11/07/2024
Digital identity and trust services
New safety requirements

Thanks to the revision of the European eIDAS regulation, a true digital identity will be established at the European level, including the creation of a digital wallet to prove identity, store official documents and introduce new trust services.

The growing dematerialisation of exchanges, which gives everyone access to a wide range of goods and services, must go hand in hand with protecting users - citizens and businesses alike - against cybersecurity risks. It is only by providing a reliable, secure and harmonised framework for electronic identification and secure transactions that the EU will be able to meet the challenges of the "Digital Decade". With the revision of the eIDAS regulation, Europe is giving itself the means to achieve its ambitions.

Why revise the eIDAS regulation?

Regulation 910/2014 of 23 July 2014 (1), which essentially came into force on 1 July 2016, establishes a common framework for the mutual recognition of electronic means of identification and electronic signature systems to secure electronic transactions in the Union. After just a few years of application, the results are not up to the mark: a low number of notifications of electronic identification schemes, insufficient European interoperability and poor knowledge of the processes in place on the part of companies and individuals alike. Furthermore, while the needs of the private sector are growing, the eIDAS regulation still prioritises the needs of public service. It does not cover emerging uses in banking, finance, education, health, e-commerce, etc. The European Commission's "Digital Compass" plan proposes a new, more global trajectory.

eIDAS 2: regulations tailored to a wide range of use cases

The eIDAS 2 regulation should enable the development of new use cases.
These include mobility (e.g., ticket verification, mobile driving licenses), employment (e.g., diploma certification), healthcare (e.g., electronic prescriptions) and online payments (e.g., strong authentication). In line with the real uses of individuals and businesses, the proposed regulation proposes an approach based on the following principles: large-scale experimentation and feedback to improve regulations and integrate them as effectively as possible within each member state. The test project, launched in April 2023, should continue until 2025, with an evaluation of project results and recommendations for implementing the regulations.

What are the main benefits of eIDAS 2?

From digital identity to the European digital identity wallet

While eIDAS 1 has enabled the development of digital identity systems, notably with several levels of certification, eIDAS 2 will go much further with the introduction of a Europe-wide framework for digital identity security. The European Digital Identity Wallet (EDIW) will enable people to:

- Prove their identity without resorting to national identity solutions alone.
- Store their data: the wallet can contain an electronic signature issued by a qualified service provider.
- Manage all their official documents in electronic format (e.g., driving licenses, medical prescriptions, university diplomas, residence permits).

The data stored in the EDIW can be used for a wide range of services, such as car rental, airport check-in, university enrollment, apartment rental or opening a bank account. This digital identity wallet will be usable throughout the European Union, regardless of the country of issue. In addition, the major platforms will have to accept its use, notably to enable Internet users to prove their age.
Digital identity service providers will be approved and monitored, and the EDIW will be supervised by a national trust authority, in France ANSSI.

A digital wallet that creates value for EU businesses

This European framework should "create economic value by facilitating access to goods and services" and "significantly reduce the operational costs of electronic identification procedures" (2). Indeed, the system should facilitate the enrolment of new customers, while reducing the risks of cybercrime (identity theft, fraudulent payment, data theft). eIDAS 2 will thus support the digital transformation of small and medium-sized European businesses in complete security. Additionally, information from a single direction will reduce the administrative burden on public authorities and support the cross-border mobility of European citizens and businesses.

Risks linked to the development of digital identity identified by the CNIL

While the digital identity wallet has various beneficial features, such as optional and free issuance, management left to the bearer, minimal use of data provided and easier access for citizens to their digital identity, the CNIL in France has warned against the risks posed by the proposal to create a "unique and permanent identifier" introduced by the European Commission. While this type of identifier facilitates the interoperability of national systems, it also gives rise to numerous risks of profiling, tracking of citizens and interconnection of files. The final version of the eIDAS 2 (3) regulation is silent on this point, even though many questions remain.

What's new for trust services?

Greater reliability of website authentication certificates

The revision of eIDAS will enable authentication certificates to be issued on websites, reinforcing users' confidence in the quality of their content. Internet users will be able to rely more easily on authenticated sites, reducing the risk of fraud.
The trust framework established by the revised version of the text includes some minimum safety obligations to be met along with rules for displaying data and other attested attributes. The obligation under French law to include certain legal notices on a website will probably have to be brought into line with these new obligations regarding the availability of qualified authentication certificates.

New qualified trust services

The current list of trust services has been extended to include two new qualified trust services:

- the provision of electronic archiving services, defined as "a service ensuring the reception, storage, retrieval and deletion of electronic data and documents to guarantee their durability and legibility, as well as to preserve their integrity, confidentiality and proof of origin throughout the preservation period";
- the introduction of electronic registers, defined as "a sequence of electronic data records that should guarantee the integrity of these data and the accuracy of their chronological classification".

Tougher requirements for advanced electronic signatures

The revised text reinforces the security requirements and standards to be met by advanced signatures. These signatures must create an unambiguous link with the signatory, enable the signatory to be identified, and guarantee that the signed data has not been compromised. The means used to create these signatures must be under the sole control of the signing users (e.g., smartphone). Qualified remote signatures must meet the same requirements as those for advanced signatures but must be based on a certificate issued by a qualified trust service provider. While the eIDAS 2 regulation reinforces trust services, it should not be forgotten that these can be costly and complicated, and require the intervention of a qualified trusted third party.
It is possible to argue that, if the European digital identity wallet proves effective, signatories could, in the future, be identified by this means alone in everyday transactions. The forthcoming entry into force of the revised regulation and its first applications of digital identity in everyday life will be a major step forward. This could lead to a merging of the notions of digital identity and digital authentication. To be continued...

Key points:

- The new version of the eIDAS regulation, which will apply to entities, will be published shortly in the OJEU.
- The amended regulation introduces the European digital identity wallet, which will enable users to prove their identity, store data and manage all their official documents.
- In terms of trust services, certificates for website authentication will be issued, new trust services will be introduced, and security requirements for advanced electronic signatures will be strengthened.

Article published in Option Finance on 08/04/2024

(1) Regulation on electronic identification and trust services for electronic transactions within the internal market, or Electronic Identification and Trust Services Regulation (eIDAS).
(2) Extract from the European Parliament's proposal for a regulation adopted at first reading on February 29, 2024.
(3) The idea of creating a unique identifier appeared in the European Parliament's proposal of June 3, 2021, but is no longer expressly mentioned in the version finally voted on February 29, 2024. However, its use is not ruled out.