eIDAS stands for electronic identification, authentication, and trust services and refers to a European Union (EU) regulation that governs electronic transactions in the EU member states.
The two primary objectives of the eIDAS regulation include:
By providing legal certainty to electronic identification and trust services, eIDAS aims to build trust and confidence in electronic transactions and promote their usage.
eIDAS was initially introduced in 2014 as “Regulation 910/2014” and was later enforced across the EU from July 1, 2016, repealing the old eSignatures Directive.
Previously, identity verification mandated the physical attendance of customers in the commercial office, store, or branch of the organization they were transacting with. The entire process was paper-driven, requiring in-person meetings, signatures, physical stamps, and documents. This inevitably led to long waiting periods and process delays, leaving customers frustrated.
The eIDAS regulation was introduced to remove these process barriers and make transactions friction-free for both customers and organizations. It provides the framework for reliable electronic identification (eID) means that let users prove their identity remotely, removing the need for in-person verification. These eID means are not all equally strong: eIDAS notifies them at one of three assurance levels (low, substantial, or high), and the higher the level, the closer the identity proofing is to an in-person check. Qualified trust service providers, for their part, are audited by a Conformity Assessment Body and supervised by a national supervisory body, which is what gives their services legal standing across the EU.
By creating a flexible and secure online environment for user verification, eIDAS accelerates the transactional process and improves user experience while reducing cost and workload for organizations.
To help EU member states recognize electronic identification and trust services as legal equivalents to physical or paper-based services, eIDAS defines the standards for the provisioning and effectiveness of various trust services, such as electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services, and certificate services for website authentication.
The trust services covered under the eIDAS regulation, and their definitions, are:
1. Electronic Signature: Data in electronic form that is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.
eIDAS classifies electronic signatures into three types with increasing levels of assurance: the simple electronic signature; the advanced electronic signature (AdES), which is uniquely linked to and capable of identifying the signatory, created under the signatory's sole control, and linked to the signed data so that any later change is detectable; and the qualified electronic signature (QES), an AdES created with a qualified signature creation device (QSCD) and based on a qualified certificate. Only a QES has the same legal effect as a handwritten signature in every member state.
2. Electronic Seals (eSeals): These are data in electronic form that validate the origin and integrity of other logically associated data. They are the equivalent of the physical stamps used on business invoices and contracts, and are created by a legal person rather than a natural person. A Qualified Electronic Seal is created with a qualified certificate for electronic seal and a qualified electronic seal creation device, which is subject to the same requirements as a qualified signature creation device (QSCD).
3. Electronic Timestamp (eTimestamp): Data in electronic form that binds other electronic data to a particular point in time, providing evidence that the data existed at that time and has not been altered since. Combined with a Qualified Electronic Signature, a qualified timestamp proves when a document was signed, which also keeps the signature verifiable after the signing certificate has expired or been revoked.
4. Electronic Registered Delivery Services (ERDS): These services provide a secure infrastructure for the electronic transfer of data between two transacting parties or systems, with evidence, such as proof of sending and receipt. This builds accountability and minimizes the risk of data getting stolen, lost, or altered.
5. Qualified Website Authentication Certificate (QWAC): These certificates attest the link between a website and the natural or legal person to whom the certificate is issued, so a visitor can establish who is really behind the site. A QWAC gives users confidence that the website they are interacting with belongs to the organization it claims to, which helps protect them from phishing sites and online scams. Note that a QWAC attests identity, not the security of the site's TLS configuration, and its qualified status only means something to a verifier that checks the issuer against the EU trusted list.
Trust Service Providers (TSPs) are the natural or legal persons that provide one or more trust services. The most familiar are Certificate Authorities (CAs) that issue the digital certificates behind e-signatures, e-seals, and website authentication, but timestamping and registered delivery providers are TSPs too. Qualified Trust Service Providers (QTSPs) are TSPs that have been granted qualified status by the supervisory body of their Member State after an audit by a Conformity Assessment Body, and that are listed in the national trusted list aggregated in the EU List of Trusted Lists. Only QTSPs can provide qualified trust services, such as the qualified certificates and QSCDs behind a Qualified Electronic Signature; a relying party validating a qualified signature should therefore check that the issuing certificate chains to a provider and service that appear in the trusted list with qualified status.
In complying with eIDAS, organizations and citizens can benefit in many ways, including:
By establishing uniform standards for the use of trust services across the EU, eIDAS makes electronic services more transparent and establishes a Digital Single Market (DSM) in the EU that permits trust services complying with the regulation to be circulated freely in the internal market.
As an EU regulation, eIDAS applies directly in all EU member states without national transposition. It primarily binds trust service providers, the Member States that notify eID schemes and supervise providers, and the public bodies that must accept notified eIDs; any organization that provides or relies on electronic identification or trust services in the EU has to work within its rules.
Because of this, any organization with a European presence, or that transacts electronically with EU counterparties, will encounter eIDAS requirements. The United Kingdom retained a version of eIDAS in its domestic law after leaving the EU, with amendments.
In June 2021, the European Commission proposed an update to the eIDAS regulation of 2014. The revision, popularly known as eIDAS 2.0, builds on the original regulation and aims to improve the security and reliability of identification and trust services to ensure the regulation is implemented consistently across all member states, in both public and private sectors.
At the heart of the eIDAS 2.0 revision is the concept of a digital identity wallet. A European Digital Identity (EUDI) Wallet is a mobile application or cloud service that lets EU citizens, residents, and businesses store and manage their identity credentials and attestations of attributes, and present them securely and privately to public and private services.
Unlike eIDAS 1.0, which relied on persistent, rigid national eIDs, the revised proposal centres on the end user and adopts principles associated with self-sovereign identity (SSI): the user holds the credentials and controls what is shared. Concretely, the wallet supports selective disclosure, so a user shares only the attributes a particular transaction needs rather than the whole credential. For instance, someone who must prove they are over 18 to access a service can present only that fact, without revealing their home address, driver's licence number, or even their exact date of birth.
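The following is an added example, not code from this page, the eIDAS regulation, or the EUDI Wallet project. It shows the salted-hash selective-disclosure mechanism that SD-JWT is built on, reduced to Python's standard library: the issuer signs only digests of salted claims, the wallet reveals just the disclosures a transaction needs, and the relying party accepts a disclosure only if its digest is covered by the issuer's signature. The issuer URL, claim names, sample values, and the HMAC key standing in for the issuer's qualified signing key are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed for this example: stands in for the issuer's qualified signing key.
# A real issuer signs with an asymmetric key backed by a qualified certificate.
ISSUER_KEY = b"demo-issuer-key"


def b64u_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(salt: str, name: str, value) -> str:
    """One disclosure = base64url([salt, claim name, claim value])."""
    return b64u_encode(json.dumps([salt, name, value], separators=(",", ":")).encode())


def disclosure_digest(disclosure: str) -> str:
    """The issuer commits to this digest, never to the claim itself."""
    return b64u_encode(hashlib.sha256(disclosure.encode()).digest())


def issue(claims: dict) -> tuple[dict, dict]:
    """Issuer side: return the signed credential and the disclosures handed to the holder."""
    disclosures = {}
    digests = []
    for name, value in claims.items():
        disc = make_disclosure(b64u_encode(secrets.token_bytes(16)), name, value)
        disclosures[name] = disc
        digests.append(disclosure_digest(disc))
    digests.sort()  # do not leak which digest belongs to which claim
    payload = {"iss": "https://issuer.example", "_sd_alg": "sha-256", "_sd": digests}
    body = b64u_encode(json.dumps(payload, sort_keys=True).encode())
    signature = b64u_encode(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return {"payload": body, "signature": signature}, disclosures


def present(credential: dict, disclosures: dict, reveal: list[str]) -> dict:
    """Holder (wallet) side: attach only the disclosures the relying party needs."""
    return {"credential": credential, "disclosures": [disclosures[name] for name in reveal]}


def verify(presentation: dict, issuer_key: bytes = ISSUER_KEY) -> dict:
    """Relying-party side: check the issuer signature, then accept only committed disclosures."""
    cred = presentation["credential"]
    expected = b64u_encode(hmac.new(issuer_key, cred["payload"].encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, cred["signature"]):
        raise ValueError("issuer signature invalid")
    payload = json.loads(b64u_decode(cred["payload"]))
    committed = set(payload["_sd"])
    revealed = {}
    for disc in presentation["disclosures"]:
        # A disclosure whose digest is not in the signed list was never issued.
        if disclosure_digest(disc) not in committed:
            raise ValueError("disclosure not covered by the issuer's signature")
        _salt, name, value = json.loads(b64u_decode(disc))
        revealed[name] = value
    return revealed


def age_check_demo() -> dict:
    """Issue three claims, present only age_over_18, return what the verifier learns."""
    credential, disclosures = issue({
        "given_name": "Anna",                 # constructed sample data
        "postal_address": "Example Street 1",
        "age_over_18": True,
    })
    presentation = present(credential, disclosures, ["age_over_18"])
    return verify(presentation)


if __name__ == "__main__":
    print(age_check_demo())  # {'age_over_18': True}
```

The verifier learns the one attribute it asked for and nothing else, yet it can still tie that attribute to the issuer's signature because the salted digest is in the signed payload; the random salt is what stops a verifier from guessing undisclosed claim values by brute-forcing digests. The real SD-JWT profile adds a holder key binding so a captured presentation cannot be replayed by someone else, and uses an asymmetric issuer signature in place of the HMAC used here.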
Another significant change in the eIDAS 2.0 proposal is an expanded scope with new trust services: electronic archiving services, electronic ledgers, and the management of remote electronic signature and seal creation devices, alongside electronic attestations of attributes, the credential type the wallet is built around.
eIDAS 2.0 also aims to remove the complexities and barriers that the earlier regulation posed for the private sector by providing more detailed technical and operational requirements and guidelines around employing electronic identification and trust services. This will help reduce online fraud, protect privacy rights, and increase transparency.
When proposed, eIDAS 2.0 was expected to take effect in September 2023, at which point all EU member states would have to make digital identity wallets available to citizens, residents, and businesses; the revised regulation was in fact adopted later, as Regulation (EU) 2024/1183, with wallet availability tied to the adoption of implementing acts. At the time of the proposal, only 14 EU member states had notified electronic ID schemes, covering 59% of the EU population. With eIDAS 2.0, the European Commission expects 80% of EU citizens to use a digital ID by 2030.
The eIDAS regulation lays a strong foundation and clear legal framework for people, businesses, and public administrations to securely and conveniently carry out regular online activities, such as filing tax returns, getting a driver’s license, applying for university, opening a bank account, setting up a business in another member state, and more. When implemented, eIDAS 2.0 will be a game-changer for both the public and the private sector by serving as a key enabler for secure digital transactions.