In November 2023, the Council of the European Union and European Parliament formalized a provisional agreement on how to update and modify the Electronic Identification, Authentication, and Trust Services (eIDAS) Regulation. Known colloquially as eIDAS 2.0, the new agreement paves the way for a comprehensive framework for European digital identity (eID).
Once approved and enacted, these changes will extensively affect all EU citizens, residents, and businesses. Continue reading to learn more and find out how eIDAS 2.0 will affect individuals and businesses alike.
Background: What is eIDAS?
The proposed legislation amends the eIDAS regulation on the EU’s internal market, which was approved in 2014 and put in place incrementally between 2016 and 2018. This comprehensive regulation seeks to ensure safety in accessing public services and carrying out online transactions across EU borders.
Until now, eIDAS has effectively overseen not only electronic archives and digital vaults, but also how trust service providers deliver electronic identification, electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services (ERDS), electronic documents, and website authentication certificates. These foundational instruments are essential for smoothly conducting secure electronic transactions.
However, in June of 2021, the EU Commission decided to confront new technological challenges to online safety, and the Council began serious discussions about meeting these challenges in order to modernize the EU’s existing regulations, thereby improving the trust, security, and convenience of online dealings for all EU citizens.
Changes
Although the original eIDAS regulation applied to e-signatures, electronic seals, and electronic timestamps, as well as digital vaults and electronic archives, the updated eIDAS 2.0 will include e-registered delivery services, e-certificates for authentication, and electronic seals for electronic documents. In essence, it will oversee cross-border digital services such as authenticating and identifying individuals and websites.
Additionally, it will reinforce security and privacy for electronic identities and trusted services by establishing a framework that will facilitate the creation of digital identities by means of European digital identity wallets. These identity wallets will enable individuals and businesses to create and use digital identities without any need for mandatory government verification.
What is more, both digital identities and trust services will be enhanced by streamlining the interoperability structure of the member states’ national systems.
Current and Updated Trust Services That Companies Need
Some of the proposals from 2021 made the final cut, while others failed to survive scrutiny. Those that most profoundly affect EU individuals and organizations are the following.
The European Digital Identity Wallet
The approved agreement requires member states to issue a European digital identity wallet (eID), which will technically cover what the regulation refers to, a bit clumsily, as “electronic attestations of attributes”. Simply put, eID will store digital ID and biometric documents like mobile driver’s licences, diplomas, professional certifications, and documents for travel, healthcare, and banking.
Electronic Archiving Services
Digital vaults and the electronic archiving of electronic documents will be modernized by introducing the concept of “qualified electronic archiving services”, which aim to ensure that all electronic data and documents are created or maintained by a qualified trust service provider.
Furthermore, the integrity and accuracy of their origin and legal features will be preserved throughout the conservation period. Finally, the new proposal mandates accurate recording of the date and time of the archiving process.
To guarantee that the security and authenticity of electronic archiving will remain current with the evolving digital landscape, the proposal promotes using the digital identity wallet to establish trusted digital identities, which will be based on common technical standards adopted across the European Union.
Electronic Signatures and Seals
To ensure consistent certification practices across the EU, the proposal recommends additional Commission guidelines on certifying and recertifying qualified creation devices for signatures and seals. Furthermore, the proposal calls for cross-border recognition of qualified electronic signatures and seals.
Currently, three types of eSignatures are included in eIDAS (Simple, Advanced, and Qualified). Qualified Electronic Signatures are as legally valid as handwritten signatures on paper and require certification by a Qualified Service Trust Provider (QSTP). QSTPs are subject to the most rigorous EU requirements and must undergo regular audits that guarantee their adherence to regulation standards.
Finally, eIDAS introduces provisions for using electronic seals, which authenticate electronic documents with the same authority as traditional seals that authenticate the origin and integrity of official documents.
Electronic Time Stamps
An electronic time stamp binds electronic data to other electronic data, providing evidence of the time at which the data existed. As with electronic signatures and seals, eIDAS 2.0 calls for cross-border recognition of the time stamps issued by each member state.
Electronic Registered Delivery Services
This trust service provides evidence that electronic data has been sent and received, thus offering assurance similar to registered mail in a traditional postal system. eIDAS 2.0 guarantees cross-border interoperability between qualified electronic registered delivery services.
Website Authentication Services
Falling under the rubric of a “qualified trust service”, website authentication links a website to the natural or legal person holding the certificate, thus ensuring that users can trust the website identity they are interacting with. Currently, websites are authenticated by root certificates controlled by certificate authorities.
Article 45 of the new eIDAS 2.0 proposal will allow member states to insert new root certificates at their discretion. However, this has been heavily criticized by cybersecurity experts, and it remains to be seen whether these changes will ultimately be enacted into law.
Understanding the Role of Electronic Ledgers in eIDAS Regulation
Utilizing blockchain technology is becoming an integral part of regulatory frameworks. The recent inclusion of electronic ledger mechanisms within the revised eIDAS (Electronic Identification, Authentication and Trust Services) regulation marks a significant step towards more robust, secure, and efficient digital transactions across Europe.
Staying abreast of these technological and regulatory changes is paramount for compliance officers. Let’s see how they can enhance trust services within the digital single market.
Distributed Ledger Technology
Distributed Ledger Technology (DLT) is a digital system for recording the transactions of assets where the transactions and their details are recorded in multiple places simultaneously. Unlike traditional databases, DLT has no central data store or administration functionality. Here’s why it’s groundbreaking in the context of compliance and regulation:
Transparency and Efficiency: Every participant within the DLT network has access to all transactions, ensuring unparalleled transparency. This open visibility promotes trust among users and can dramatically reduce the time required to trace and verify transactional histories, thus delivering efficiency gains.
Reducing Duplication: With DLT, the duplication of effort commonly seen in traditional business networks is eliminated. Each transaction is recorded once on a shared ledger that is accessible to all participants, minimizing the room for discrepancies and errors.
Immutable Records
One of the standout features of blockchain, an implementation of DLT, is the immutability of records. Once an entry has been made to the ledger, it cannot be altered or deleted by any single party:
Trust and Integrity: Compliance officers can appreciate that this characteristic guarantees the integrity of electronic records, which is critical for meeting stringent regulatory standards.
Error Handling: In the rare event of an error, the incorrect entry cannot be erased. Instead, a new transaction must be logged to counteract the mistake, and both transactions are transparently visible to all parties. This evidentiary trail maintains the ledger’s integrity and ensures compliance with audit trails.
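The behaviour described under Immutable Records, sketched as an added example (not code from this article or from any eIDAS specification): a single-copy hash chain in which a mistake is fixed by a compensating entry and an in-place edit is caught by verification. The `Ledger` class, its method names, and the sample records are hypothetical; a real DLT adds replication and consensus across participants, which is what prevents any single party from rewriting the whole chain.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed placeholder for the first entry's predecessor


def entry_hash(index, prev_hash, payload):
    """Hash over the entry's position, its predecessor's hash, and its content."""
    body = json.dumps({"index": index, "prev": prev_hash, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class Ledger:
    """Append-only, hash-chained record list (hypothetical, single copy)."""

    def __init__(self):
        self.entries = []

    def append(self, payload):
        index = len(self.entries)
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"index": index, "prev": prev_hash, "payload": payload,
                             "hash": entry_hash(index, prev_hash, payload)})
        return index

    def correct(self, wrong_index, replacement):
        """Log a compensating entry; the erroneous entry stays visible."""
        if not 0 <= wrong_index < len(self.entries):
            raise IndexError("no such entry to correct")
        return self.append({"corrects": wrong_index, "replacement": replacement})

    def verify(self):
        """Return the index of the first inconsistent entry, or None if intact."""
        prev_hash = GENESIS
        for i, e in enumerate(self.entries):
            if (e["index"] != i or e["prev"] != prev_hash
                    or e["hash"] != entry_hash(i, prev_hash, e["payload"])):
                return i
            prev_hash = e["hash"]
        return None


def demo():
    ledger = Ledger()
    ledger.append({"doc": "contract-A", "amount": 1000})  # constructed sample data
    ledger.append({"doc": "contract-B", "amount": 5000})  # entered in error
    ledger.correct(1, {"doc": "contract-B", "amount": 500})
    intact = ledger.verify()
    ledger.entries[1]["payload"]["amount"] = 500  # in-place edit instead of a correction
    return intact, ledger.verify(), len(ledger.entries)
```

Recomputing the hash of an edited entry does not hide the change, because the next entry still carries the old hash in its `prev` field and verification fails there instead.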
Smart Contracts
Smart contracts are self-executing contracts where the terms of the agreement between the buyer and the seller are directly written into lines of code. These contracts are stored and replicated on the blockchain, and the execution of contract terms is supervised automatically.
Automation and Compliance: With smart contracts, compliance officers can leverage the technology to automate and enforce legal and regulatory obligations without intermediaries, thereby reducing costs and streamlining operations.
Versatility of Application: Whether it is the transfer of corporate bonds or defining the terms for an insurance payout, smart contracts can simplify complex transactions and their associated compliance requirements.
The Implication for eIDAS
With electronic ledger principles embedded within eIDAS and the other regulations regarding trust services and the digital identity wallet, compliance officers are now at the forefront of overseeing sensitive data such as customer information and contracts within digital trust services.
This reinforces a higher standard of transaction record integrity, improved compliance mechanisms, and automation potential—all conducive to a resilient and innovative digital market.