EU: The eIDAS Regulation
Regulation (EU) No 910/2014 on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (‘the eIDAS Regulation’) was adopted on 23 July 2014, entered into force on 17 September 2014 and became applicable from 1 July 2016. On 8 September 2015, the European Commission completed the adoption of all the implementing acts. In addition, as of 29 September 2018, all organisations delivering public digital services in any EU Member State must recognise electronic identification ('e-ID') from all other Member States and provide universal online access for EU citizens and organisations.
Building trust in the online environment is a cornerstone of economic development as it lays the foundations for electronic transactions that are necessary to foster efficient and trustworthy relationships between users and providers of public services. E-ID and trust services are considered key enablers for secure cross-border electronic transactions. However, as the eIDAS Regulation states in Recital 9, there is an electronic barrier that must be removed in order to allow users of electronic service providers to enjoy the benefits of the internal market: 'in most cases, citizens cannot use their electronic identification to authenticate themselves in another Member State because the national electronic identification schemes in their country are not recognised in other Member States.' For this reason, one of the aims of the eIDAS Regulation is to remove those barriers and to ensure that cross-border access to services is offered by Member States across the EU.
The use of e-ID and trust services can provide a wide range of benefits to organisations across different sectors. For example, application of e-ID and trust services can benefit:
- financial services (e.g. to leverage on-boarding opportunities);
- online retail (e.g. to carry out stronger identification checks, provide the possibility of eSignatures and eTimestamps, and to increase consumer trust through qualified website authentication certificates);
- transport (e.g. providing a means for safeguarding secure business processes whilst eliminating redundant steps); and
- professional services (e.g. using e-ID for a trusted verification of the identity of clients, to certify certain documents like sworn translations, or to send important documents through an electronic registered delivery service).
Thus, the purpose of the eIDAS Regulation is two-fold:
- to ensure that people and businesses can use their own national e-ID schemes to access public services in other EU Member States where e-ID schemes are also available; and
- to create a pan-European internal market for electronic trusted services by providing the necessary conditions for providing legal certainty (i.e. ensuring that these services will work across borders and have the same legal status as traditional paper-based processes).
Trust services are defined in Article 3 of the eIDAS Regulation. These are electronic services that are normally provided for remuneration, which consist of the creation, verification, validation, and preservation of specific trust services. There are five specific types of trust service covered by the eIDAS Regulation:
- electronic signatures;
- electronic seals;
- electronic time stamps;
- electronic registered delivery services; and
- website authentication certificates.
A trust service is 'qualified' when it meets the applicable requirements laid down both in the eIDAS Regulation and in the European Commission implementing Decisions and Regulations.
The relevant implementing Regulation concerning trust services is:
- Commission Implementing Regulation (EU) 2015/806 on the form of the EU Trust Mark for Qualified Trust Services (the objective of which is to foster transparency and confidence in the market by clearly distinguishing trusted services in general from qualified trusted services).
The relevant implementing Decisions for trust services are:
- Commission Implementing Decision (EU) 2015/1505 laying down technical specifications and formats relating to trusted lists (trusted lists are essential for ensuring certainty and consolidating trust among the market operators);
- Commission Implementing Decision (EU) 2015/1506 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies (which facilitates cross-border transactions with public sector bodies in different Member States and introduces a method for the use of non-standardised formats); and
- Commission Implementing Decision (EU) 2016/650 laying down standards for the security assessment of qualified signature and seal creation devices.
Because proper identification is required in order to consolidate trust, the European Commission also issued two implementing Regulations in this regard:
- Commission Implementing Regulation (EU) 2015/1502 on setting out minimum technical specifications and procedures for assurance levels for electronic identification (the aim of which is to enable EU citizens to achieve cross-border interaction by means of their own national e-ID); and
- Commission Implementing Regulation (EU) 2015/1501 on the interoperability framework (fostering practical connectivity and interoperability among Member States).
The implementing decisions concerning e-ID are:
- Commission Implementing Decision (EU) 2015/296 on procedural arrangements for cooperation between Member States on eID; and
- Commission Implementing Decision (EU) 2015/1984 defining the circumstances, formats and procedures of notification.