EU regulation on electronic identification and trust services eIDAS
On July 1st 2016, the Regulation on electronic identification and trust services, more commonly known as eIDAS, will replace the 17-year-old eSignature Directive 1999/93/EC and become directly applicable in all 28 EU Member States. The new Regulation is meant to boost economic growth by encouraging trust in the digital world and in the European Digital Single Market. Transparency and the highest security standards are the basis for creating such a trusted environment.
What is eIDAS?
Adopted in July 2014, EU Regulation N°910/2014 on electronic identification (eID) and trust services (eTS) sets a milestone for access to public services and secure online transactions across EU borders. At its core, the so-called eIDAS Regulation is meant to facilitate electronic interactions between citizens, businesses (especially SMEs) and public authorities in two ways:
Electronic Trust Services across borders, consisting of [acc. eIDAS Art. 3 (16)]:
In practical terms, this means more convenient and at the same time more secure cross-border electronic submission of tax declarations, online and mobile payment, use of e-healthcare services or public e-procurement, online opening of bank accounts or the launch of a business with all its requirements and implications, to name just a few.
The Timeline …
The following key dates give an overview of achieved milestones and what is next for the adoption and practical consequences of eIDAS.
Between June 2012 and July 2014, the European Parliament, the Commission and the Council negotiated and reached agreement on "eIDAS", and the new eIDAS Regulation was formally adopted (on April 3rd 2014 by the European Parliament and on July 23rd 2014 by the Council).
… of the Implementation
Now, mechanisms need to be put in place to make national eID systems comparable and interoperable. Since July 2015, Member States can notify their national eID scheme for inclusion in the EU eID framework, provided it fulfills certain criteria (in particular an assurance level of low, substantial or high). Subsequently, Member States will have to accept the notified eIDs of other Member States for their online public services that are accessible by means of a national eID, where the notified scheme's assurance level is equal to or higher than the one the service requires.
Trust Service Providers will be organized in national "Trusted Lists" managed by a national supervisory body. These lists leave no doubt as to the status of a service provider or service, qualified (listed as such on the Trusted List) or not, and facilitate the validation of eSignatures, eSeals, etc. Users of a specific qualified trust service, whether citizen, business or public authority, benefit from the associated legal effects only if both the provider and the service are listed as qualified on one of the national Trusted Lists, and only for the period during which that status is in force. An EU Trust Mark can be used by qualified Trust Service Providers to strengthen user confidence and make qualified services easier to recognize.
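The check a relying party has to make in practice is the one described above: is the CA that issued the signer's certificate listed as a qualified service, with status "granted", at the time the signature was made? The following is an added example, not code from the original article and not Utimaco's product code. It assumes the ETSI TS 119 612 XML layout that the Member States' Trusted Lists follow (the namespace, status and service-type URIs are those of that specification); the list embedded below is constructed for the example and is not a real national list, and the provider and CA names in it are invented.

```python
"""Look up a trust service's status in an eIDAS-style Trusted List.

Added example (not part of the original article). Assumes the ETSI TS 119 612
XML layout used by the EU Member States' Trusted Lists. SAMPLE_TL is a
constructed, minimal list with invented names, not a real national list.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
QC_CA = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"  # CA issuing qualified certificates

# Constructed sample: CA 1 has been qualified since 2016-07-01; CA 2 was qualified
# from 2016-07-01 but its status was withdrawn on 2017-03-01 (kept in ServiceHistory).
SAMPLE_TL = """<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">
 <TrustServiceProviderList><TrustServiceProvider>
  <TSPInformation><TSPName><Name xml:lang="en">Example Trust GmbH</Name></TSPName></TSPInformation>
  <TSPServices>
   <TSPService><ServiceInformation>
    <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Example Qualified CA 1</Name></ServiceName>
    <ServiceDigitalIdentity><DigitalId><X509SubjectName>CN=Example Qualified CA 1,O=Example Trust GmbH,C=DE</X509SubjectName></DigitalId></ServiceDigitalIdentity>
    <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</ServiceStatus>
    <StatusStartingTime>2016-07-01T00:00:00Z</StatusStartingTime>
   </ServiceInformation></TSPService>
   <TSPService><ServiceInformation>
    <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Example Qualified CA 2</Name></ServiceName>
    <ServiceDigitalIdentity><DigitalId><X509SubjectName>CN=Example Qualified CA 2,O=Example Trust GmbH,C=DE</X509SubjectName></DigitalId></ServiceDigitalIdentity>
    <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn</ServiceStatus>
    <StatusStartingTime>2017-03-01T00:00:00Z</StatusStartingTime>
   </ServiceInformation>
   <ServiceHistory><ServiceHistoryInstance>
    <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Example Qualified CA 2</Name></ServiceName>
    <ServiceDigitalIdentity><DigitalId><X509SubjectName>CN=Example Qualified CA 2,O=Example Trust GmbH,C=DE</X509SubjectName></DigitalId></ServiceDigitalIdentity>
    <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</ServiceStatus>
    <StatusStartingTime>2016-07-01T00:00:00Z</StatusStartingTime>
   </ServiceHistoryInstance></ServiceHistory></TSPService>
  </TSPServices>
 </TrustServiceProvider></TrustServiceProviderList>
</TrustServiceStatusList>"""


def utc(year, month, day):
    """Convenience constructor for a UTC timestamp (midnight)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _status_entries(service):
    """Yield (start_time, status_uri, service_type) for the current entry and each history entry."""
    entries = [service.find("tsl:ServiceInformation", NS)]
    entries += service.findall("tsl:ServiceHistory/tsl:ServiceHistoryInstance", NS)
    for e in entries:
        yield (_parse_time(e.findtext("tsl:StatusStartingTime", namespaces=NS)),
               e.findtext("tsl:ServiceStatus", namespaces=NS),
               e.findtext("tsl:ServiceTypeIdentifier", namespaces=NS))


def status_at(tl_xml, issuer_subject, at):
    """Return (tsp_name, status_uri, service_type) in force for the CA with the given
    X.509 subject name at time `at`, or None if it is not listed (yet) at that time."""
    root = ET.fromstring(tl_xml)
    for tsp in root.iterfind(".//tsl:TrustServiceProvider", NS):
        tsp_name = tsp.findtext("tsl:TSPInformation/tsl:TSPName/tsl:Name", namespaces=NS)
        for svc in tsp.iterfind("tsl:TSPServices/tsl:TSPService", NS):
            subj = svc.findtext(
                "tsl:ServiceInformation/tsl:ServiceDigitalIdentity/tsl:DigitalId/tsl:X509SubjectName",
                namespaces=NS)
            if subj != issuer_subject:
                continue
            # The status in force at `at` is the latest entry that started on or before `at`.
            in_force = [e for e in _status_entries(svc) if e[0] <= at]
            if not in_force:
                return None
            _start, status, stype = max(in_force, key=lambda e: e[0])
            return tsp_name, status, stype
    return None


def is_qualified(tl_xml, issuer_subject, at):
    """True only if the issuing CA is listed as a qualified-certificate CA with status
    'granted' at time `at`; any other status, type, or absence from the list yields False."""
    entry = status_at(tl_xml, issuer_subject, at)
    return entry is not None and entry[1] == GRANTED and entry[2] == QC_CA


if __name__ == "__main__":
    ca2 = "CN=Example Qualified CA 2,O=Example Trust GmbH,C=DE"
    print(is_qualified(SAMPLE_TL, ca2, utc(2016, 9, 1)))   # qualified at signing time
    print(is_qualified(SAMPLE_TL, ca2, utc(2018, 1, 1)))   # status withdrawn since 2017-03-01
```

The point of carrying the ServiceHistory along is that a signature's qualified status is judged at signing time, so a CA whose status was later withdrawn still validates signatures made while it was "granted". A production validator additionally verifies the XML signature on the list itself, locates the national list through the EU List of Trusted Lists, and evaluates the service's qualification extensions; none of that is in this example.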
Of major importance is the upcoming date of July 1st 2016, when the old eSignature Directive will be repealed and replaced by the new eIDAS Regulation, which applies directly in all 28 EU Member States without national transposition.
However, a period for smooth transition has been granted, during which the Transitional Measures [acc. eIDAS Art. 51] apply:
The Remaining Challenges
Major challenges arise because a large part of the trust services was previously regulated at national level only: the EU eSignature Directive covered certificates for electronic signatures and nothing else. The result was a patchwork of national systems with numerous differences in compliance requirements as well as in the legal status and validity of trust services.
For the future, common technical as well as data protection and privacy standards are key to ensure a transparent and sufficiently secure environment for online transactions across borders.
For the secure execution of their operations and services, Trust Service Providers can rely on cryptographic modules used as qualified electronic signature creation devices, such as smart cards or hardware security modules (HSMs). "Conformity of qualified electronic signature creation devices with [EU] requirements [...] shall be certified by appropriate public or private bodies designated by Member States" [acc. eIDAS Art. 30 & 31]. At this point in time, the definition of the detailed technical requirements is still in progress (see the currently outlined requirements in the information box below).
As a manufacturer of HSMs, Utimaco is at the forefront of defining these technical requirements (by participating in the working group CEN TC 224 WG17) and of achieving conformity with them. The Common Criteria PP-5 certification (currently considered to be the certification eIDAS will require) for Utimaco SecurityServer 4.0 together with the hardware component Se-Series Gen2 anticipates the upcoming regulatory changes as well as the related partner and customer requirements.
Requirements for qualified electronic signature creation devices [acc. eIDAS Annex II]
* eIDAS Regulation infographic 2016
* EU Digital Single Market – Trust Services and eID
* eIDAS Regulation (EU) N°910/2014
* Colette Cuijpers, Jessica Schroers (Radboud University/KU Leuven): "eIDAS as guideline for the development of a pan European eID framework in FutureID"