The eIDAS regulation provides a legal and technical framework on electronic identification and trust services for electronic transactions in the internal market to enable secure and seamless electronic interactions between businesses, citizens and public authorities. These frameworks provide significant benefits to organisations and end users. eIDAS has been around in the EU since 2014 and has been evolving ever since. Most recently, the European Commission ran an open consultation, from 24 July to 2 October 2020, to collect feedback on drivers and barriers to the development and uptake of eID and trust services in Europe, and on the impacts of the options for delivering an EU digital identity. For this article, we've interviewed Wim Coulier, Jérôme Bordier and Guillaume Forget, three eIDAS experts, who have something to say about this.
“We love eIDAS. It has proven to be a real success, especially for TSPs. Today qualification is the rule and finally we can compare two TSPs to each other. But the digital world keeps evolving so the regulation must do too.”
– Jérôme Bordier, Director of SEALWeb
Based on the interviews, we identified 3 important gaps in the regulation that call for changes:
1. What about the private sector?
The arrival of the eIDAS regulation has certainly been a big step forward in terms of harmonization, interoperability and mutual recognition of electronic identity schemes (eIDs) among Member States. And although opinions differ widely, we'll probably still need the government for a long time to be the authentic source for an official identity (eID). So it's a good thing that it's regulated.
But we see an important movement in many countries where more and more national eID schemes are being led by the private sector (e.g. SPID in Italy, itsme® in Belgium, …). This shows that not only the public sector but also the private sector plays a key role in constructing a Europe in which national eID schemes are recognized across borders. And that might be precisely what is missing in eIDAS: a regulated framework for private identity issuers.
Wim Coulier, eIDAS expert for itsme®, claims:
“I believe the eIDAS regulation is missing certification and the different assurance levels for the private sector like we have assurance levels low, substantial and high for the public sector. Issuing an identity is something that can be perfectly done too by private companies who are certified just like they would be certified for other trust services.”
2. Auditing is not clearly consistent
The problem today is not a lack of expertise. The problem lies in the audit procedures. The way a TSP is audited in the Netherlands, for example, is not necessarily the same as in Italy or another country. This means that two TSPs can be audited in totally different ways and still reach the same outcome. This is inconsistent with the reason the regulation was established: to create harmonization, transparency and interoperability. The experts agreed that there is a need for a homogeneous procedure for auditing and qualification throughout the European Union, applied everywhere with the same transparency and the same clarity.
“A measure that could be introduced would be to limit the power of the local supervisory body, but maybe have a global taskforce at the European Commission. So that the rules that are actually set on a central level would be enforced in the same way throughout all EU member states. It is done in other industries, like the Pharma industry, so why not here?”
adds Guillaume Forget, Managing Director at Cryptomathic.
3. Need for certification of electronic signature creation services
Today, you can be audited to become a Qualified Trust Service Provider for validation services, the creation of electronic signatures and website certificates, timestamps, preservation services and registered delivery services.
But if we want anybody to feel confident to make the switch to digital signatures, we need to prove that a digital signature is reliable. That is why we need an official creation service for electronic signatures to be included in the eIDAS regulation.
Jérôme Bordier states:
“In the list of services, that precisely was written for the regulation, it should have been clearly stated that an electronic signature service can be qualified.”
For now, we'll have to wait and see what the European Commission will do with the recommendations. The experts unanimously agree that there will be a new version of the eIDAS regulation in the future. The main question is when. Connective is already looking forward to this!
About the experts
Wim is an eIDAS expert for Belgian Mobile ID, the company behind the innovative identity initiative in Belgium called ‘itsme®’. Wim has significant experience implementing large projects and programs. He has proven strength in business and IT alignment and the ability to combine technical knowledge with a helicopter view. He also has very strong expertise in Trust Services (PKI certificates, electronic signatures, eID, eIDAS regulation, …).
Jérôme Bordier is Director and founder of SEALWeb. Jérôme is a recognized expert on the subjects of digital identity, electronic signature, digital contract management and digital trust services. He is also General Secretary of the ClubPSCo association (www.clubpsco.fr), an institutional organization that brings together more than 30 French providers of eIDAS-qualified trust services, and an expert on these subjects with ENISA (European CyberSecurity Agency).
Guillaume is Managing Director at Cryptomathic GmbH, where he leads the German subsidiary operations. Guillaume is also a global eSignature evangelist and is responsible for the eSignature domain, where he drives Cryptomathic's initiatives around eIDAS remote signing and what you see is what you sign. Guillaume has more than 15 years of experience in deploying and integrating signature technology and services at the highest assurance level.