2017 will see the first national digital identity schemes notified for cross-border use within the European Union.
It is also a pivotal year for approved (in the Regulation's own terms, "qualified") trust services in Europe: the transitional regime for providers certified under the old directive ends on 1 July 2017.
This is a key step in the effective implementation of the European eIDAS Regulation on digital identification and trust services for digital transactions.
What's in this page?
This article discusses the eIDAS Regulation on electronic identification and trust services, the challenges of implementing and adopting it, and the arrival of cross-border digital identities.
This is an opportunity for us to take stock of the first achievements in the implementation of the eIDAS Regulation.
eIDAS: the digital trust Regulation
A World First
With the eIDAS Regulation, the European Union becomes the first region in the world with a single legal framework for cross-border digital transactions, designed to build confidence in those transactions.
This framework is a valuable asset for the economies of the 31 countries of the European Union and the European Economic Area, but it still has to be implemented effectively.
This is both a challenge and a promise in a market of more than 500 million citizens.
National digital identity
One of the most innovative and most anticipated aspects of the Regulation is the possibility of accessing services throughout Europe with the same national digital identity, whether issued by a public or a private provider, provided that it has been officially notified by the Member State in which it is used.
That is, it must be part of a notified national electronic identification scheme in the country of origin, and its level of assurance must be equal to or higher than the level required by the service in the host country.
Put it this way:
Being able to authenticate with a public or private digital identity from one's own country when accessing the online services of public administrations across Europe marks a decisive step.
Here's the most important part.
A network of approved providers
In addition, common rules for the mutual recognition of electronic signatures, seals and certificates, backed by a network of approved trust service providers, reduce barriers to digital transactions and increase the adoption of new services across borders.
The eIDAS Digital Trust Regulation thus introduces benefits and advances at national level for almost all Member States.
Let's look at the potential improvements for countries:
- Strengthening national digital identities so that citizens can authenticate reliably and sign digitally,
- Modernizing the way in which digital transactions are handled,
- Accelerating the deployment of usable digital services. This approach can also make it easier for the digital infrastructures of the public and private sectors to work together.
- Establishing recognised ways of demonstrating qualified status. These guarantee formal digital exchanges, which is essential if users are to benefit fully from the services on offer.
The good news for citizens and residents is the new EU trust mark created by the Regulation, which makes qualified trust service providers easy to recognise.
This mark increases the transparency of the market. It also signals that the service is legally recognised and has met the Regulation's technical and organisational requirements for the transactions or services being used.
The challenges of implementation and adoption
Needless to say, legislators carefully planned the implementation phase of the Regulation.
Let's see what they have planned step by step.
The Regulation is being implemented gradually over almost five years (2014-2019).
- 2015 and 2016 were devoted to filling in the detail: eight implementing acts were published to lay down rules for applying the Regulation's articles, and the standardization work entrusted to CEN and ETSI under mandate M/460 was accelerated so that suitable standards would be available when the Regulation applied;
- Work in 2017 and 2018 is geared more towards operational implementation, in conjunction with the gradual arrival of notifications of national electronic identification schemes and the end of the transition period for trust services.
Initiated at the end of 2015, the Cooperation Network of Member States enters its decisive phase in 2017 with the peer review of the first pre-notified schemes.
These reviews will contribute to the proper implementation of digital identity schemes and ensure that governance methods are equivalent and that the schemes are genuinely interoperable (meaning they can REALLY work together).
At the same time, the digital infrastructure, in particular the communication nodes that implement the interconnection mechanism, has entered a test period and pilot phases of interoperability between several countries.
Reusable building blocks implementing shared technical specifications are being offered to Member States (the building blocks provided under the Connecting Europe Facility).
These cover electronic identification and authentication, as well as electronic signature, electronic invoicing and electronic delivery. They can be integrated readily by governments to facilitate interoperability. Automated translation is also provided, so that a user can read another country's administration site in their own language.
For example, an Austrian driver who has been fined for speeding in the Netherlands can now, using their digital identity, consult detailed information on the fine in their native language and choose to pay it or to challenge it electronically, following the Dutch procedure explained on the site.
Implementation has thus begun in the governmental and public sector.
Getting the private sector on board
The other important concern is adoption by the private sector of the practices the Regulation promotes.
The legislators give Member States the responsibility for setting up the means necessary for implementation, while recognizing the importance of involving private sector companies in making a success of the challenge that the European digital market represents.
Faced with the growing diversity of digital practices in Europe, the European Commission is seeking to encourage the private sector to adopt the rules of the eIDAS Regulation, so that it can rely on these building blocks wherever a stronger trust framework is desired or beneficial.
To achieve this objective, the European Commission has several assets:
- First there is traditional dissemination through public procurement. Public expenditure represents, on average, between 45% and 50% of the EU's GDP, a very large share.
- Secondly, the EC can count on Public Private Partnerships (PPPs) to disseminate good practices. There are a large number of digital identity PPPs since, in order to achieve a critical mass of services, it has been necessary in many states to provide bridges linking identity providers and service providers or even infrastructures that are shared between the private and public sectors.
- Added to this is the sectoral approach. The aim is to work on sectoral initiatives, legislation or projects that can be based on the mechanisms of the eIDAS Regulation either directly or indirectly.
This is already visible in the financial sector, with the authentication and authorization of remote payments (application of the revised Payment Services Directive, PSD2) or, for example, the updating of Know Your Customer (KYC) checks under the 4th Anti-Money Laundering Directive (4th AMLD).
- More broadly, these transformations can also be seen in the health sector (the eHealth Governance Initiative, eHGI) and in other sectors where remote identification and secure authentication matter.
Cross-border digital identities
In order to be used within the framework of the Regulation, digital identities must belong to a national scheme, which must itself go through a notification process that takes several months.
Where do we stand in this notification phase at the beginning of 2017?
On the interoperability test front, progress is tangible in the first multi-country pilots.
In December 2016, Germany, the Netherlands and Austria announced that they had successfully connected their electronic identification and authentication infrastructures, through their operational cross-border nodes, to access the digital services of one of the three countries.
The pilot, carried out within the e-SENS project, included access to the Dutch agriculture and road transport authorities and to Dutch local authorities.
The first pre-notification, which marks the start of the notification process, took place on 20 February 2017, when Germany pre-notified its national identity card scheme, which counts 40 million registered citizens.
This is an important initial step, as five other cases of cross-border digital identities are expected before the end of 2017.
Another important issue with respect to the arrival of these identities is the level of assurance associated with the notified identification schemes.
Of the more than 20 eID schemes that existed (but had not yet been notified) in EU countries in 2016, more than 15 should be able to claim a substantial or high level of assurance, since they already rely on identity-proofing requirements and authentication means corresponding to those levels.
These estimates now seem to be confirmed by the Member States' own declarations: according to the minutes of the Cooperation Network meeting held at the end of 2016, 15 of the 18 Member States with a draft notification in preparation have indicated their intention to notify at the substantial or high level of assurance.
From electronic signature to qualified digital trust
With the Regulation, the scope of qualified services has expanded.
To date, 9 qualified trust services can be approved at European level, whereas the 1999 Electronic Signature Directive provided for only one: the electronic signature based on a qualified certificate.
What are these trusted services?
First, the creation, verification and validation of electronic signatures, seals and timestamps, electronic registered delivery services, and the qualified certificates associated with these services.
- The electronic timestamp binds data in electronic form to a particular point in time, providing evidence that the data existed at that time.
- The electronic registered delivery service transmits data between third parties electronically and provides evidence of its handling, including proof of sending and receiving, and protects the data against loss, theft, damage or unauthorised alteration.
Preservation services for qualified signatures, seals and certificates are also covered by the Regulation.
Finally, the issuance, verification and validation of qualified certificates for website authentication (certificates that unambiguously bind a site to the natural or legal person that owns it).
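To make the timestamp service concrete, here is a small added example, written for this article and not code from the page or from Thales, of the exchange between a requester, a time-stamping authority (TSA) and a later verifier. It assumes an Ed25519 key as the TSA's signing key and a SHA-256 digest of the data, and it uses an injectable clock so the run is deterministic; a real qualified timestamp is an RFC 3161 token signed under the provider's qualified certificate, but the principle is the same: the requester sends only a hash, the authority signs hash and time together, and any later change to the data or to the time breaks verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// TimestampToken is what the time-stamping authority (TSA) returns to the
// requester. It binds a digest of the data, never the data itself, to a time
// asserted by the TSA and covers both with the TSA's signature.
type TimestampToken struct {
	Digest    [32]byte // SHA-256 of the time-stamped data
	IssuedAt  int64    // Unix seconds according to the TSA's clock
	Signature []byte   // Ed25519 signature over Digest || IssuedAt
}

// TSA is a toy time-stamping authority: a signing key and a clock.
// Assumption: the clock is injectable for determinism; a real TSA uses a
// trusted, audited time source.
type TSA struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
	now  func() time.Time
}

// NewTSA generates a fresh Ed25519 key pair for the authority.
func NewTSA(now func() time.Time) (*TSA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TSA{priv: priv, Pub: pub, now: now}, nil
}

// signedBytes is the exact byte string the TSA signs and the verifier
// recomputes: the 32-byte digest followed by the big-endian 64-bit time.
func signedBytes(digest [32]byte, issuedAt int64) []byte {
	buf := make([]byte, 40)
	copy(buf, digest[:])
	binary.BigEndian.PutUint64(buf[32:], uint64(issuedAt))
	return buf
}

// Issue is the TSA side of the exchange. It receives only a digest, so the
// content of the document stays private to the requester.
func (t *TSA) Issue(digest [32]byte) TimestampToken {
	issuedAt := t.now().Unix()
	return TimestampToken{
		Digest:    digest,
		IssuedAt:  issuedAt,
		Signature: ed25519.Sign(t.priv, signedBytes(digest, issuedAt)),
	}
}

// RequestTimestamp is the requester side: hash the data locally and send
// only the hash to the TSA.
func RequestTimestamp(tsa *TSA, data []byte) TimestampToken {
	return tsa.Issue(sha256.Sum256(data))
}

// Verify is the relying party's check, possibly years later: the data must
// hash to the digest in the token, and the TSA's signature must cover that
// digest together with the asserted time. Any change to the data, the digest
// or the time makes the check fail. It returns the attested time on success.
func Verify(tsaPub ed25519.PublicKey, data []byte, tok TimestampToken) (time.Time, error) {
	if sha256.Sum256(data) != tok.Digest {
		return time.Time{}, errors.New("data does not match the time-stamped digest")
	}
	if !ed25519.Verify(tsaPub, signedBytes(tok.Digest, tok.IssuedAt), tok.Signature) {
		return time.Time{}, errors.New("invalid TSA signature: digest or time altered")
	}
	return time.Unix(tok.IssuedAt, 0).UTC(), nil
}

func main() {
	tsa, err := NewTSA(time.Now)
	if err != nil {
		panic(err)
	}
	// Constructed sample input; not real contract data.
	contract := []byte("constructed sample: supply contract v1")
	tok := RequestTimestamp(tsa, contract)

	at, err := Verify(tsa.Pub, contract, tok)
	fmt.Println("original data:", at, err)

	_, err = Verify(tsa.Pub, []byte("constructed sample: supply contract v2"), tok)
	fmt.Println("altered data: ", err)

	backdated := tok
	backdated.IssuedAt -= 24 * 3600 // try to claim the data existed a day earlier
	_, err = Verify(tsa.Pub, contract, backdated)
	fmt.Println("altered time: ", err)
}
```

Run it with `go run`: the first check succeeds and returns the attested time, the second fails because the altered document no longer hashes to the signed digest, and the third fails because the signature covers the time as well as the digest, so a token cannot be back-dated after issue. Distributing trust in the TSA's public key (in eIDAS, through the provider's qualified certificate and the national trusted list) is what the toy leaves out.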
In this context, the consolidation of digital trust rests on demanding additional strategic, organisational and technical requirements.
Companies that want a trust service approved as qualified undergo a prior conformity assessment and then, once qualified status is granted, continuous supervision of all their qualified activities, notably risk analysis, information security management and the management of digital certificates.
In return for meeting these requirements, checked by a conformity assessment audit at least every 24 months, the qualified regime gives a presumption of reliability that satisfies economic players' need for integrity and security.
What about existing service providers?
First there is the migration of the roughly 150 providers already approved under the old electronic signature directive, which must switch to eIDAS before 1 July 2017.
This movement is well under way since some 30 service providers were already approved under the new eIDAS scheme on 1 January 2017.
For new services, this new qualified offering will take time to emerge.
It is not only that the services are new and that they must find their markets, but also that their final status is still subject to the completion of standardization work.
This is the case, for example, for:
- the long-term conservation of signatures,
- the sending of electronic registered post,
- remote digital signatures.
We must therefore wait a little longer to appreciate the true potential of these new services, but the direction is clearly the right one.
2017 is a pivotal year for eIDAS
In a nutshell.
2017 marks a turning point in the implementation of the eIDAS Regulation thanks to two parallel developments:
- The new qualified trust services
- The notification of the first digital identification schemes.
These significant advances will let economic players gather the first fruits of the Regulation.
This stage should be seen as part of the European digital single market, which the European Commission believes could contribute about 415 billion euros per year to the economy, a considerable sum.
If the promises of simplicity, security and interoperability are to be kept for the user, it will be through a digital trust framework that frees users from uncoordinated, separate infrastructures.
A word of caution here.
Of course, as we recommend to our customers, complexity should be hidden from the user.
It's obvious once you think about it: dwelling on the system's legal validity and the extraordinary security effort behind it only generates mistrust.
The governance of the identification system, the technical details and the associated expertise should stay backstage, where they belong.
eIDAS regulation and Thales
Digital trust is Thales' core business.
Aware of the development potential of the digital single market, but also of the risks of cybercrime, we naturally welcome the work done by legislators and the Member States to remove obstacles and put in place the ingredients to boost the digital transformation virtuous circle.
In this context we have made our security experts available under Mandate M/460 to contribute to the assessment of security risks and the development of a regulatory framework for system interoperability.
We are continuing this work within CEN and ETSI's standardization groups that are supporting the implementation of the Regulation.
Thanks to our expertise and field experience, our portfolio of electronic identity solutions enables our clients, private companies and government agencies to benefit from proven solutions that are compatible with the eIDAS Regulation and its associated implementing acts.
We provide secure means of identification (electronic identity documents, residents' cards and social security cards) as well as qualified signature creation devices certified under the Common Criteria scheme (EAL5+ as a minimum), meeting the certification requirements the Regulation places on such devices.
Our Public Key Infrastructure (PKI) authentication solutions enable a user's digital identity to be validated securely on a public or private network. Governments as well as trust service providers can thus meet the requirements of the Regulation for secure and reliable cross-border transactions.
Now it's your turn
We look forward to your thoughts on eIDAS and its implementation challenges. Feel free to leave a comment or ask any questions in the box below.