The final eIDAS 2.0 proposal was published on June 3rd, 2021, aimed at amending various shortcomings and to establish a means for European Citizens to obtain an officially recognized digital identity with greater efficiency.
eIDAS 2.0 brings enormous opportunities with the introduction of the European Digital Identity Wallet (EUDI) - broadening the concept of identity to encompass physical services and transactions that are accessible from any location worldwide, whilst allowing the user to be in sole control over personal information and data.
In this article, we look at how digital identity verification plays a key role.
The Purpose and Benefits of eIDAS 2.0
The initial eIDAS regulation only applied to electronic identification and trust services for electronic transactions and the mutual recognition of secure electronic interaction between citizens, organizations, and public authorities. The purpose was, and remains to be, to increase the effectiveness of public and private online services, stressing the importance of the security of electronic services which include electronic signatures, seals, and time stamps.
One of the most significant modifications brought about by eIDAS 2.0 is the widening of the regulation's scope to embrace new types of electronic trust services. eIDAS 2.0 broadens the scope to include electronic registered delivery services, electronic certificates for authentication, and electronic seals for electronic documents.
The development of the "Qualified Trust Service Providers" (QTSPs) concept is another key transition brought about by the eIDAS 2.0 regulation. QTSPs play a big part in the updated regulation as they will be responsible for ensuring that the digital identities authorized align with the updated regulation. The eIDAS 2.0 regulation further defines qualified trust service (QTS) and Qualified Trust Service Provider (QTSP) in order to demonstrate compliance with the eIDAS high-level security standards and obligations. Qualified trust services can only be offered by a Qualified Trust Service Provider, such as GlobalSign.
QTSPs are obligated to meet a number of security prerequisites as specialist providers ensuring secure electronic transactions such as electronic signatures, digital certificates, or timestamping services. These prerequisites encompass robust cryptographic algorithms, authentication methods, individual transaction audit trails, and a secure system architecture.
A QTSP is a Trust Service Provider that has been granted qualified status and is overseen by its national supervisory body (SB).
eIDAS 2.0, aims to expand the concept of identity to encompass physical services that can be accessed from anywhere in the world. It will enable every European to have a set of digital identity credentials (such as identification cards, passports, professional certifications, and driving licenses), that are recognized across the EU - otherwise known as European Digital Identity (EUDI) Wallets. These ‘wallets’ are mobile applications or cloud services that collect and store digital credentials, allowing them to be utilized privately and securely for a variety of government and non-government use cases.
This development necessitates the establishment of a secure, trusted, and efficient identification process that offers customers a seamless experience when making purchases or enrolling, or utilizing services.
Secure Electronic Interactions Between Citizens, Businesses, and Public Authorities
The objective of eIDAS 2.0 is to fulfill the goal outlined in Europe's 'Path to digital decade' initiative, which aims to enable 80% of EU citizens to utilize a digital identification by 2030.
This includes the ability to authenticate their identity across borders, provide explicit consent for sharing specific personal information, and have clear knowledge of the recipients and purposes of their shared information. This legislative intervention introduces the concept of the EUDI wallet and brings about a transformation in the EU's digital identity framework.
Up until now, discussions surrounding the revision of the eIDAS framework have primarily concentrated on the potential risks and advantages for citizens and consumers. However, in order for the new European digital identity framework to thrive, it is vital that the implementation takes into account the distinct identification requirements of businesses as well.
Digital identity is a broad term that encompasses various identity solutions. Regardless of the specific type of identity solution, there are consistently three parties involved in all scenarios:
- the issuer or identity provider,
- the user (or identity holder),
- the relying party (who utilizes the identity provided by the issuer).
Having a digital identity, such as a digital ID card, enables individuals to establish their identity, but it does not provide information about their qualifications or credentials. However, accessing digital services often requires such attributes (a feature, characteristic or quality of a natural or legal person or an entity, in electronic form). As a result, additional attributes like medical certificates, professional qualifications, or driving licenses, which are associated with a digital identity and verified by a qualified trust service provider, have now become crucial components of digital identity systems - qualified trust services enable the provision of qualified electronic attestations of attributes (Annex V) linked to trusted sources and enforceable cross-border, in turn, supporting multiple use cases that rely on the requirement to verify identity attributes linked to a person with a high level of assurance.
Digital Identity Verification - How Sharing of Information Takes Place, with Explicit Consent
One of the key aspects of eIDAS 2.0 is that the user has sole control of all personal information. The EUDI Wallet has been developed with the aim of simplifying the process for individuals and businesses to access online services, carry out secure transactions, and navigate cross-border operations and travel. By storing and managing electronic identification and trust services like electronic signatures and certificates in one centralized location, users can conveniently access and utilize their data and certificates whenever needed.
The roles of the EUDI Wallet Ecosystem are described below:
Source: European Commission
This streamlined approach enhances user accessibility and facilitates the efficient utilization of these services.
Data Privacy
The EUDI Wallet will ensure that any information collected about its usage is strictly limited to what is essential for providing the wallet services. It will not merge personal identification data or any other personal data associated with the European Digital Identity Wallet with personal data obtained from other services provided by the issuer or unrelated third-party services, unless explicitly requested by the user. Privacy by design and selective disclosure of attributes will be enforced within the EUDI Wallet, prioritizing user privacy and data protection.
*Additional rules for the provision of electronic attestation of attributes services:
- Providers of qualified and non-qualified electronic attestation of attributes services shall not combine personal data relating to the provision of those services with personal data from any other services offered by them.
- Personal data relating to the provision of electronic attestation of attributes services shall be kept logically separate from other data held.
- Personal data relating to the provision of qualified electronic attestation of attributes services shall be kept physically and logically separate from any other data held.
- Providers of qualified electronic attestation of attributes’ services shall provide such services under a separate legal entity.
(*Article 45f)
Conclusion
eIDAS 2.0 sets forth standardized regulations for the provision of electronic identity (eID) and trust services within the internal market. These rules not only prioritize the preservation of trust but also emphasize users' control over their personal data. This signifies a significant advancement in privacy, security, and user autonomy, marking a substantial leap forward in safeguarding privacy rights and enhancing overall user control.
To learn more about new eIDAS 2.0 innovations on the horizon and how digitalization is driving the adoption of electronic signature services in both the EU and UK, read GlobalSign's eBook.
Solutions Which Meet the eIDAS Regulation
Here are GlobalSign we understand the importance of staying up to date with current regulations including eIDAS. There are a number of ways in which we can help organizations comply with the eIDAS regulation including authentication, timestamping, qualified signatures and seals – get in touch with our team today.
