eIDAS 2.0: Upcoming Changes to Digital ID 

In November 2023, the Council of the European Union and European Parliament formalized a provisional agreement on how to update and modify the Electronic Identification, Authentication, and Trust Services (eIDAS) Regulation. Known colloquially as eIDAS 2.0, the new agreement paves the way for a comprehensive framework for European digital identity (eID). Once approved and enacted, these changes will extensively affect all EU citizens, residents, and businesses. Continue reading to learn more and find out how eIDAS 2.0 will affect individuals and businesses alike.

Background: What is eIDAS?

The proposed legislation amends the eIDAS regulation on the EU’s internal market, which was approved in 2014 and put in place incrementally between 2016 and 2018. This comprehensive regulation seeks to ensure safety in accessing public services and carrying out online transactions across EU borders. Until now, eIDAS has effectively overseen not only electronic archives and digital vaults, but also how trust service providers deliver electronic identification, electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services (ERDS), electronic documents, and website authentication certificates. These foundational instruments are essential for smoothly conducting secure electronic transactions.

However, in June of 2021, the EU Commission decided to confront new technological challenges to online safety, and the Council began serious discussions about meeting these challenges in order to modernize the EU’s existing regulations, thereby improving the trust, security, and convenience of online dealings for all EU citizens. 

Changes

Although the original eIDAS regulation applied to e-signatures, electronic seals, and electronic timestamps, as well as digital vaults and electronic archives, the updated eIDAS 2.0 will include e-registered delivery services, e-certificates for authentication, and electronic seals for electronic documents. In essence, it will oversee cross-border digital services such as authenticating and identifying individuals and websites. 

Additionally, it will reinforce security and privacy for electronic identities and trusted services by establishing a framework that will facilitate the creation of digital identities by means of European digital identity wallets. These identity wallets will enable individuals and businesses to create and use digital identities without any need for mandatory government verification. What is more, both digital identities and trust services will be enhanced by streamlining the interoperability structure of the member states’ national systems.

Current and Updated Trust Services That Companies Need

Some of the proposals from 2021 made the final cut, while others failed to survive scrutiny. Those that most profoundly affect EU individuals and organizations are the following.

The European Digital Identity Wallet 

The approved proposal agreement requires member states to issue a European digital identity wallet (eID), which will technically cover what the regulation refers to and a bit clumsily as “electronic attestations of attributes”. Simply put, eID will store digital ID and biometric documents like mobile driver’s licences, diplomas, professional certifications, and documents for travel, healthcare, and banking. 

Electronic Archiving Services 

Digital vaults and the electronic archiving of electronic documents will be modernized by introducing the concept of “qualified electronic archiving services”, which aim to ensure that all electronic data and documents are created or maintained by a qualified trust service provider. Furthermore, the integrity and accuracy of their origin and legal features will be preserved throughout the conservation period. Finally, the new proposal mandates accurate recording of the date and time of the archiving process. 

To guarantee that the security and authenticity of electronic archiving will remain current with the evolving digital landscape, the proposal promotes using the digital identity wallet to establish trusted digital identities, which will be based on common technical standards adopted across the European Union.

Electronic Signatures and Seals

To ensure consistent certification practices across the EU, the proposal recommends additional Commission guidelines on certifying and recertifying qualified creation devices for signatures and seals. Furthermore, the proposal calls for cross-border recognition of qualified electronic signatures and seals.

Currently, three types of eSignatures are included in eIDAS (Simple, Advanced, and Qualified). Qualified Electronic Signatures are as legally valid as handwritten signatures on paper, and they require certification by a Qualified Service Trust Provider (QSTP). QSTPs are subject to the most rigorous EU requirements and must undergo regular audits that guarantee their adherence to regulation standards. 

Finally, eIDAS introduces provisions for using electronic seals, which authenticate electronic documents with the same authority as traditional seals that authenticate the origin and integrity of official documents. 

Electronic Time Stamps

Binding electronic data to other electronic data provides evidence of the time at which the data has existed. As with electronic signatures and seals, eIDAS 2.0 calls for cross-border recognition of the time stamps issued by each member state.

Electronic Registered Delivery Services

This trust service provides evidence that electronic data has been sent and received, thus offering assurance similar to registered mail in a traditional postal system. eIDAS 2.0 guarantees cross-border interoperability between qualified electronic registered delivery services.

Website Authentication Services

Falling under the rubric of a “qualified trust service”, website authentication links a website to the natural or legal person holding the certificate, thus ensuring that users can trust the website identity they are interacting with. Currently, websites are authenticated by root certificates controlled by certificate authorities. 

Article 45 of the new eIDAS 2.0 proposal will allow member states to insert new root certificates at their discretion. However, this has been highly criticized by cybersecurity experts and it remains to be seen whether or not these changes will ultimately be enacted into law.

The Doubt about Electronic Ledgers

At first, the ITRE Committee adopted a version of the eIDAS 2 proposal that excludes the Section on Electronic Ledgers as a regulated trust service. This was deeply concerning as electronic ledgers play a significant role in trust services nowadays. The initial reason for excluding electronic ledgers was purely to maintain technological neutrality. As a fact, the committee overlooked that electronic ledgers are inherently neutral, representing a generic category rather than a specific implementation. 

You might be wondering what they are meant for. Electronic ledgers are secure and transparent databases that store financial and other data types. The ledger records information in a way that eliminates the possibility of fraud or other errors from taking place.

In response, a coalition of prominent stakeholders united to express grave concerns and call upon Members of Parliament to reinstate these crucial provisions to eIDAS 2.0. Contrary to misconceptions, electronic ledgers do not compromise technological neutrality; instead, they ensure the regulation remains adaptable to future developments. Recognizing the significance of electronic ledgers, they support the creation of robust European digital infrastructures, addressing cyber threats and meeting societal demands for enhanced digital trust, catalysing European innovation and supporting the continent’s digital identity framework.

What’s Next

The current text of the legislative act has been submitted to a meticulous legal and linguistic review before it is expected to be formally adopted by the Council and the European Parliament, most likely in March or April of 2024. Only then will the official version of the legislative act be made available to the public upon being published in the EU’s Official Journal.

Twenty days following its publication in the Official Journal, the amendments to eIDAS will enter into force and Member States will have to provide EU Digital Identity Wallets within 24 months.