EIDAS

[Image: The EU trust mark for qualified trust services]
[Image: The EU digital single market and the facilitation of public services across borders (E-SENS architecture)]

eIDAS (for "electronic IDentification, Authentication and trust Services") is an EU regulation with the stated purpose of governing "electronic identification and trust services for electronic transactions". It passed in 2014 and its provisions came into effect between 2016 and 2018. [1] [2]


Description

eIDAS oversees electronic identification and trust services for electronic transactions in the European Union's internal market. It regulates electronic signatures, electronic transactions, the bodies involved, and the processes in which they are embedded, so that users have a safe way to conduct business online, such as electronic funds transfers or transactions with public services. Both the signatory and the recipient gain convenience and security. Instead of relying on traditional methods, such as mail or facsimile, or appearing in person to submit paper-based documents, they can now perform transactions across borders with the ease of "1-Click" technology. [2] [3]

eIDAS has created standards under which electronic signatures, qualified digital certificates, electronic seals, timestamps, and other authentication mechanisms serve as proof for electronic transactions, giving them the same legal standing as transactions performed on paper. [4]

The regulation came into effect in July 2015 as a means to facilitate secure and seamless electronic transactions within the European Union. Member states are required to recognise electronic signatures that meet the eIDAS standards. [2] [5]

Timeline

The law was established in EU Regulation 910/2014 of 23 July 2014 on electronic identification and repealed 1999/93/EC from 13 December 1999. [1] [2]

It entered into force on 17 September 2014 and has applied from 1 July 2016, except for certain articles, which are listed in its Article 52. [6] All organizations delivering public digital services in an EU member state must recognize electronic identification from all EU member states from 29 September 2018. It applies to all countries in the European Single Market. [7] [8]

In July 2024, the first eIDAS-Testbed was launched by the go.eIDAS-Association with a number of German tech firms and foundations to issue PID-Credentials to Architecture and Reference Framework (ARF)-compliant wallets. [9]

eIDAS is a result of the European Commission's focus on Europe's Digital Agenda. With the commission's oversight, eIDAS was implemented to spur digital growth within the EU. [10]

The intent of eIDAS is to drive innovation. By adhering to the guidelines set for technology under eIDAS, organisations are pushed towards higher levels of information security and innovation. Additionally, eIDAS focuses on the following: [5] [11]

Regulated aspects in electronic transactions

The Regulation provides the regulatory environment for the following important aspects related to electronic transactions: [2]

The eIDAS Regulation evolved from Directive 1999/93/EC, which set a goal that EU member states were expected to achieve with regard to electronic signing. Smaller European countries were among the first to adopt digital signatures and identification; for example, the first Estonian digital signature was issued in 2002 and the first Latvian digital signature in 2006. Their experience was used to develop a now EU-wide regulation that became binding law throughout the EU from 1 July 2016. [15] Directive 1999/93/EC made EU member states responsible for creating laws that would allow them to meet the goal of an electronic signing system within the EU. The directive also allowed each member state to interpret the law and impose restrictions, which prevented real interoperability and led to a fragmented scenario. [16] In contrast with the 1999 directive, eIDAS ensures mutual recognition of eIDs for authentication among member states, [17] thus achieving the goal of the Digital Single Market.

eIDAS provides a tiered approach to legal value. It requires that no electronic signature be denied legal effect or admissibility in court solely because it is not an advanced or qualified electronic signature. [18] Qualified electronic signatures must be given the same legal effect as handwritten signatures. [19]

For electronic seals (the legal-entity counterpart of signatures), probative value is explicitly addressed: seals enjoy a presumption of integrity and of the correctness of the origin of the attached data. [20]

In June 2021, the Commission proposed an amendment and published a recommendation. [21] [22] [23]

Controversy

In 2023, a proposed change to the law was scrutinized because it would potentially enable EU governments to perform man-in-the-middle attacks, including on encrypted communications. [24] The proposal was condemned by groups of cyber security researchers, NGOs, and civil society as a threat to human rights, privacy, and dignity. [25] [26] [27] [28] The proposal relied on the same mechanism as a 2019 attempt at mass surveillance in Kazakhstan.

At the core of this controversy is the second paragraph of the amendment to Article 45, which states: [29]

"Qualified certificates for website authentication referred to in paragraph 1 shall be recognised by web-browsers. [...] Web-browsers shall ensure support and interoperability with qualified certificates for website authentication referred to in paragraph 1, with the exception of enterprises, considered to be microenterprises and small enterprises in accordance with Commission Recommendation 2003/361/EC in the first 5 years of operating as providers of web-browsing services."

Critics claimed that allowing certification authorities (CAs) to issue certificates without going through the auditing and vetting procedures put in place by browser vendors could jeopardize the security of the Internet as a whole and open the door to man-in-the-middle attacks. [30] [31] This would possibly allow government-mandated CAs to issue certificates for any domain name and use them for impersonation, and, most critically, browsers would be unable to remove them as trusted. [30] This is considered particularly concerning in countries with a weaker rule of law, where state and state-connected actors would be able to use the law to spy on their own citizens for political repression and personal gain. There was additional concern that this would allow private actors with state connections to gain access to and misuse the power for their own purposes. [25] [27]

In the final draft, however, provisions were made to enable browser vendors to continue to implement security measures that in practice would make this type of interception difficult to perform without being discovered. [32] Specifically, the final draft text states that:

By way of derogation to paragraph 1 and only in case of substantiated concerns related to breaches of security or loss of integrity of an identified certificate or set of certificates, web-browsers may take precautionary measures in relation to that certificate or set of certificates.

which has been interpreted as allowing browser vendors to continue to use mechanisms such as certificate transparency to maintain browser security. [32] The European Commission's statement on the amendment of Article 45 clarifies this provision and notes that, through an agreement with browser vendors, no restrictions are imposed on browsers' "own security policies". [33]

Design requirements

Database records have to be linked to some kind of identity number. Certifying that a person has the right to access a given piece of personal information involves several steps.

The minimum identity concept in eIDAS consists of the name and date of birth. To access more sensitive information, however, some kind of certification is needed that identity numbers issued by two countries refer to the same person. [34]

Vulnerabilities

In October 2019, two security flaws in eIDAS-Node (a sample implementation of the eID eIDAS Profile provided by the European Commission [35] ) were discovered by security researchers; both vulnerabilities were patched for version 2.3.1 of eIDAS-Node. [36]

European Self-Sovereign Identity Framework

The European Union started creating an eIDAS-compatible European Self-Sovereign Identity Framework (ESSIF), but in many countries, users need to be Google or Apple customers to use eIDAS services.

EUTL

The European Union Trusted Lists (EUTL) is a public list of over 200 active and legacy Trust Service Providers (TSPs) that are specifically accredited to deliver the highest levels of compliance with the EU eIDAS electronic signature regulation. [37]
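As an added example (not code from the article or from any EU tool), the following Python reads a constructed trust-list fragment in the ETSI TS 119 612 XML format used for EU trusted lists and checks whether a CA, identified by its X.509 subject name, is currently listed as a granted qualified-certificate service. The TSP names, CA subject names and dates are constructed; the element names and status URIs follow the ETSI format, and only the current ServiceStatus is examined.

```python
import xml.etree.ElementTree as ET

NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
QC_CA = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"

# Constructed sample trust list (not a real EU list): one active TSP and one
# legacy TSP whose qualified CA service has been withdrawn.
SAMPLE_TL = """<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">
<TrustServiceProviderList>
<TrustServiceProvider><TSPInformation><TSPName><Name>Example Trust AG</Name></TSPName>
</TSPInformation><TSPServices><TSPService><ServiceInformation>
<ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
<ServiceName><Name>Example Qualified CA 1</Name></ServiceName>
<ServiceDigitalIdentity><DigitalId><X509SubjectName>CN=Example Qualified CA 1,O=Example Trust AG,C=DE</X509SubjectName></DigitalId></ServiceDigitalIdentity>
<ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</ServiceStatus>
<StatusStartingTime>2016-07-01T00:00:00Z</StatusStartingTime>
</ServiceInformation></TSPService></TSPServices></TrustServiceProvider>
<TrustServiceProvider><TSPInformation><TSPName><Name>Old Certs Ltd</Name></TSPName>
</TSPInformation><TSPServices><TSPService><ServiceInformation>
<ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
<ServiceName><Name>Old Qualified CA</Name></ServiceName>
<ServiceDigitalIdentity><DigitalId><X509SubjectName>CN=Old Qualified CA,O=Old Certs Ltd,C=FR</X509SubjectName></DigitalId></ServiceDigitalIdentity>
<ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn</ServiceStatus>
<StatusStartingTime>2020-03-15T00:00:00Z</StatusStartingTime>
</ServiceInformation></TSPService></TSPServices></TrustServiceProvider>
</TrustServiceProviderList></TrustServiceStatusList>"""


def list_services(tl_xml):
    """Flatten a trusted list into one dict per TSPService.
    Only the current ServiceStatus is read; a real list also carries a
    ServiceHistory of earlier statuses, which this example ignores."""
    root = ET.fromstring(tl_xml)
    services = []
    for tsp in root.iterfind(".//tsl:TrustServiceProvider", NS):
        tsp_name = tsp.findtext("tsl:TSPInformation/tsl:TSPName/tsl:Name", namespaces=NS)
        for svc in tsp.iterfind("tsl:TSPServices/tsl:TSPService/tsl:ServiceInformation", NS):
            services.append({
                "tsp": tsp_name,
                "name": svc.findtext("tsl:ServiceName/tsl:Name", namespaces=NS),
                "type": svc.findtext("tsl:ServiceTypeIdentifier", namespaces=NS),
                # X509SubjectName is one of the DigitalId forms the format allows;
                # real lists usually also carry the full X509Certificate.
                "subject": svc.findtext("tsl:ServiceDigitalIdentity/tsl:DigitalId/tsl:X509SubjectName", namespaces=NS),
                "status": svc.findtext("tsl:ServiceStatus", namespaces=NS),
                "since": svc.findtext("tsl:StatusStartingTime", namespaces=NS),
            })
    return services


def qualified_ca_status(tl_xml, subject_name):
    """Return (listed, currently_granted) for the CA with this subject name.
    A CA absent from the list, or listed but withdrawn, must not be treated
    as a qualified issuer."""
    for svc in list_services(tl_xml):
        if svc["subject"] == subject_name and svc["type"] == QC_CA:
            return True, svc["status"] == GRANTED
    return False, False
```

A relying party would fetch the signed national list (or the EU list of lists that points to it) and verify its signature before trusting any entry it reads this way.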


References

  1. Turner, Dawn. "Understanding eIDAS". Cryptomathic. Retrieved 12 April 2016.
  2. "Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC". EUR-Lex. The European Parliament and the Council of the European Union. Retrieved 18 March 2016.
  3. van Zijp, Jacques. "Is the EU ready for eIDAS?". Secure Identity Alliance. Archived from the original on 22 November 2016. Retrieved 18 March 2016.
  4. Turner, Dawn M. "eIDAS from Directive to Regulation - Legal Aspects". Cryptomathic. Retrieved 18 March 2016.
  5. Bender, Jens. "eIDAS Regulation: EID - Opportunities and Risks" (PDF). Bunde.de. Fraunhofer-Gesellschaft. Retrieved 18 March 2016.
  6. "eIDAS in force, applies and exceptions". Europa.eu.
  7. "Info on eIDAS". Connectis.
  8. Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014.
  9. "eIDAS-Testbed successfully launched". www.eid.as. Retrieved 19 June 2024.
  10. "A Digital Agenda For Europe". EUR-Lex. The European Commission. Retrieved 18 March 2016.
  11. Ashiq, J.A. "The eIDAS Agenda: Innovation, Interoperability and Transparency". Cryptomathic. Retrieved 18 March 2016.
  12. "European Digital Identity Wallet | Shaping Europe's digital future". digital-strategy.ec.europa.eu. 13 June 2022. Retrieved 27 January 2024.
  13. "Towards principles and guidance for eID interoperability on online platforms" (PDF). Europa.eu. European Commission. Archived (PDF) from the original on 24 June 2019. Retrieved 29 August 2021.
  14. Turner, Dawn M. "The Difference Between an Electronic Signature and a Digital Signature". Cryptomathic. Retrieved 21 April 2016.
  15. "Regulations, Directives and other acts". Europa.eu. The European Union. Archived from the original on 12 December 2013. Retrieved 18 March 2016.
  16. "Understanding eIDAS – All you ever wanted to know about the new EU Electronic Signature Regulation". Legal Technology. Archived from the original on 17 January 2018. Retrieved 1 March 2016.
  17. "A Big Step Toward the European Digital Single Market" (PDF). Inside Magazine. Archived from the original (PDF) on 27 March 2019. Retrieved 27 March 2019.
  18. Article 25 (1) and the definitions in Article 3 (10) to 3 (12).
  19. Article 25 (2).
  20. Article 35 (2).
  21. "Commission proposes a trusted and secure Digital Identity for all Europeans" (Press release). European Commission. 3 June 2021.
  22. Procedure 2021/0136/COD on EUR-Lex; Procedure 2021/0136(COD) on the ŒIL.
  23. Commission Recommendation (EU) 2021/946 of 3 June 2021 on a common Union Toolbox for a coordinated approach towards a European Digital Identity Framework. EUR-Lex.
  24. eIDAS industry letter (PDF). https://blog.mozilla.org/netpolicy/files/2023/11/eIDAS-Industry-Letter.pdf
  25. https://last-chance-for-eidas.org/
  26. "EIDAS letter.PDF".
  27. "Civil Society Experts Voice Concern as New EU Digital Identity Regulation Finalized".
  28. "EU's Digital Identity Framework Endangers Browser Security". 15 December 2021.
  29. Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity. 2021. Retrieved 20 October 2024.
  30. Claburn, Thomas (8 November 2023). "Bad eIDAS: Europe ready to intercept, spy on your encrypted HTTPS connections". The Register. Retrieved 20 October 2024.
  31. "EIDAS Letter 2022". 2 March 2022.
  32. Hoepman, Jaap-Henk (20 November 2023). "Some observations on the final text of the European Digital Identity framework (eIDAS)". blog.xot.nl. Retrieved 25 November 2023.
  33. "Texts adopted - European Digital Identity Framework - Thursday, 29 February 2024". www.europarl.europa.eu. Retrieved 20 October 2024.
  34. "Hur skapar du en koppling mellan svenska och utländska eID:n?" (in Swedish; title translation: "How do you link Swedish and foreign eIDs?"). Archived 6 October 2018 at the Wayback Machine.
  35. "eIDAS-Node integration package". European Commission. Archived from the original on 10 June 2019. Retrieved 29 October 2019. "The eIDAS-Node software contains the necessary modules to help Member States to communicate with other eIDAS-compliant counterparts in a centralised or distributed fashion."
  36. Cimpanu, Catalin (29 October 2019). "Major vulnerability patched in the EU's eIDAS authentication system". ZDNet. Archived from the original on 29 October 2019. Retrieved 29 October 2019. "Vulnerability would have allowed attackers to pose as any EU citizen or business."
  37. https://helpx.adobe.com/document-cloud/kb/european-union-trust-lists.html