eIDAS
eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market. It was established in EU Regulation 910/2014 of 23 July 2014 on electronic identification and repeals directive 1999/93/EC from 13 December 1999.[1][2]
It entered into force on 17 September 2014 and applies from 1 July 2016 except for certain articles, which are listed in its Article 52.[3] All organizations delivering public digital services in an EU member state must recognize electronic identification from all EU member states from September 29, 2018.[4][5]
Description
eIDAS oversees electronic identification and trust services for electronic transactions in the European Union's internal market. It regulates electronic signatures, electronic transactions, involved bodies, and their embedding processes to provide a safe way for users to conduct business online like electronic funds transfer or transactions with public services. Both the signatory and the recipient can have more convenience and security. Instead of relying on traditional methods, such as mail or facsimile, or appearing in person to submit paper-based documents, they may now perform transactions across borders, like "1-Click" technology.[2][6]
eIDAS has created standards for which electronic signatures, qualified digital certificates, electronic seals, timestamps, and other proof for authentication mechanisms enable electronic transactions, with the same legal standing as transactions that are performed on paper.[7]
The regulation came into effect in July 2014, as a means to facilitate secure and seamless electronic transactions within the European Union. Member states are required to recognise electronic signatures that meet the standards of eIDAS.[2][8]
Vision
eIDAS is a result of the European Commission's focus on Europe's Digital Agenda. With the Commission's oversight, eIDAS was implemented to spur digital growth within the EU.[9]
The intent of eIDAS is to drive innovation. By adhering to the guidelines set for technology under eIDAS, organisations are pushed towards using higher levels of information security and innovation. Additionally, eIDAS focuses on the following:[8][10]
- Interoperability: Member states are required to create a common framework that will recognize eIDs from other member states and ensure its authenticity and security. That makes it easy for users to conduct business across borders.
- Transparency: eIDAS provides a clear and accessible list of trusted services that may be used within the centralised signing framework. That allows security stakeholders the ability to engage in dialogue about the best technologies and tools for securing digital signatures.
Regulated aspects in electronic transactions
The Regulation provides the regulatory environment for the following important aspects related to electronic transactions:[2]
- Advanced electronic signature: An electronic signature is considered advanced if it meets certain requirements:
- It provides unique identifying information that links it to its signatory.
- The signatory has sole control of the data used to create the electronic signature.
- It must be capable of identifying if the data accompanying the message has been tampered with after being signed. If the signed data has changed, the signature is marked invalid.
- There is a certificate for electronic signature, electronic proof that confirms the identity of the signatory and links the electronic signature validation data to that person.
- Advanced electronic signatures can be technically implemented, following the XAdES, PAdES, CAdES or ASiC Baseline Profile (Associated Signature Containers) standard for digital signatures, specified by the ETSI.[11]
- Qualified electronic signature, an advanced electronic signature that is created by a qualified electronic signature creation device based on a qualified certificate for electronic signatures.
- Qualified digital certificate for electronic signature, a certificate that attests to a qualified electronic signature's authenticity that has been issued by a qualified trust service provider.
- Qualified website authentication certificate, a qualified digital certificate under the trust services defined in the eIDAS Regulation.
- Trust service, an electronic service that creates, validates, and verifies electronic signatures, time stamps, seals, and certificates. Also, a trust service may provide website authentication and preservation of created electronic signatures, certificates, and seals. It is handled by a trust service provider.
Evolution and legal implications
The eIDAS Regulation evolved from Directive 1999/93/EC, which set a goal that EU member states were expected to achieve in regards to electronic signing. Smaller European countries were one of the first to start adopting digital signatures and identification, for example the first Estonian digital signature was given in 2002 and the first Latvian digital signature was given in 2006. Their experience has been used to develop a now EU-wide regulation, that became binding as law throughout the EU since the first of July, 2016.[12] The directive made EU member states responsible for creating laws that would allow them to meet the goal of creating an electronic signing system within the EU. The directive also allowed each member state to interpret the law and impose restrictions, thus preventing real interoperability, and leading toward a fragmented scenario.[13] In contrast with this directive, eIDAS ensures mutual recognition of the eID for authentication among member states,[14] thus achieving the goal of the Digital Single Market.
eIDAS provides a tiered approach of legal value. It requires for no electronic signature to be denied legal effect or admissibility in court solely because it is not an advanced or qualified electronic signature.[15] Qualified electronic signatures must be given the same legal effect as handwritten signatures.[16]
For electronic seals (legal entities' version of signatures), probative value is explicitly addressed, as seals should enjoy the presumption of integrity and the correctness of the origin of the attached data.[17]
Identity number
Database information has to be linked to some kind of identity number. To certify that a person has the right to access some personal information involves several steps.
- Connecting a person to a number, which can be done through methods developed in one country, such as digital certificates.
- Connecting a number to specific information, done in databases.
- For eIDAS it is needed to connect the number used by a country having information, to the number used by the country issuing the digital certificates.
eIDAS has as minimum identity concept, the name and birth date. But in order to access more sensitive information, some kind of certification is needed that identity numbers issued by two countries refer to the same person.[18]
Vulnerabilities
On October, 2019, two security flaws in eIDAS-Node (a sample implementation of the eID eIDAS Profile provided by the European Commission[19]) were discovered by security researchers; both vulnerabilities were patched for version 2.3.1 of eIDAS-Node.[20]
European Self-Sovereign Identity Framework
The European Union is creating an eIDAS compatible European Self-Sovereign Identity Framework (ESSIF).
References
- Turner, Dawn. "Understanding eIDAS". Cryptomathic. Retrieved 12 April 2016.
- "Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC". EUR-Lex. The European Parliament and the Council of the European Union. Retrieved 18 March 2016.
- eIDAS in force, applies and exceptions on Europa.eu
- Info on eIDAS, Connectis.
- Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014
- van Zijp, Jacques. "Is the EU ready for eIDAS?". Secure Identity Alliance. Archived from the original on 22 November 2016. Retrieved 18 March 2016.
- Turner, Dawn M. "eIDAS from Directive to Regulation - Legal Aspects". Cryptomathic. Retrieved 18 March 2016.
- Bender, Jens. "eIDAS Regulation: EID - Opportunities and Risks" (PDF). Bunde.de. Fraunhofer-Gesellschaft. Retrieved 18 March 2016.
- "A Digital Agenda For Europe". EUR-Lex. The European Commission. Retrieved 18 March 2016.
- J.A., Ashiq. "The eIDAS Agenda: Innovation, Interoperability and Transparency". Cryptomathic. Retrieved 18 March 2016.
- Turner, Dawn M. "The Difference Between an Electronic Signature and a Digital Signature". Cryptomathic. Retrieved 21 April 2016.
- "Regulations, Directives and other acts". Europa.eu. The European Union. Archived from the original on 12 December 2013. Retrieved 18 March 2016.
- "Understanding eIDAS – All you ever wanted to know about the new EU Electronic Signature Regulation". Legal Technology. Retrieved 1 March 2016.
- "A Big Step Toward the European Digital Single Market" (PDF). Inside Magazine. Retrieved 27 March 2019.
- Articles 25 (1) and definitions in article 3 (10) to 3 (12)
- Article 25 (2)
- Article 35 (2)
- Hur skapar du en koppling mellan svenska och utländska eID:n? (in Swedish. Title translation: How to connect Swedish and foreign eID?)
- "eIDAS-Node integration package". European Commission. Archived from the original (html) on 10 June 2019. Retrieved 29 October 2019.
The eIDAS-Node software contains the necessary modules to help Member States to communicate with other eIDAS-compliant counterparts in a centralised or distributed fashion.
- Cimpanu, Catalin (29 October 2019). "Major vulnerability patched in the EU's eIDAS authentication system". ZDNet. Archived from the original (html) on 29 October 2019. Retrieved 29 October 2019.
Vulnerability would have allowed attackers to pose as any EU citizen or business.