eIDAS v2: Four New Trust Services
In November 2023, the Council of the European Union and European Parliament formalized a provisional agreement on how to update and modify the Electronic Identification, Authentication, and Trust Services (eIDAS) Regulation. Known colloquially as eIDAS 2.0, the new agreement paves the way for a comprehensive framework for European digital identity (eID). Once approved and enacted, these changes will extensively affect all EU citizens, residents, and businesses. Continue reading to learn more and find out how eIDAS 2.0 will affect individuals and businesses alike.

Background: What is eIDAS?

The proposed legislation amends the eIDAS regulation on the EU’s internal market, which was approved in 2014 and put in place incrementally between 2016 and 2018. This comprehensive regulation seeks to ensure safety in accessing public services and carrying out online transactions across EU borders. Until now, eIDAS has effectively overseen not only electronic archives and digital vaults, but also how trust service providers deliver electronic identification, electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services (ERDS), electronic documents, and website authentication certificates. These foundational instruments are essential for smoothly conducting secure electronic transactions.

However, in June of 2021, the EU Commission decided to confront new technological challenges to online safety, and the Council began serious discussions about meeting these challenges in order to modernize the EU’s existing regulations, thereby improving the trust, security, and convenience of online dealings for all EU citizens.

Changes

Although the original eIDAS regulation applied to e-signatures, electronic seals, and electronic timestamps, as well as digital vaults and electronic archives, the updated eIDAS 2.0 will include e-registered delivery services, e-certificates for authentication, and electronic seals for electronic documents.
In essence, it will oversee cross-border digital services such as authenticating and identifying individuals and websites. Additionally, it will reinforce security and privacy for electronic identities and trusted services by establishing a framework that will facilitate the creation of digital identities by means of European digital identity wallets. These identity wallets will enable individuals and businesses to create and use digital identities without any need for mandatory government verification. What is more, both digital identities and trust services will be enhanced by streamlining the interoperability structure of the member states’ national systems.

Current and Updated Trust Services That Companies Need

Some of the proposals from 2021 made the final cut, while others failed to survive scrutiny. Those that most profoundly affect EU individuals and organizations are the following.

The European Digital Identity Wallet

The approved agreement requires member states to issue a European digital identity wallet (eID), which will technically cover what the regulation refers to, a bit clumsily, as “electronic attestations of attributes”. Simply put, eID will store digital ID and biometric documents like mobile driver’s licences, diplomas, professional certifications, and documents for travel, healthcare, and banking.

Electronic Archiving Services

Digital vaults and the electronic archiving of electronic documents will be modernized by introducing the concept of “qualified electronic archiving services”, which aim to ensure that all electronic data and documents are created or maintained by a qualified trust service provider. Furthermore, the integrity and accuracy of their origin and legal features will be preserved throughout the conservation period. Finally, the new proposal mandates accurate recording of the date and time of the archiving process.
To guarantee that the security and authenticity of electronic archiving will remain current with the evolving digital landscape, the proposal promotes using the digital identity wallet to establish trusted digital identities, which will be based on common technical standards adopted across the European Union.

Electronic Signatures and Seals

To ensure consistent certification practices across the EU, the proposal recommends additional Commission guidelines on certifying and recertifying qualified creation devices for signatures and seals. Furthermore, the proposal calls for cross-border recognition of qualified electronic signatures and seals.

Currently, three types of eSignatures are included in eIDAS (Simple, Advanced, and Qualified). Qualified Electronic Signatures are as legally valid as handwritten signatures on paper and require certification by a Qualified Service Trust Provider (QSTP). QSTPs are subject to the most rigorous EU requirements and must undergo regular audits that guarantee their adherence to regulation standards.

Finally, eIDAS introduces provisions for using electronic seals, which authenticate electronic documents with the same authority as traditional seals that authenticate the origin and integrity of official documents.

Electronic Time Stamps

Binding electronic data to other electronic data provides evidence of the time at which the data existed. As with electronic signatures and seals, eIDAS 2.0 calls for cross-border recognition of the time stamps issued by each member state.

Electronic Registered Delivery Services

This trust service provides evidence that electronic data has been sent and received, thus offering assurance similar to registered mail in a traditional postal system. eIDAS 2.0 guarantees cross-border interoperability between qualified electronic registered delivery services.
Website Authentication Services

Falling under the rubric of a “qualified trust service”, website authentication links a website to the natural or legal person holding the certificate, thus ensuring that users can trust the website identity they are interacting with. Currently, websites are authenticated by root certificates controlled by certificate authorities. Article 45 of the new eIDAS 2.0 proposal will allow member states to insert new root certificates at their discretion. However, this has been highly criticized by cybersecurity experts and it remains to be seen whether or not these changes will ultimately be enacted into law.

Understanding the Role of Electronic Ledgers in eIDAS Regulation

Utilizing blockchain technology is becoming an integral part of regulatory frameworks. The recent inclusion of electronic ledger mechanisms within the revised eIDAS (Electronic Identification, Authentication and Trust Services) regulation marks a significant step towards more robust, secure, and efficient digital transactions across Europe. Staying abreast of these technological and regulatory changes is paramount for compliance officers. Let’s see how they can enhance trust services within the digital single market.

Distributed Ledger Technology

Distributed Ledger Technology (DLT) is a digital system for recording the transactions of