for the opening data received. This requirement again appears to confuse administrative processes and technological solutions. It is clearly a project requirement for deadlines to be established in accordance with the timescales set out in the Directive. In the author’s opinion it is not consistent with the “on a par” principle that e-communication mechanisms must include a facility so that there is a technological restriction on setting or changing the dates for opening data received. This is simply outside the scope of the communications technology. It was a mistake to include this requirement in Annex 10.
6) During the different stages of the contract award procedure …. “access to all data submitted, or to part thereof, must be possible only through simultaneous action by authorised personnel”.
7) “Simultaneous action by authorised persons must give access to data transmitted only after the prescribed date”.
It is not at all clear what is envisaged by these provisions. They may mean that access to data must be given by consent of all the authorised personnel, but it is still not clear why it has to be “simultaneous”. The provisions would seem to indicate that there must be at least two people present when tenders and requests to participate are opened and that these people must act “simultaneously” in order to gain access to the procurement documentation. However, if this means that at least two people have to simultaneously input a password in order to gain access to documentation then the requirement is inconsistent with the “on a par” principle. When hard copy procurement documentation is opened it is clearly good practice, although not a formal requirement, for more than one person to be present. In an e-communications environment it would still be adequate for one person to enter the necessary passwords to access the submissions and for this to be witnessed.
8) Data received and opened ….. “must remain accessible only to persons authorised to acquaint themselves therewith”. Again, this requirement goes beyond the legitimate requirements of the regulation of e-communications technology. The Directive can not realistically require that e-communications mechanisms will have to have systems built into them which will ensure that the information that is received through the use of the e-communications mechanisms will only be accessed by the authorised personnel. This goes well beyond the “on a par” principle. In practice, once the information has been received by a contracting authority it will be transmitted onwards to members of the contracting authority’s procurement project team, and their technical, financial and legal advisers. The information will be subject to confidentiality constraints and the project team will be bound by these constraints. It cannot be correct that the regulatory requirements for e-communications mechanisms are intended to impose technological restrictions on the dissemination of this information. The inclusion of this requirement was mistakenly included in Annex 10.
Article 42(5)(b) provides a discretionary option to Member States to require that electronic tenders are accompanied by an advanced electronic signature under the Electronic Signatures Directive. Advanced electronic signatures are based on a qualified certificate and are created by a secure-signature creation device. Under the Electronic Signatures Directive, Member States are required to ensure that advanced electronic signatures satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data; and are admissible as evidence in legal proceedings. As an example of the implementation approach in the Member States, the position of the United Kingdom government on the implementation of this provision is unclear. In the consultation document issued by the Office of Government Commerce relating to the implementation of the new directives there is no mention of this proposed approach to this provision (or to any other of the provisions relating to e-communications mechanisms).
The new regulatory regime relating to e-communications mechanisms in the new Directives will legitimise the use of these techniques in regulated procurement processes. This should have been a welcome development. However, the new regime has introduced as many questions as it has solved.
The basis of the new regime that e-communications mechanisms should be “on a par” with traditional communications mechanisms is laudable. If it had been carried through in the Directives then many of the problems would have been avoided.
Most of the difficulties arise in the drafting of the provisions in the Annexes. The author suspects that these Annexes had relatively little scrutiny during the legislative processes. (The author admits that he did not review the Annexes in any detail until after the adoption of the Directives. The author suspects that he was not alone in this approach).
Many of the problems in the Annexes stem from the fact that technological solutions are required for issues that are dealt with through administrative processes in traditional communications mechanisms. The same approach should have been adopted for e-communications mechanisms.
The net effect of the new regime is likely to be that contracting authorities will be hesitant about using e-communications mechanisms, particularly for the receipt of tenders and requests to participate, as the requirements of the regulatory regime for these activities are less than clear. This will be a retrograde step for a variety of contracting authorities that are currently using e-communications mechanisms with relatively few problems and amounts to something of an “own-goal” by the EU Commission.
 OJ L13 19.1.2000, p.12
 OJ L 178 17.7.2000, p.1
 Open source software is software where the source code to the software is made freely available to all licensees. For a useful introduction to open source software - see
 An explanation of internet transmission protocols is available at www.freesoft.org
 For an introduction to the legal requirement for digital signatures see “Internet Law and Regulation”, Graham Smith
 See “The Approach to Implementation of the New Public Sector Procurement Directive”, Office of Government Commerce, May 2004