EU regulation on electronic identification and trust services eIDAS
On July 1st 2016, the Regulation on electronic identification and trust services, more commonly known as eIDAS, will replace the 17-year-old eSignature Directive 1999/93/EC and become directly applicable in all 28 EU Member States. Being a Regulation rather than a Directive, it applies without national transposition. The new rules are meant to boost economic growth by encouraging trust in the digital world and in the European Digital Single Market. Transparency and the highest security standards form the basis of such a trusted environment.
What is eIDAS?
Adopted in July 2014, EU Regulation No 910/2014 on electronic identification (eID) and trust services (eTS) sets a milestone for access to public services and secure online transactions across EU borders. At the core of the so-called eIDAS Regulation, electronic interactions between citizens, businesses (especially SMEs) and public authorities are to be facilitated in two ways:
- National eID means (for example electronic identity cards) issued under a notified national eID scheme shall give access to public services in other eID-enabled EU countries, using mechanisms that make national eID systems comparable and interoperable across borders.
- eTS such as electronic (including remote) signatures, electronic seals, time-stamping, electronic registered delivery, electronic documents and website authentication certificates will work across countries; a qualified electronic signature has the same legal effect as a handwritten signature, and an electronic document may not be denied legal effect solely because it is in electronic form.
Electronic trust services across borders consist of [acc. eIDAS Art. 3 (16)]:
- “the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to these services, or
- the creation, verification and validation of certificates for website authentication; or
- the preservation of electronic signatures, seals or certificates related to these services.”
In practical terms, this means more convenient and at the same time more secure cross-border electronic submission of tax declarations, online and mobile payments, use of e-healthcare services, public e-procurement, online opening of bank accounts or the launch of a business with all its requirements and implications, to name just a few.
The Timeline …
The following key dates give an overview of achieved milestones and what is next for the adoption and practical consequences of eIDAS.
Between the Commission's proposal in June 2012 and July 2014, the European Parliament, the Commission and the Council reached agreement on “eIDAS” and adopted the new Regulation (by the European Parliament on April 3rd 2014 and by the Council on July 23rd 2014).
… of the Implementation
Now, mechanisms need to be put in place to make national eID systems comparable and interoperable. Since September 18th 2015 (the date from which the eID provisions of Art. 7 to 12 apply), Member States can notify their national eID scheme for inclusion in the EU eID framework, provided it meets the required assurance level and interoperability criteria. Subsequently, Member States will have to accept notified electronic identification means of other Member States for their online public services that are accessible with a national eID; this mutual recognition becomes mandatory on September 29th 2018.
Qualified Trust Service Providers and the qualified trust services they offer will be listed in national “Trusted Lists” established, maintained and published by each Member State under the responsibility of its national supervisory body [acc. eIDAS Art. 22]. The lists leave no doubt as to the status of a service provider or service: qualified (appears on a Trusted List) or not. Because Art. 22 requires the lists to be published in electronically signed or sealed form suitable for automated processing, validation software can use them to check the qualified status of the certificate behind an eSignature, eSeal, time stamp, etc. Users of a specific qualified trust service, whether citizen, business or public authority, obtain the associated legal effects only if the provider and the service are listed as qualified on one of the national Trusted Lists. Qualified Trust Service Providers may additionally display the EU Trust Mark [acc. eIDAS Art. 23] to make their qualified status visible to users.
Of major importance is the upcoming date of July 1st 2016, when the old eSignature Directive will be repealed and replaced by the new eIDAS Regulation, which applies directly in all 28 EU Member States.
However, a period for smooth transition has been granted, during which the Transitional Measures [acc. eIDAS Art. 51] apply:
- Secure signature creation devices whose conformity was determined under the eSignature Directive are considered qualified electronic signature creation devices under eIDAS.
- Qualified certificates issued to natural persons under the eSignature Directive remain qualified certificates for electronic signatures until they expire.
- Certification Service Providers issuing qualified certificates under the Directive must submit a conformity assessment report to their supervisory body as soon as possible and no later than July 1st 2017; until the report has been submitted and assessed, they are considered qualified Trust Service Providers under the new Regulation.
The Remaining Challenges
Major challenges stem from the fact that most trust services were previously regulated only at national level, because the EU eSignature Directive covered certificates for electronic signatures alone. The result is a patchwork of national systems with differing compliance requirements and differing legal status and validity of trust services.
For the future, common technical standards as well as common data protection and privacy standards are key to ensuring a transparent and sufficiently secure environment for cross-border online transactions.
For the secure execution of their operations and services, Trust Service Providers can rely on certified cryptographic modules used as qualified electronic signature creation devices (QSCDs), such as smart cards or hardware security modules (HSMs). “Conformity of qualified electronic signature creation devices with [EU] requirements […] shall be certified by appropriate public or private bodies designated by Member States” [acc. eIDAS Art. 30 & 31]. At this point in time, the definition of the detailed technical requirements is still in progress (see the currently outlined requirements in the information box below).
As a manufacturer of HSMs, Utimaco is involved in defining these technical requirements (by participating in the working group CEN TC 224 WG17) and in achieving conformity with them. The Common Criteria certification against the CEN protection profile “PP-5” (CEN 419 221-5, cryptographic module for trust services; currently considered to be the certification eIDAS will require) for Utimaco SecurityServer 4.0 together with the hardware component Se-Series Gen2 anticipates the upcoming regulatory changes as well as the related partner and customer requirements.