eIDAS new rules for eID and Trust Services

Date: 
21.06.2016

The Regulation (EU) N°910/2014 on electronic identification and trust services for electronic transactions in the internal market provides a legal framework to enable secure and seamless electronic interactions between businesses, citizens and public authorities. eIDAS ensures that people and businesses can use their own national eIDs to access public services in other EU countries where eIDs are available. Furthermore, it ensures that electronic Trust Services, namely electronic signatures, electronic seals, time stamps, electronic registered delivery services and website authentication, will be recognised across borders and have the same legal status as traditional paper-based processes. Only with certainty about the legal validity of all these services will businesses and citizens adopt digital interactions as their natural way of interacting.


eIDAS and electronic Identification


Electronic identification (eID) is one of the tools to ensure secure access to online services and to carry out electronic transactions in a safer way. The eIDAS Regulation removes existing barriers to the cross-border use of electronic identification means used in the Member States. This means that EU citizens will be able to use the eID means they use at national level also to access public services across borders in other Member States, provided the following conditions are met:

1. The electronic identification means is issued under an electronic identification scheme that is included in the list published by the European Commission in the Official Journal of the European Union. An electronic identification scheme specifies assurance levels (low, substantial and/or high) for the electronic identification means issued under that scheme.

2. The assurance level of the electronic identification means corresponds to an assurance level equal to or higher than the assurance level required by the relevant public sector body to access that service online, provided that the assurance level of that electronic identification means corresponds to the assurance level substantial or high. Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 sets out minimum technical specifications and procedures for assurance levels for electronic identification means. Member States remain free to recognise electronic identification means having lower identity assurance levels.

Since 29 September 2015 EU Member States may notify and recognise, on a voluntary basis, national eID means. As of 29 September 2018 the recognition of notified eID will become mandatory. However, Member States are not obliged to notify their electronic identification schemes to the Commission. The choice to notify all, some or none of the electronic identification schemes used at national level is up to Member States.

The technical specifications for the eIDAS interoperability framework have been developed by the European Commission together with the Member States in order to ensure the interoperability of the electronic identification schemes which Member States notify to the Commission.

A sample implementation of these technical specifications has been released by the CEF eID team. The solution is primarily based on the following software components:

  • A package for Member States to become eIDAS enabled. This package includes the necessary modules to communicate with other eIDAS enabled Member States in a centralised or distributed fashion.
  • Additional tools for setting up a demo environment for testing purposes.


How does e-SENS eID comply with eIDAS?

The goal of the e-SENS eID building block is to ensure cross border recognition and e-identification validation that meets the requirements set for eGovernment applications in different domains. Thus e-SENS permits businesses, citizens and government employees to use the presently widespread (national) electronic identities in cross-border public and private services. The solution includes the know-how gained in STORK and ensures achieving compliance with the eIDAS Regulation. Furthermore, e-SENS works on an adaptor solution to achieve interoperability of existing STORK/e-SENS infrastructure with eIDAS nodes. This will enable countries with STORK 2.0 infrastructure currently linked to eID services to connect to the eIDAS network. The connector consists of a regular eIDAS node and a plugin that is able to convert in both ways the authentication requests and responses from eIDAS format to STORK 2.0 format. The plugin will also handle mappings of attributes between the STORK 2.0 SAML profile and the eIDAS node SAML profile. This solution will provide a smooth migration path from STORK to eIDAS and sustainability of STORK-enabled services.


eIDAS and Trust Services


The eIDAS Regulation introduces a new legal framework for electronic signatures and seals.

From 1 July 2016, the rules on trust services under eIDAS apply directly in all 28 Member States. eIDAS repealed the Electronic Signature Directive (Directive 1999/93/EC), which had been in place for 15 years. Moreover, it automatically replaced any inconsistent national laws in Europe.

What changed on 1st July 2016?

  • An eSignature can only be used by a natural person to "sign", i.e. mainly to express consent on the data to which the eSignature is applied.
  • Legal persons are able to use certificates for eSeals (whose aim is not to sign but to ensure the integrity and origin of data). Certificates for eSignatures are therefore no longer issued to legal persons, and existing qualified eSignature certificates issued to legal persons can no longer be used to create a legally valid (qualified) eSignature.
  • All Member States need to have in place a supervisory body in order to allow market players to become compliant with eIDAS in due time.
  • A national Trusted List is published and maintained in line with Commission Implementing Decision (EU) 2015/1505. A provider/service is qualified only when it appears in a Trusted List, so a verifier should check the list rather than trust the certificate's own claims. To prove this status the EU trust mark logo can be used, so potential users are sure the online transactions will be carried out in a safe, convenient and secure way.
  • Public sector bodies must recognise the formats of advanced eSignatures and eSeals laid down in Commission Implementing Decision (EU) 2015/1506 whenever they require an advanced eSignature or eSeal.
  • Voluntary use of the EU trust mark is available. The trust mark clearly differentiates qualified trust services from other trust services; the aim is to foster confidence in essential online services, so that users can fully benefit from and consciously rely on electronic services. The trust mark is defined in Commission Implementing Regulation (EU) 2015/806.
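The Trusted List bullet above is the point at which a relying party actually has something to verify: a qualified status is a property of the list, not of the certificate. As an added example (not code from the page, the Commission, or the e-SENS project), the following Python looks up a CA in a trusted list in the ETSI TS 119 612 XML format that Decision (EU) 2015/1505 mandates and reports whether it was a qualified CA ("CA/QC") with status "granted" at a given time. The embedded trusted list is constructed for the example; the provider and service names in it are fictitious, and the CA is matched on its `X509SubjectName` digital identity for brevity.

```python
"""Look up a CA in an ETSI TS 119 612 trusted list and decide whether it was a
qualified CA with status 'granted' at a given time.

SAMPLE_TL below is constructed for this example; it is not a real Member State
trusted list, and 'Example QTSP' and its services are fictitious."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
QC_CA = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"  # CA issuing qualified certificates
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"

SAMPLE_TL = """<?xml version="1.0" encoding="UTF-8"?>
<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">
 <TrustServiceProviderList><TrustServiceProvider>
  <TSPInformation><TSPName><Name xml:lang="en">Example QTSP</Name></TSPName></TSPInformation>
  <TSPServices>
   <TSPService><ServiceInformation>
    <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Example Qualified CA</Name></ServiceName>
    <ServiceDigitalIdentity><DigitalId>
     <X509SubjectName>CN=Example Qualified CA,O=Example QTSP,C=XX</X509SubjectName>
    </DigitalId></ServiceDigitalIdentity>
    <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</ServiceStatus>
    <StatusStartingTime>2016-07-01T00:00:00Z</StatusStartingTime>
   </ServiceInformation></TSPService>
   <TSPService><ServiceInformation>
    <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Example Withdrawn CA</Name></ServiceName>
    <ServiceDigitalIdentity><DigitalId>
     <X509SubjectName>CN=Example Withdrawn CA,O=Example QTSP,C=XX</X509SubjectName>
    </DigitalId></ServiceDigitalIdentity>
    <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn</ServiceStatus>
    <StatusStartingTime>2017-01-01T00:00:00Z</StatusStartingTime>
   </ServiceInformation></TSPService>
   <TSPService><ServiceInformation>
    <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/PKC</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Example Ordinary CA</Name></ServiceName>
    <ServiceDigitalIdentity><DigitalId>
     <X509SubjectName>CN=Example Ordinary CA,O=Example QTSP,C=XX</X509SubjectName>
    </DigitalId></ServiceDigitalIdentity>
    <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</ServiceStatus>
    <StatusStartingTime>2016-07-01T00:00:00Z</StatusStartingTime>
   </ServiceInformation></TSPService>
  </TSPServices>
 </TrustServiceProvider></TrustServiceProviderList>
</TrustServiceStatusList>
"""


def parse_tsl_time(s):
    """Trusted lists use UTC timestamps of the form 2016-07-01T00:00:00Z."""
    return datetime.strptime(s.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_services(tl_xml):
    """Flatten every TSPService in the list into a dict of the fields we need."""
    root = ET.fromstring(tl_xml)
    services = []
    for tsp in root.iterfind("tsl:TrustServiceProviderList/tsl:TrustServiceProvider", NS):
        tsp_name = tsp.findtext("tsl:TSPInformation/tsl:TSPName/tsl:Name", "", NS)
        for info in tsp.iterfind("tsl:TSPServices/tsl:TSPService/tsl:ServiceInformation", NS):
            subject_names = [dn.text.strip() for dn in info.iterfind(
                "tsl:ServiceDigitalIdentity/tsl:DigitalId/tsl:X509SubjectName", NS)]
            services.append({
                "tsp": tsp_name,
                "name": info.findtext("tsl:ServiceName/tsl:Name", "", NS),
                "type": info.findtext("tsl:ServiceTypeIdentifier", "", NS).strip(),
                "status": info.findtext("tsl:ServiceStatus", "", NS).strip(),
                "since": parse_tsl_time(info.findtext("tsl:StatusStartingTime", "", NS)),
                "subject_names": subject_names,
            })
    return services


def qc_status(tl_xml, issuer_dn, at):
    """Classify `issuer_dn` against the list at UTC time `at` (ISO 8601, 'Z' suffix).

    Returns 'qualified' only if a CA/QC service with that subject name was
    'granted' at or before `at`; otherwise a short reason for the failure."""
    when = parse_tsl_time(at)
    matches = [s for s in load_services(tl_xml) if issuer_dn in s["subject_names"]]
    if not matches:
        return "not-listed"
    reasons = []
    for s in matches:
        if s["type"] != QC_CA:
            reasons.append("listed-but-not-qualified-type")
        elif s["status"] != GRANTED:
            reasons.append("status-" + s["status"].rsplit("/", 1)[-1])  # e.g. status-withdrawn
        elif s["since"] > when:
            reasons.append("not-yet-granted")
        else:
            return "qualified"
    return reasons[0]


if __name__ == "__main__":
    for dn in ("CN=Example Qualified CA,O=Example QTSP,C=XX",
               "CN=Example Withdrawn CA,O=Example QTSP,C=XX",
               "CN=Example Ordinary CA,O=Example QTSP,C=XX",
               "CN=Unknown CA,O=Nobody,C=XX"):
        print(dn, "->", qc_status(SAMPLE_TL, dn, "2018-01-01T00:00:00Z"))
```

In production the check starts from the EU List of Trusted Lists, which points to each national list; every list is XML-signed and that signature must be verified against pinned signing certificates before its content is trusted, the CA should be matched on the full `X509Certificate` or `X509SKI` digital identity rather than the subject name, and the status at the signing time is taken from the service's `ServiceHistory` rather than only its current status. None of that is shown here.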


What are the trust services under eIDAS?

1. eSignature delivers a way to sign documents in the online world.

2. Electronic seals - these can only be issued to and used by legal persons to ensure origin and integrity of data / documents. An eSeal is therefore NOT an eSignature of the legal person.

3. Time Stamping - electronic time stamps are issued to ensure the correctness of the time linked to data / documents.

4. Validation is an ancillary service to eSignatures and eSeals. It is the process confirming the validity of a (qualified) eSignature or eSeal. Such a process entails the verification that the requirements of the Regulation are met by a (qualified) eSignature or eSeal in order to confirm its validity. The Regulation also covers the verification and validation of certificates for website authentication.

5. Preservation of eSignatures, eSeals or certificates related to trust services - it aims at guaranteeing the trustworthiness of a qualified electronic signature or qualified electronic seal through time. Preservation is different from electronic archiving, which is not a trust service under eIDAS. Electronic archiving remains of the competence of Member States.

6. Electronic registered delivery services are a secure channel for the transmission of documents bringing evidence of (the time of) sending and receiving the message. Nevertheless, the Regulation does not assimilate (qualified) electronic registered delivery services to registered postal mails (registered items) defined under the Postal Directive. Member States remain free to establish such equivalence at national level.

7. Website authentication - certificates for website authentication are issued so that users can be sure that there is a legal person behind the website about whom trustworthy information is provided.


How does e-SENS eSignature comply with eIDAS?

The e-Signature BB of the e-SENS project aims to establish cross-border interoperable components for a secure authentication infrastructure in different domains. Its main purpose is to bind an eDocument to an entity so that legal value is associated with it, as well as to validate an eSignature.

The eSignature BB and its components follow legal and interoperability frameworks and prove that real-life interoperability is possible. The e-SENS eSignature building block is based on and will support eIDAS as its policy basis. It supports the eIDAS Trusted List Decision (EU) 2015/1505 and the eIDAS Format Decision (EU) 2015/1506, thus allowing eSignatures defined in this interoperability framework to be created and validated. Given the similarity of eSignatures and eSeals from a technical viewpoint, the e-Signature BB also facilitates interoperability for eSeals.


eIDAS implementing acts:


Commission Implementing Regulation (EU) 2015/806 of 22 May 2015 on the form of the EU Trust Mark for Qualified Trust Services
Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 laying down technical specifications and formats relating to trusted lists
Commission Implementing Decision (EU) 2015/1506 of 8 September 2015 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies
Commission Implementing Decision (EU) 2016/650 of 25 April 2016 laying down standards for the security assessment of qualified signature and seal creation devices
Commission Implementing Decision (EU) 2015/296 of 24 February 2015 on procedural arrangements for MS cooperation on eID
Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework
Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means
Commission Implementing Decision (EU) 2015/1984 of 3 November 2015 defining the circumstances, formats and procedures of notification