eIDAS: Standardising
Digital Identity in the EU

eIDAS in Brief

eIDAS (electronic IDentification, Authentication and trust Services) is an EU Regulation on electronic identification and trust services for electronic transactions that applies as law within the whole of the EU.

In support of the European Commission’s Digital Single Market (DSM) initiative, eIDAS aims to facilitate the smooth flow of commerce in the EU through harmonisation of law, transparency, security, technical neutrality, cooperation and interoperability.

In pursuit of these values, eIDAS:

• Standardises the use of electronic identification (eID)
• Defines a new class of “electronic trust services” (eTS)
• Clarifies and ensures the legal validity of electronic signatures
• Creates a European internal market within the EU for electronic trust services

These standards apply across borders as well as within individual Member States.

eIDAS, which began to take effect in 2016, repeals and replaces the Electronic Signatures Directive 1999/93/EC. eIDAS addresses the shortcomings of the 1999 Directive and expands its scope in a number of important ways, including a clear definition on the use of electronic identification. A Regulation (like eIDAS) is a legal act of the EU that becomes immediately enforceable as law in all Member States simultaneously. Regulations can be distinguished from Directives which, at least in principle, need to be transposed into national law. In 1972, the European Parliament passed the European Communities Act. Since then, in the event of a conflict between national law and EU law, the national courts must give priority to EU law.

Definitions

Before going further, a few basic definitions will help this discussion:

• Electronic identification/eID can refer to:
  • an electronic method that “can guarantee the unambiguous identification of a person” (1)
  • an individual’s electronically-stored identity data, the digital equivalent of their traditional, physical ID card
  • the act of identifying or authenticating oneself in a digital environment
• eID scheme: according to eIDAS, “a system for electronic identification under which electronic identification means are issued to natural or legal persons, or natural persons representing legal persons” (2); schemes have been developed by public organisations, private companies and public-private joint ventures
• eID means: “a material and/or immaterial unit containing person identification data and which is used for authentication for an online service” (3); a specific method for identifying oneself in a digital environment which conforms to an eID scheme and is issued to users by an eID provider; think of it as the citizen-/customer-facing component of an eID ecosystem; examples: the chip-based eID embedded in Germany’s National Identity Card, Belgium’s Itsme mobile app

Standardising eID in the EU

“eIDAS is primarily designed to tackle identification challenges experienced by digital public services. Member States are also encouraged to support the voluntary reuse of eIDAS-based eIDs by the private sector.” (4)

From a strictly legal standpoint, the eIDAS regulation ensures cross-border access to public services: people and organisations within one EU Member State shall be able to use their own eID means to access public services in other EU Member States (provided those public services offer secure login to their web services as an option to their own citizens).

For example, a French student who wants to attend university in Sweden will not be prevented from accessing and completing the online registration process if she doesn’t have Swedish BankID (the most widely used eID means in Sweden) to authenticate her identity. Under eIDAS, her FrenchConnect eID will be just as valid.

Note that the above example is not currently a reality and will only become so if and when the FrenchConnect eID scheme has been notified to the EU commission, the EU’s formal process for approving eID interoperability under eIDAS, as explained later in this article. As of this writing, twelve eID schemes have been notified, with others currently in the process, so the above scenario is already possible depending on the countries and eID means involved. You can check the status of notified schemes on the EC Europa site.

Two key points to note:

• eIDAS doesn’t mandate the use of eID, but rather enables and protects its use.
• By providing an EU-wide legal framework, the regulation has major implications for the use of eID in the private sector as well.

Goals of eIDAS for Public and Private Sectors

The eIDAS regulation will impact the private sector just as much as, if not more than, the public sector.

“The section of the eIDAS Regulation concerning electronic identification, coming into effect in September 2018, establishes a predictable regulatory environment to enable secure and seamless electronic interactions between businesses, citizens and public authorities. One of its  core objectives is to ensure that people and businesses can use their own national eIDs to access online public services in other EU countries, requiring the establishment of a mutually interoperable network of eID schemes in Europe.” (5)

Facilitating private sector commerce in the digital age is another major goal of the eIDAS regulation. In support of this aim, the European Commission offers online resources promoting the benefits of eID and trust services for businesses, including a guide on how to go about adopting these tools in their operations. (6)

Both public and private organisations (as well as joint public-private alliances) have been active in developing eID schemes, means and infrastructure, based on their varying mandates and motivations. The banking industry has been and continues to be particularly active. “Banks now collectively spend more than $1 billion per year funding the research and development of identity solutions, making them the world’s leading investors, over even national governments and police agencies“. (7)

Levels of Assurance

In order to legally guarantee interoperability between Member States, the eIDAS regulation clearly defines the standards that an eID scheme must meet. These standards in turn guide the technical and security specifications of eID means, as well as their use and acceptance.

To illustrate the value of having a common EU-wide legal framework, consider one of the key specifications: the levels of assurance (LoA). (8) Each eIDAS-compliant eID scheme is classified according to one or more of three different levels of assurance: Low, Substantial and High. “Levels of Assurance characterise the degree of confidence in the electronic identification credential used in establishing the identity of a person, providing assurance that the person claiming an identity is in fact the person to which the identity was assigned.” (9)

The three levels of assurance according to eIDAS are based on the ISO/IEC 2915 standard, which is the basis for many assurance frameworks throughout the world. (Low, Substantial and High correspond to ISO/IEC 2915 levels 2, 3 and 4, respectively.) Two key factors that help determine the degree of confidence each level offers are:

• Identity assurance at the time of registration: how rigorous was the process of identifying the person or entity when they applied for their eID?
• Authentication assurance: strength of the methods used at the time of authentication

In addition to identity assurance and authentication assurance, other important factors include “the reliability and quality of”: the procedures for issuing the eID means, the entity issuing the eID means and “any other body” that might be involved in applying for the issuance of the eID means. (10)

Using this framework, legislatures can then easily specify what assurance level an eID means must have for a given type of transaction. Private businesses may at their discretion require an even higher assurance level than the law may require if they decide their own business risk warrants it. The benefits of extra security, of course, must be weighed against the quality of the customer experience and the extra transaction costs for the business.

Formalising and Implementing eID Schemes: Notification and the eIDAS Network

Enabling interoperability of eID schemes of different Member States requires a method for managing and performing cross-border authentication, as well as a process for formalising eIDAS-approved eID schemes.

The process of formally approving an eID scheme is known as “notification”. Each Member State is responsible for notifying its own eID schemes, ensuring that they meet all the eIDAS security and quality requirements. (11) The process involves a peer review my Member States, and once the eID scheme has been officially added to the eIDAS Network (see below), EU Member States will be required to recognise it “no later than 12 months after the publication to the Official Journal of the European Union”. (12)

The technical infrastructure connecting the various eID schemes and means is known as the eIDAS Network. This network is based on a series of nodes (eIDAS-Nodes), which are implemented at the Member State level. In the context of an individual transaction, each node can both request and provide cross-border authentication.

Driving eID Adoption, Facilitating Commerce

New eID schemes are gradually being developed and added to the eIDAS network. But businesses don’t have to wait for notification in order to benefit from the advantages of electronic identification, including meeting compliance requirements (at the national level), managing business risk and enhancing the customer experience.

The impact of eIDAS on commerce becomes clear when you consider the implications of a clear legal definition of eID throughout the EU. The eIDAS regulation:

• provides legislatures in Member States with a common legal framework when drafting laws governing electronic identity…
• …which in turn creates a stronger incentive for the development of eID schemes and means within each Member State, and
• provides businesses a recognised legal basis for offering their customers eID as a method for verifying their identity and authenticating themselves in a digital environment and signing documents that meet the eIDAS standard for Advanced and Qualified electronic signatures. 

While the EC’s promotion of eIDAS stresses cross-border cooperation, note that electronic identification offers tremendous value even for businesses and customers within the same Member State. A good example is Sweden, one of a few Member States where electronic identification achieved wide adoption long before eIDAS.

Swedish BankID, an eID scheme and means developed by a group of large banks, was first issued in 2003. Recognised under Swedish law and widely trusted, BankID has 7.5 million regular users (73% of the population) who routinely use it to authenticate themselves online, authorise transactions and access public services.

BankID is also used for uniquely identifying the signatory when signing agreements. Although eID is not a mandatory element of a valid electronic signature, if signatories of a contract use BankID to uniquely identify themselves, the contract is considered to have been signed with an electronic signature on the advanced level, which has the equivalent legal effect of a handwritten signature in Sweden (i.e., a special legal effect). Due to the existing security infrastructure of BankID, there aren’t any types of contracts that require the use of a qualified electronic signature, which can only be obtained using an electronic signature solution fulfilling industry standards that are not technology-neutral.

Compliance and Customer Experience

To illustrate the importance of eIDAS for commerce, consider two big challenges facing today’s banking industry:

• Stricter compliance regulations
• Tighter competition

The Anti-Money Laundering Directive (AMLD) is a recent EU act affecting the banking and finance industry in particular. For example, new Know-Your-Customer (KYC) requirements now hold banks to a higher standard for identifying their customers. KYC includes verifying the identity of new customers and authenticating the identity of existing customers when accessing certain services.

At the same time, traditional banks are facing new competition from emerging players who are much better at offering the customer experience that today’s consumers expect: a digital experience, first and foremost.

The AMLD recognises multiple methods a bank can use to verify their customer’s identity, each involving trade-off’s such as time and expense to implement on the one hand versus the impact on the customer experience and brand. In-person ID check and eID are both compliant methods under the AMLD, but in terms of providing a modern customer experience, offering eID as a verification method is obviously preferable to requiring customers to pay a visit to a brick-and-mortar bank.

So what are the barriers to implementing eID? Institutional inertia and risk aversion probably top the list. Obtaining approval from internal legal counsel for new digital tools can be a formidable challenge. But not digitalising operations has risks of its own, especially in an increasingly competitive market.

One purpose of eIDAS is to help lower the barriers to digital commerce, which it does in this case by providing clear definitions and categories of electronic identification. The AMLD, in turn, refers to those definitions to specify the requirements for a compliant KYC check using eID. So a bank that wants to offer eID only needs to choose an eID means, with the required level of assurance, under a scheme that conforms to eIDAS. There’s no need to devote extensive legal and IT resources to ensure compliance.

Conclusion

The eIDAS regulation constitutes a major step towards the vision of a Single Digital Market in the EU, fostering and hastening digital transformation in the public and private sectors. It’s key to understand that unlike laws that mandate and restrict behaviour, eIDAS is about enablement, setting legally-recognised standards for digital commerce and public services. With an EU-wide legal framework in place, legislatures at the EU and Member State levels have a common reference for drafting laws, making it easier for private enterprises to roll out new digital tools and services.