2017 will see the first use of digital identity schemes by the Member States within the European Union.
It is also a pivotal year in developing approved trust (meaning trustworthy) digital services in Europe. The transitional regime ended in July 2017.
This is a key step in implementing the European eIDAS Regulation on digital identification and trust services for digital transactions.
What's on this page?
This paper will discuss the details of the eIDAS Regulation on digital trustworthiness, the challenges of implementing and adopting it, and the arrival of cross-border digital identities.
This is an opportunity for us to take stock of the first achievements in implementing the eIDAS Regulation.
eIDAS: the digital trust Regulation
A World First
Thanks to the eIDAS Regulation, the European Union becomes the first region in the world to have a legal framework for transnational digital transactions, designed to boost confidence in those transactions.
This framework is a valuable asset for the economies of the 31 member countries of the European Union and the European Economic Area. However, the truth is that it still needs to be implemented effectively.
This is both a challenge and a promise in a market of more than 500 million citizens.
National digital identity
One of the most innovative and eagerly awaited aspects of the Regulation is the possibility of accessing many services throughout Europe using the same national digital identity, whether public or private, provided that it has been officially recognized by the authorities of the country where it is in use.
Two conditions apply: the identity must be recognized as part of an official national digital identity scheme in the country of origin, and it must provide a level of security equivalent to that required by the host country.
Put it this way:
Being able to authenticate with the public or private digital identity issued in one's own country when accessing public administrations' online services across Europe marks a decisive step.
Here's the most important part.
A network of approved providers
Common rules for the mutual recognition of digital signatures, stamps, or certificates, backed by a network of approved trustworthy providers, reduce barriers to digital transactions and increase the adoption of new services across borders.
The eIDAS Digital Trust Regulation thus introduces benefits and advances at the national level for almost all Member States.
Here are the potential improvements for countries:
- Strengthening national digital identities so that users can authenticate reliably and sign digitally.
- Modernizing how digital transactions are handled.
- Accelerating the deployment of usable digital services. This approach can also make it easier for digital infrastructures in the public and private sectors to work together.
- Establishing ways of demonstrating approved trustworthiness. These provide a guarantee for formal digital exchanges, which is essential for users to benefit fully from the services on offer.
The good news is that citizens and residents will now benefit from the easy recognition of the new European trust label set up by the Regulation to identify approved service providers.
This label increases the transparency of the market. It also indicates legal backing to ensure the maximum legal and technical security for the transactions or services being used.
The challenges of implementation and adoption
Needless to say, legislators have carefully planned the implementation phase of the Regulation.
Let's see what they have planned step by step.
The Regulation has been implemented gradually over almost five years (2014-2019).
- 2015 and 2016 were years of widening the Regulation's scope and filling in its detail: eight implementing acts laid down important rules for applying the Regulation's articles, and the standardization work entrusted to CEN and ETSI under mandate M/460 was accelerated so that appropriate standards would be available for applying the new Regulation.
- Work in 2017 and 2018 is geared more towards the Regulation's operational implementation, in conjunction with the gradual arrival of notifications of national electronic identification schemes and the end of the transition period for trust services.
Initiated at the end of 2015, the work of the cooperation network among the Member States enters its decisive phase in 2017 with a discussion on the first pre-notified schemes.
These will contribute to the proper implementation of digital identity schemes and ensure that governance methods are equivalent and interoperable (meaning they can REALLY work together).
At the same time, the digital infrastructures and communication nodes that support the interconnection mechanism began a test period and pilot phases of interoperability between several countries.
Specific application building blocks to promote shared technical specifications are being proposed.
These include modules for authentication, as well as for signatures, billing, and electronic transmission. They can be easily integrated and used by governments to facilitate interoperability. Even instant translation has been provided so that a user can access another country's administration by reading the content in their own language.
For example, an Austrian driver who has been fined for speeding in the Netherlands can now, using their digital identity, consult detailed information on their fine in their native language and choose to pay or electronically challenge the fine, following the Dutch procedures explained on the site.
Implementation has thus begun in the governmental and public sector.
Getting the private sector on board
But the other important concern is the private sector's adoption of the practices promoted by the Regulation.
The legislators give states the responsibility for setting up the means necessary for implementation, while recognizing the importance of involving private sector companies in meeting the challenge that the European digital market represents.
Faced with the growing diversity of digital practices in Europe, the European Commission seeks to encourage the private sector to adopt the eIDAS Regulation rules. Thus, the private sector will rely on these building blocks wherever a stronger trust framework is desired or beneficial.
To achieve this objective, the European Commission has several assets:
- First, there is traditional dissemination based on public procurement. On average, public expenditure represents between 45% and 50% of the EU's GDP, which is very high.
- Secondly, the EC can count on Public-Private Partnerships (PPPs) to disseminate good practices. There are many digital identity PPPs since, to achieve a critical mass of services, it has been necessary for many states to provide bridges linking identity providers and service providers or even infrastructures shared between the private and public sectors.
- Added to this is the sectoral approach. The aim is to work on sectoral initiatives, legislation, or projects based on the eIDAS Regulation mechanisms, either directly or indirectly.
This is already visible in the financial sector, with the authentication and authorization of remote payments (an application of the revised directive on payment services) or, for example, the updating of the Know Your Customer (KYC) checks in the 4th Anti-Money Laundering Directive (4th AMLD).
- More broadly, these transformations can also be seen in the health sector (the eHealth Governance Initiative (eHGI)) and in other sectors where remote identification and secure authentication are important.
Cross-border digital identities
To be used within the Regulation framework, digital identities must be included in a national scheme, which must go through a notification process that takes a few months.
Where does this notification phase stand at the beginning of 2017?
On the interoperability test front, progress is tangible in the first multi-country pilots.
In December 2016, Germany, the Netherlands, and Austria announced that they had successfully connected their digital identification and authentication infrastructures to access one of the countries' digital services through their operational cross-border connections.
The pilot test, carried out as part of the e-SENS project, included access to the Dutch departments of agriculture and road transport and to Dutch local authorities.
The first pre-notification, which marks the start of the notification process, took place on 20 February 2017. The first Member State to take this step was Germany, with the pre-notification of its national identity card, which is held by 40 million registered citizens.
This is an important initial step, as five other cases of cross-border digital identities are expected before the end of 2017.
Another important issue concerning the arrival of these identities is the level of confidence associated with the notified identification schemes.
Taking into account the more than 20 ID schemes that existed in EU countries in 2016 (but had not yet been notified), it can be estimated that more than 15 of them should be able to claim a substantial or high level of confidence, given that they already rely on identification requirements and means of authentication corresponding to these levels.
These estimates now seem to be confirmed by the declarations of the Member States: according to the minutes of the cooperation network meeting held at the end of 2016, 15 of the 18 Member States with draft notifications in development have indicated their intention to notify schemes claiming a substantial or high level of confidence.
From electronic signature to qualified digital trust
Under the Regulation, the scope of certified services has expanded.
To date, 9 certified digital trust services are likely to be approved at the European level. In contrast, the 1999 Electronic Signature Directive provided for only one: a digital signature based on an approved certificate.
What are these trusted services?
First of all, the creation, verification, and validation of electronic signatures, stamps, and timestamps; electronic registered post services; and the approved certificates associated with these services.
- The electronic timestamp is a certification that data in electronic form existed at a given time.
- Electronic registered post is the approved electronic transmission of data between third parties, providing evidence of how the transmitted data was handled.
Conservation (long-term preservation) services for these approved signatures, stamps, and certificates are also covered by the Regulation.
Finally, the issuance, verification, and validation of approved certificates for the authentication of internet sites (certificates that make it possible to establish unambiguously the identity of a site's rightful owner, be it a natural or legal person).
In this context, digital trust consolidation is based on additional strategic, organizational, and technical requirements.
Companies that want to have their digital trusted service approved are subject to a preliminary assessment and then, in the event of a decision to grant approved status, to continuous supervision over all their approved activities, notably on aspects of predictive risk analysis, the information system's security management and the management of digital certificates.
In return for meeting such requirements, measured periodically by a conformity assessment audit, the approval regime offers a presumption of reliability to satisfy the economic players' need for integrity and security.
What about existing service providers?
First of all, there is the migration of the roughly 150 service providers already approved under the old Electronic Signature Directive regime, which had to switch to eIDAS before 1 July 2017.
This movement is well underway since some 30 service providers were already approved under the new eIDAS scheme on 1 January 2017.
For new services, the emergence of an approved offering will take time.
It is not only that the services are new and that they must find their markets, but also that their final status is still subject to the completion of standardization work.
This is the case, for example, for:
- the long-term conservation of signatures,
- the sending of electronic registered post,
- remote digital signatures.
Therefore, we must wait a little longer to appreciate these new services' true potential, but the Regulation seems to be heading in exactly the right direction.
2017 is a pivotal year for eIDAS
In a nutshell:
2017 marks a turning point in the implementation of the eIDAS Regulation thanks to a twofold implementation:
- The new approved trust services.
- The notification of the first digital identification schemes.
These are significant advances that will allow economic players to gather the first fruits of the Regulation.
This stage should be seen as part of the European digital single market, a market that the European Commission believes can generate about 405 billion euros per year, a considerable sum.
If the promises of simplicity, security, and interoperability are to be achieved for the user, it will be through a framework of digital trust that frees users from uncoordinated and separate infrastructures.
A word of caution here.
Of course, as we recommend to our customers, complexity should be hidden from the user.
It's pretty obvious once you think about it. Communicating about the legal validity of the system and the extraordinary security effort behind it only generates mistrust.
The governance organization for the identification system, its technicalities, and the associated expertise should stay backstage, where they belong.
eIDAS Regulation and Thales
Digital trust is Thales' core business.
Aware of the digital single market's development potential and of the risks of cybercrime, we naturally welcome the work done by legislators and the Member States to remove obstacles and put in place the ingredients that will boost the virtuous circle of digital transformation.
In this context, we have made our security experts available to Mandate M/460 to contribute to assessing security risks and developing a regulatory framework for the interoperability of systems.
We are continuing this work within CEN and ETSI's standardization groups supporting the Regulation implementation.
Thanks to our expertise and field experience, our electronic identity solutions portfolio enables our clients, private companies and government agencies alike, to benefit from proven solutions compatible with the eIDAS Regulation and its associated implementing acts.
We provide secure means of identification (electronic identity documents, residents' cards, and social security cards) and approved signature creation devices certified under the Common Criteria procedure (EAL5+ as a minimum), the highest level of assurance defined by the Regulation.
Our Public Key Infrastructure (PKI) authentication solutions enable a user's digital identity to be validated securely on a public or private network. Thus, governments and trusted service providers can meet the Regulation's requirements to establish secure and reliable cross-border transactions.
Now it's your turn
We look forward to your thoughts on eIDAS and its implementation challenges. Feel free to leave comments or ask any questions in the box below.