Proposal to amend the eIDAS regulation: New horizon for the European electronic identification

Written By

gianmarco rinaldi Module
Gian Marco Rinaldi

Counsel
Italy

As a Counsel in our Tech & Comms Group in Milan, I have extensive experience of drafting and negotiating outsourcing and IT agreements for national and international companies.

marta breschi Module
Marta Breschi

Associate
Italy

I am a lawyer in our Information Technology and Intellectual Property department.

The European Commission published the Proposal for a Regulation amending Regulation eIDAS on 3 June 2021 (“Proposal”)[1]. The proposed amendments will strengthen the Single Market by allowing citizens, other residents as defined by national law and businesses to identify online in a secure, convenient and uniform way across the Union.

On 19 February 2020, the European Commission announced a revision of Regulation (EU) No 910/2014 (Regulation eIDAS) with the aim of extending its benefits to the private sector and promoting trusted digital identities for all Europeans.

Shortly afterwards, the coronavirus pandemic and the shift towards the use of digital services showed that the Regulation eIDAS has limitations that need to be addressed urgently.

For the above reasons, the European Commission published the Proposal for a Regulation amending Regulation eIDAS on 3 June 2021 (“Proposal”).
The proposed amendment aims to establish a more harmonised approach to digital identification.[2]

1. What's new in the Proposal
a. European Digital Identity Wallet

The Proposal introduces the “European Digital Identity Wallet” which should be a product and service that, amongst other things, allows users to store identity data, credentials and attributes linked to their identity, to:

a) provide them to relevant parties on request and to use them for authentication, online and offline, for a service; and

b) sign via qualified electronic signatures.[3]

Offline use would be important in many sectors, including in the health sector where services are often provided by face-to-face interaction.

The use of the European Digital Identity Wallets should be free of charge to all and accessible to people with disabilities.

The European Digital Identity Wallet should be issued by a Member State (or under its mandate) or independently but, recognised by a Member State.

Member States should provide validation mechanisms for the European Digital Identity Wallets:

a) to ensure that its authenticity and validity can be verified;

b) to allow relevant parties to verify that the attestations of attributes (e.g. driving licence, diplomas, bank account) are valid;

c) to allow relevant parties and qualified trust service providers to verify the authenticity and validity of attributed person identification data.

b. Electronic Identification Schemes

In order to make more electronic identification means available for cross border use, Member States should notify at least one “electronic identification scheme” including at least one identification means.

The “electronic identification scheme” means a system for electronic identification under which electronic identification means are issued to

I. individuals or legal persons; or

II. individuals representing legal persons.

c. Unique Identification

To guarantee the unique identification, Member States should include

I. a minimum set of person identification data necessary to uniquely and persistently represent an individual or legal person; and

II. a unique and persistent identifier in conformity with Union law, to identify the user upon their request in those cases where identification of the user is required by law.

This is important in instances where identification is required by law such as in the areas of health, finance to discharge anti-money laundering obligations, or for judicial use.

d. Cross-border reliance on European Digital Identity Wallets

Where electronic identification using an electronic identification means an authentication is required under national law or by administrative practice to access an online service provided by a public sector body in a Member State, the electronic identification means, issued in another Member State, should be recognised in the first Member State for the purposes of cross-border authentication for that online service, provided that some conditions are met.

e. Qualified preservation service for qualified electronic signatures and qualified electronic archiving service for electronic documents

A qualified preservation service for qualified electronic signatures and a qualified electronic archiving service for electronic documents[4] may only be provided according to the standards will be adopted by Commission, by a qualified trust service provider,that uses procedures and technologies capable of extending the trustworthiness of the qualified electronic signature beyond the technological validity period.

f. Electronic attestation of attributes

The current eIDAS framework does not cover the provision of electronic attributes, such as medical certificates or professional qualifications, making it difficult to ensure pan-European legal recognition of such credentials in electronic form.

For this reason, the Proposal introduces the electronic attestation of attributes.

According to the Proposal, an electronic attestation of attributes should not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form.

The attestation of attributes above should have the same legal effect as lawfully issued attestations in paper form.

g. New qualified trust services

In addition to the qualified electronic archiving service for electronic documents (as described above), the Proposal introduces other new qualified trust services, namely:

i. Remote qualified signature creation device

The “remote qualified signature creation device” means a qualified electronic signature creation device[5] where a qualified trust service provider generates, manages, or duplicates the electronic signature creation data on behalf of a signatory.

The management of remote qualified electronic signature creation devices as a qualified service may only be carried out by a qualified trust service provider that meets the conditions laid down by the Proposal.

ii. Electronic ledgers

An Electronic ledger is a tamper proof electronic record of data, providing authenticity and integrity of the data it contains, accuracy of their date and time, and of their chronological ordering.

An electronic ledger should not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic ledgers.

A qualified electronic ledger should enjoy the presumption of the uniqueness and authenticity of the data it contains, the accuracy of their date and time, and their sequential chronological ordering within the ledger.

[1]The text of the Proposal is available at the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2021%3A281%3AFIN&qid=1622704576563.

[2]To avoid fragmentation and barriers due to diverging standards, the Commission has adopted a Recommendation, at the same time as the Proposal, to set out a process to support a common approach allowing Member States and other relevant stakeholders from the public and private sectors to avoid endangering the implementation of the European Digital Identity framework.

[3]According to the Regulation eIDAS, “qualified electronic signature” means an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures (art. 3, n. 12).

[4]According to the Proposal, “qualified electronic archiving service” means a service that meets the requirements laid down in art. 45 sub g) of the Proposal (art. 1, n. 48).

[5]According to the Regulation eIDAS, “qualified electronic signature creation device” means an electronic signature creation device that meets the requirements laid down in Annex II of the Regulation (art. 3, n. 23).

Latest insights

More Insights
Curiosity line green background

China Cybersecurity and Data Protection: Monthly Update - December 2024 Issue

17 minutes Dec 23 2024

Read More
featured image

Update on recent UK data protection guidance in the financial services space

3 minutes Dec 19 2024

Read More
Bank card propped up against laptop

Germany: BaFin updates AML guidance

Dec 19 2024

Read More