Three Assumptions Regarding the eIDAS Amendment

Regulation as a brake on progress? In the case of the eIDAS Regulation, this narrative does not apply at all. That is because the European Union created the instruments back in 2014 to bring about a sustainable push for digitalisation in the EU. Citizens, business and administration alike can benefit from “Electronic Identification, Authentication and Trust Services” (eIDAS), particularly because secure digital identities and trust services make completely digital transactions and workflows possible.

A look at the practical situation shows that eIDAS is already working: Qualified Website Certificates (QWACs) are bringing Europe a big step closer to open banking. And thanks to the qualified electronic signature, German doctors will soon be able to process important documents on their PCs without media interruptions. However, even though the past one and a half years in particular have revealed an enormous need for more eIDAS trust services, the regulation has not yet been implemented across the board. 

This is another reason why the European Commission has drafted an amendment to its Regulation (EU) No. 910/2014. Stipulating the introduction of a European digital identity in addition to new regulations on trust services, this amendment would require every EU member state to provide natural persons and legal entities with an “EUID” wallet (European Digital Identity Wallet) by the end of 2023. This is intended to bundle important evidence on smartphones and make it usable across borders. Without a doubt, the Commission’s proposals are ambitious. Its significance for the European trust space would be immense. 

Assumption 1: eIDAS Amendment Would Consolidate the Digital Sovereignty of the European Union 

“Digital sovereignty" is likely to become a key concept in the next few years. The principle: While a society should benefit from the advantages of digitalisation, it must always remain self-determined. 

At present, however, EU citizens get these identities from the companies through which they book services online, or – via single sign-ons – from the big American tech companies. The EUID wallet introduced in the proposed amendment is intended to do away with such dependencies. The concept: The wallet brings important documents such as the personal ID or driving licence to the smartphone. Citizens can then use them to identify and authenticate themselves online. What this also means: All personal data is only stored in a secure environment on the smartphone, so citizens retain control over it at all times. 

Strengthening the Trust Space Equals Strengthening Digital Sovereignty

According to the Commission’s proposal, both the administration and many sectors of the private sector will have to offer identification and authentication using the EUID wallet. This commitment is of central importance to Nguyen: “The eIDAS Regulation has created a common trust space – the basis for a digitally sovereign EU. This trust space would automatically play a bigger role through the EUID – because you have to use it.” However, Nguyen also points out the primary need for a reliable core identity as an anchor in order for their to be security and trust in European wallets. “The wallet should be based on a derivation of the sovereign identity of a Member State”, says the D-TRUST CEO. “Germany already has the right technology here with the Smart-eID.”

Assumption 2: The eIDAS Amendment Would Promote the Acceptance of Sovereign Digital Identities

This is single-handedly due to the cumbersome nature of the currently dominant digital identities – the username-password combinations. “Whenever we book a new service online, the first order of business is the tiresome process of registration”, says Nguyen. “And then when we want to log in again weeks later, most of us probably click directly on ‘Forgot password’ – and registration then actually starts all over again.” With a wallet solution, such processes would be a thing of the past.

Private Sector Can Promote Widespread Use

No less essential for broad social acceptance of the solution is the provision envisaged in the Commission draft of obligating many companies to integrate the EUID wallet as a means of identification and authentication. “Experience with the online ID card shows that offers available in the public sector are practical and most certainly used,” Nguyen explains. “Naturally, however, it is only used very infrequently. A sovereign identity can only have a sustainable effect if it finds its way into the private sector, as citizens will interact with it far more often this way.”

In fact, companies and public authorities themselves benefit from a sovereign wallet. “One reason is because there is no need for cumbersome identification”, says Nguyen. He points to the banking sector: “Whenever a new customer wants to open an account, an extensive KYC process is first initiated. This would no longer be at all necessary with the wallet, since a carefully verified identity would be available immediately.” The Europe-wide usability of the EUID is likely to be lucrative as well. For example, a service provider could easily identify every EU citizen – and thereby tap into new customers. In addition, decentralised storage of personal data on smartphones reduces the risk of data theft and GDPR violations.  

However, according to the eIDAS amendment, companies are not only to integrate consumers’ wallets into their services but also receive their own. “That’s logical”, according to Nguyen, “After all, digital processes take place to a large extent between legal entities”. When contact authorities, a simple identification process would be an enormous relief. Likewise, it is currently a significant challenge to validate legal entities across borders. The differences in national law are very great. This is an area where the EUid wallet could help – as a door opener for businesses.

Assumption 3: The eIDAS Amendment Would Strengthen Trust Services Sustainably

There are amendments where, symbolically, no stone is left unturned. This is not at all the case with the revision of the eIDAS Regulation, especially with regard to trust services. “The European Commission is clearly committed to trust centre services in its draft,” Nguyen notes. 

User-friendly Visualisation of QWACs

More than anything, this is shown by the requirement that browsers are to display qualified website certificates (QWACs) in a user-friendly manner. This is a measure that is entirely in the spirit of data and consumer protection and creates transparency. Nguyen regards this as being a big political step as well. According to the D-TRUST managing director, “The Commission has deliberately turned against the market power of non-European digital groups here, which, after all, have their own ecosystems”. “It is simply not enough if the user only sees that a connection is encrypted in the browser. Encrypted does not necessarily mean secure – more differentiating features are needed, especially with regard to the identity of the digital counterpart. With a QWAC, everyone recognises that the website owner has gone through a rigorous public vetting process.” 

New eIDAS Trust Services

The Commission’s commitment to trust services is also evident in the proposed introduction of new tools, including qualified electronic archiving services, electronic transaction registers and electronic attribute confirmations. The latter are particularly interesting to Nguyen and almost as important as the confirmation of identities. “It is with their digital identity that people prove who they are. In many processes, however, it is much more interesting whether someone is acting in a certain role. Does the person represent a company in a legally binding way? Or are they even a managing director? A member of an association? Such statements would be possible via attribute confirmation.” 

More Uniform Certification of Trust Service Providers

Whether they are new or tried and tested, trust services are basically only as good as the qualified trust service providers (QTSP) behind them. Indeed, the level of their quality still varies too greatly from Member State to Member State at present. There are too many differences of approach pursued by the inspection bodies. Not even the supervisory bodies regulate the inspection bodies in a uniform fashion. “This leads to certain technologies being approved in some states, while they would not be eIDAS-compliant in Germany at all,” Nguyen explains. The problem is that it would still be possible to offer these technologies in Germany, resulting in a market distortion. That is why, in its draft eIDAS amendment, the Commission advocates greater harmonisation of the requirements for certifying QTSPs via implementing acts. “This is an important measure, provided that a minimum standard is agreed upon”, says Nguyen. 

Linking Digital Identity and Trust Services More Closely

The Commission’s draft amendment promises to strengthen the link between the two eIDAS pillars of digital identity and trust services as well. For instance, it is planned to provide the EUID wallet with an electronic signature in addition to identity verification. “When I have an identity verified by a QTSP in the wallet, I can actually use it directly for a qualified electronic signature.” The would omit the often time-consuming process of identity verification for signatures. It would also be possible to include verification-specific signatures, thereby allowing a natural person to sign as a member of a professional group or even on behalf of the employer. 

The EU Parliament and the Council of the European Union still have to vote on the Commission’s proposal. And, of course, many points still need to be fleshed out. Nevertheless, the two institutions would by no means put the brakes on progress following a positive vote.