Demystifying eIDAS – Key Dates & Challenges Highlighted

May 30, 2016

EU regulation on electronic identification and trust services eIDAS

On July 1st 2016, the Regulation on electronic identification and trust services, more commonly known as eIDAS, will replace the 17-year-old eSignature Directive 1999/93/EC and become directly applicable in all 28 EU Member States. The new Regulation is meant to boost economic growth by encouraging trust in the digital world and in the European Digital Single Market. Transparency and the highest security standards are the basis for creating such a trusted environment.


What is eIDAS?

Adopted in July 2014, EU regulation N°910/2014 on electronic identification (eID) and trust services (eTS) sets a milestone for access to public services and secure online transactions across EU State borders. At the core of the so-called eIDAS Regulation, electronic interactions between citizens, businesses (especially SMEs) and public authorities shall be facilitated in two ways:

  • National identity cards shall provide access to public services in other eID-enabled EU countries, using mechanisms to make national eID systems comparable and interoperable across borders.
  • eTS such as electronic (remote) signatures & electronic seals, time-stamping, electronic documents and website authentication will work across countries and be accorded the same legal status and validity as paper-based interactions.


_________________________________________________________________________________________________________________________________________________
Electronic Trust Services across borders, consisting of [acc. eIDAS Art. 3 (16)]:

  • “the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to these services, or
  • the creation, verification and validation of certificates for website authentication; or
  • the preservation of electronic signatures, seals or certificates related to these services. ”

_________________________________________________________________________________________________________________________________________________


The Motivation

In practical terms, this means more convenient and yet more secure cross-border electronic submission of tax declarations, online & mobile payment, use of e-healthcare services or public e-procurement, online opening of bank accounts or the launch of a business with all its requirements and implications – to name just a few.


The Timeline …

The following key dates give an overview of achieved milestones and what is next for the adoption and practical consequences of eIDAS.
Between June 2012 and July 2014, the European Parliament, the Commission and the Council negotiated and agreed on “eIDAS” and adopted the new Regulation (the European Parliament on April 3rd 2014, the Council on July 23rd 2014).


… of the Implementation

Now, mechanisms need to be put in place to make national eID systems comparable and interoperable. Since July 2015, Member States can notify their national eID scheme for inclusion in the EU eID framework, provided they fulfil certain criteria. Subsequently, Member States will have to accept the notified electronic identification means of other Member States for those of their online public services that are accessible with a national eID.
Trust Service Providers will be organized in closed national “Trusted Lists” managed by a national supervisory body. These leave no doubt as to the status of a service provider or service (qualified if it appears on a Trusted List, otherwise not) and facilitate the validation of eSignatures, eSeals, etc. Users of a specific qualified trust service, whether citizen, business or public authority, benefit from the associated legal effects only if both the provider and the service are listed as qualified on one of the national Trusted Lists. Trust Service Providers may use the EU Trust Mark to strengthen user confidence and make qualified services easier to recognize.
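
The check a relying party makes against a Trusted List, as an added example that is not part of the original article and not Utimaco code: given the issuer of a signing certificate, is that issuer listed as a qualified-certificate CA with status "granted" at the signing time? The list fragment is constructed for illustration; it follows the element names and service-type/status URIs of ETSI TS 119 612 (the format of the national Trusted Lists), but the provider, service names and key identifiers are invented. A real list is signed XML: verify that signature (and the list's presence in the EU List of Trusted Lists) before trusting any entry, and walk ServiceHistory for the status that applied at the signing time; this example evaluates only the current status.

```python
"""Qualified-status lookup against a (simplified) Trusted List.

Added example, not code from the article or from Utimaco. The Trusted List
fragment below is constructed for illustration: it uses the element names and
URIs of ETSI TS 119 612, but the provider, service names and key identifiers
are invented. A real list is signed XML whose signature must be verified first.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
# Service type and status URIs as used in ETSI TS 119 612 Trusted Lists.
QC_CA = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"

# Constructed sample: one fictitious provider with a granted and a withdrawn CA.
# The X509SKI values are base64 of the bytes 00..13 and ff..ec respectively.
SAMPLE_TL = """<?xml version="1.0" encoding="UTF-8"?>
<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">
  <TrustServiceProviderList>
    <TrustServiceProvider>
      <TSPInformation><TSPName><Name xml:lang="en">Example Trust GmbH</Name></TSPName></TSPInformation>
      <TSPServices>
        <TSPService>
          <ServiceInformation>
            <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
            <ServiceName><Name xml:lang="en">Example Qualified CA 1</Name></ServiceName>
            <ServiceDigitalIdentity><DigitalId><X509SKI>AAECAwQFBgcICQoLDA0ODxAREhM=</X509SKI></DigitalId></ServiceDigitalIdentity>
            <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</ServiceStatus>
            <StatusStartingTime>2016-07-01T00:00:00Z</StatusStartingTime>
          </ServiceInformation>
        </TSPService>
        <TSPService>
          <ServiceInformation>
            <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
            <ServiceName><Name xml:lang="en">Example Legacy CA</Name></ServiceName>
            <ServiceDigitalIdentity><DigitalId><X509SKI>//79/Pv6+fj39vX08/Lx8O/u7ew=</X509SKI></DigitalId></ServiceDigitalIdentity>
            <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn</ServiceStatus>
            <StatusStartingTime>2017-01-01T00:00:00Z</StatusStartingTime>
          </ServiceInformation>
        </TSPService>
      </TSPServices>
    </TrustServiceProvider>
  </TrustServiceProviderList>
</TrustServiceStatusList>
"""


def _ts(text):
    """Parse a Trusted List UTC timestamp such as 2016-07-01T00:00:00Z."""
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_trusted_list(xml_text):
    """Return one dict per TSPService: provider, name, type, status, since, skis."""
    root = ET.fromstring(xml_text)
    services = []
    for tsp in root.iterfind(".//tsl:TrustServiceProvider", NS):
        provider = tsp.findtext("tsl:TSPInformation/tsl:TSPName/tsl:Name", default="", namespaces=NS)
        for info in tsp.iterfind("tsl:TSPServices/tsl:TSPService/tsl:ServiceInformation", NS):
            # A service is identified by the SubjectKeyIdentifier(s) of its CA certificate(s).
            skis = {
                base64.b64decode(e.text.strip())
                for e in info.iterfind("tsl:ServiceDigitalIdentity/tsl:DigitalId/tsl:X509SKI", NS)
            }
            services.append({
                "provider": provider,
                "name": info.findtext("tsl:ServiceName/tsl:Name", default="", namespaces=NS),
                "type": info.findtext("tsl:ServiceTypeIdentifier", default="", namespaces=NS).strip(),
                "status": info.findtext("tsl:ServiceStatus", default="", namespaces=NS).strip(),
                "since": _ts(info.findtext("tsl:StatusStartingTime", namespaces=NS)),
                "skis": skis,
            })
    return services


def qualified_ca_status(services, issuer_ski, at):
    """Is the CA identified by issuer_ski (SubjectKeyIdentifier bytes of the
    certificate issuer) listed as a granted QC-issuing CA at datetime `at`?
    Returns (qualified, reason). Only the current status is considered; a full
    check also walks ServiceHistory for the status that applied at `at`."""
    for svc in services:
        if issuer_ski not in svc["skis"] or svc["type"] != QC_CA:
            continue
        label = f'{svc["provider"]} / {svc["name"]}'
        if svc["status"] != GRANTED:
            return False, f'{label}: status {svc["status"].rsplit("/", 1)[-1]}'
        if at < svc["since"]:
            return False, f'{label}: granted only from {svc["since"].date()}'
        return True, f'{label}: granted since {svc["since"].date()}'
    return False, "issuer not found on the Trusted List: no qualified legal effect"


def check_issuer(issuer_ski, at_iso, xml_text=SAMPLE_TL):
    """Convenience wrapper: Trusted List XML + issuer SKI + ISO timestamp -> (qualified, reason)."""
    return qualified_ca_status(parse_trusted_list(xml_text), issuer_ski, _ts(at_iso))


if __name__ == "__main__":
    for ski, when in [(bytes(range(20)), "2018-01-01T00:00:00Z"),
                      (bytes(range(20)), "2016-01-01T00:00:00Z"),
                      (bytes(range(255, 235, -1)), "2018-01-01T00:00:00Z"),
                      (bytes(20), "2018-01-01T00:00:00Z")]:
        print(when, check_issuer(ski, when))
```

The SKI comparison is only meaningful after the signing certificate has been chained to the issuer certificate with ordinary X.509 path validation; the Trusted List tells you whether that issuer confers qualified status, not whether the signature itself is valid.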
Of major importance is the upcoming date of July 1st 2016, when the old eSignature Directive is repealed and replaced by the eIDAS Regulation, which applies directly in all 28 EU Member States.
However, a period for smooth transition has been granted, during which the Transitional Measures [acc. eIDAS Art. 51] apply:

  • Qualified certificates issued to natural persons under the eSignature Directive remain qualified certificates until they expire, and
  • Certification Service Providers issuing qualified certificates under the Directive have one year (until July 1st 2017) to submit a conformity assessment report to their supervisory body; until that report has been submitted and assessed, they are considered qualified Trust Service Providers under eIDAS.


The Remaining Challenges

A major challenge is that the eSignature Directive covered only certificates for electronic signatures, so most other trust services were regulated at national level. The result is a patchwork of differing compliance requirements and of differing legal status and validity of trust services across Member States.
For the future, common technical as well as data protection and privacy standards are key to ensure a transparent and sufficiently secure environment for online transactions across borders.
For the secure execution of their operations and services, Trust Service Providers can rely on cryptographic modules used as qualified electronic signature creation devices, such as smart cards or hardware security modules (HSMs). “Conformity of qualified electronic signature creation devices with [EU] requirements […] shall be certified by appropriate public or private bodies designated by Member States” [acc. eIDAS Art. 30 & 31]. At this point in time, the definition of the detailed technical requirements is still in progress (see the currently outlined requirements in the information box below).
As a manufacturer of HSMs, Utimaco is involved both in defining these technical requirements (through its participation in the working group CEN TC 224 WG17) and in achieving conformity with them. The Common Criteria PP-5 certification (currently considered to be the certification required by eIDAS) of Utimaco SecurityServer 4.0 together with the hardware component Se-Series Gen2 anticipates the upcoming regulatory changes as well as the related partner and customer requirements.


_________________________________________________________________________________________________________________________________________________

Requirements for qualified electronic signature creation devices [acc. eIDAS Annex II]

  1. Qualified electronic signature creation devices shall ensure, by appropriate technical and procedural means, that at least:
    (a)    the confidentiality of the electronic signature creation data used for electronic signature creation is reasonably assured;
    (b)    the electronic signature creation data used for electronic signature creation can practically occur only once;
    (c)    the electronic signature creation data used for electronic signature creation cannot, with reasonable assurance, be derived and the electronic signature is reliably protected against forgery using currently available technology;
    (d)    the electronic signature creation data used for electronic signature creation can be reliably protected by the legitimate signatory against use by others.
  2. Qualified electronic signature creation devices shall not alter the data to be signed or prevent such data from being presented to the signatory prior to signing.
  3. Generating or managing electronic signature creation data on behalf of the signatory may only be done by a qualified trust service provider.
  4. Without prejudice to point (d) of point 1, qualified trust service providers managing electronic signature creation data on behalf of the signatory may duplicate the electronic signature creation data only for back-up purposes provided the following requirements are met:
    (a)    the security of the duplicated datasets must be at the same level as for the original datasets;
    (b)    the number of duplicated datasets shall not exceed the minimum needed to ensure continuity of the service.

_________________________________________________________________________________________________________________________________________________

Sources:

* eIDAS Regulation infographic 2016
* EU Digital Single Market – Trust Services and eID
* eIDAS Regulation (EU) N°910/2014
* Colette Cuijpers, Jessica Schroers (Radboud University/KU Leuven), “eIDAS as guideline for the development of a pan European eID framework in FutureID”