Maren Winter - stock.adobe.com
EU sees eIDAS regulation come into full force
A regulation aimed at cutting red tape to enable a digital single market in Europe will soon be in full force, but it could present some challenges to the UK after Brexit
From 29 September 2018, all EU countries will be obliged to recognise national systems that are already notified and comply with the electronic identification, authentication and trust services (eIDAS) regulation.
EU countries like Germany and Italy were first to complete the notification process with Spain, Luxembourg, Estonia, Croatia, Belgium, Portugal and the UK set to follow, although the future of the UK Government Digital Service’s Gov.uk Verify identity assurance programme is far from certain, as reported by Computer Weekly earlier this month.
The eIDAS regulation is aimed at promoting and improving trust, security and convenience online in the form of a single set of rules on electronic identification and trust services, including electronic signatures, seals, time stamping, delivery services and website authentication.
This means companies and individuals can use their own national e-identities (eIDs) when they do business or reside in another EU country to support efforts to enable a digital single market in Europe.
As a result, all organisations delivering public digital services in an EU member state must now recognise notified electronic identification from all other EU member states so that identify verification checks carried out in one EU country will be valid across all member states.
The regulation was established in July 2014, entered into force two months later and applied from 1 July 2016 with acceptance across the EU mandated from 29 September 2018.
It is aimed at moving EU countries away from traditional frameworks for identity verification where all members had their own manual systems, including document and in-person checks, third-party notarisations and government-issued identification that did not support high-speed online and mobile interactions.
The regulation underscores the importance of a digital identity framework that can perform electronic identification and trust services for digital transactions and is designed to help to create one identity framework for the whole EU.
This is expected to help reduce the cost of complying with different identity regulations in each EU country. “Once the rules and infrastructures are in place, it will make easier for the private sector to accept and implement similar processes, which will allow for more efficient AML [anti-money laundering] compliance and KYC [know your customer] regulations across borders,” said Zac Cohen, general manager at Trulioo, a global identity and business verification company.
“Instead of waiting for the potential of eIDAS to pass through the various legal stages and through to independent businesses, companies can improve their compliance procedures now.
“While each country has different ID procedures, there is best practice for each member state. Using shared technologies and data can help make identity verification across borders a far more efficient and streamlined process.”
Using eIDs across and between countries will cut red tape thanks to the “once only” principle, which is one of the main elements of the EU’s Single Digital Gateway, according to Andrus Ansip, European commissioner for digital single market and vice president of the European Commission.
“This will mean that people could save more than 855,000 hours and businesses more than €11bn – every year,” he wrote in a blog post that calls on EU countries to speed up on eID to boost support for the digital single market.
To support the widespread adoption of eID and trust services in line with eIDAS, leading European associations, projects and expert organisations in the eID and trust sector have joined forces to launch a non-profit initiative called go.eIDAS, which is supported by the EU through the research projects like FutureTrust and LIGHTest.
The main goals of the initiative are to raise awareness for eIDAS in Europe and beyond, and point out the benefits of eIDAS within application services and illustrate the huge trade opportunity for the EU related to pushing the eIDAS model and framework internationally.
Go.eIDAS is also aimed at demonstrating the ease of use of eID and trust services, supporting the integration of eID and trust services into application services, promoting the use and uptake of eIDAS in mobile environments and supporting he development of the eIDAS-Ecosystem and the internal market.
The initiative plans to promote interoperability among eIDAS-related solution components and support the creation of a sustainable network of eIDAS stakeholders, but the initial focus will be on the creation and maintenance of localisable and extensible eIDAS-related information material, the provision of local eIDAS-related webinars and the creation and maintenance of eIDAS-related open source software.
The go.eIDAS initiative founders include the German Association for IT, Telecommunications and New Media (Bitkom), the European Trust Foundation (ETF), the Kantara initiative and the European Association for e-Identity and Security (EEMA).
“We are excited to launch the go.eIDAS initiative and enjoy the forthcoming EU-wide eID recognition, which will further boost trust in Europe and beyond,” said Jon Shamah, chair of EEMA.
A global reach
Collin Wallis, executive director of the Kantara Initiative, welcomed the go.eIDAS-Initiative. “We are looking forward to contributing to the recognition of eID and trust services towards a global reach.
“Since Kantara is a global ethics-based ‘commons’ non-profit organisation, which recently absorbed the assets and operations from the US public-private sector IDESG (Identity Ecosystem Steering Group), it is in a good position to assist.”
Speaking in his personal capacity, Sharmah told Computer Weekly that eIDAS is an innovative piece a legislation that is directly aimed at reducing the friction of trading within the EU digital single market. “A digital ‘level playing field’ is provided with eIDAS, which influences every facet of trade – digital or physical,” he said.
Read more about Gov.uk Verify
- Government projects watchdog recommends terminating Gov.uk Verify identity project.
- GDS aims for path of least embarrassment as it shifts strategy on Gov.uk Verify.
- Latest Universal Credit revelations heap further pressure on Gov.uk Verify.
- GDS wants to take “hands off control” on digital identity, says Gov.uk Verify boss.
Asked about the implications of the UK’s planned departure from the EU, Sharmah said Brexit presents “unique challenges” for the UK when looking at the single market and eIDAS.
The eIDAS regulation applies to digital signatures, digital identity and other trust services such as electronic registered email delivery, all of which he said are essential for trade and all of which are absolutely essential components for proposals that offer “electronic solutions” to the soft/hard border-customs issues that the UK will experience after Brexit.
“The problem is that the regulation is not applicable to non-EU or non-EEA states, and this means the UK will not be included in eIDAS from the Brexit date even in any form of transition period as the UK will not be a member state. This would need a complex alteration to the regulation, and any border-customs solution might not be practical or ‘frictionless’.
“The problem is in that the UK government’s Gov.uk Verify authentication credential does not include digital signatures within its scope and may therefore be redundant, even if there was a way around the fact this ‘medium’ level assurance credential could be accepted in eIDAS directly,” he said, noting that while Gov.uk Verify has already been pre-notified to the EU, it has not yet been accepted.
However, Sharmah said there are some possible solutions that may help alleviate the problem, such as the EU-funded FutureTrust project that is reaching its final stages of development and involves the use of a “Global Trust List”, where known and certified schemes from across the globe, including eIDAS, can be used and trusted by each other.
“Differences between schemes are incorporated and accommodated, and the UK could join this Global Trust List, once it is formally established and operating in 2019,” he said, adding that FutureTrust will be offering OpenSource code for the easy-to-use components, through the newly launched go.eIDAS initiative.
“For post-Brexit UK, the ‘frictionless’ digital component of the EU single market may be very difficult to achieve, but the FutureTrust project and the go.eIDAS initiative may provide a great deal of hope for UK/EU trade,” he said.