
Exploring eIDAS - The Key Principles for Trust Services


The eIDAS Regulation creates a pan-European market for electronic Trust Services (eTS). This includes electronic signatures and seals, service delivery, website authentication, and time stamps. The major thrust of the Regulation is towards ensuring that these mechanisms, when used, get the same legal status as conventional paper-based alternatives - across borders, throughout the EU.

The creation of a digital Single Market requires that these electronic means of conducting business and providing services be on the same legal pedestal as the traditional methods. To achieve these objectives, the eIDAS Regulation establishes various guidelines and requirements. However, there are certain key principles behind all of these guidelines which collectively form the essence of eIDAS. In this article, we look at some of these key principles for trust services as envisaged by the developers of eIDAS.

 

Transparency and Accountability

Transparency and accountability are of the utmost importance in the operation of trust service providers. eIDAS defines a minimum set of obligations for these trust service providers and also defines their liability. The ultimate goal is to promote greater transparency and make it possible to differentiate qualified trust providers from other trust services.

 

Non-mandatory technical standards ensuring presumption of compliance

The eIDAS Regulation empowers the Commission to adopt several technical standards. The adoption of these standards is not mandatory, but doing so does provide the presumption of compliance with the regulation. This means that although eIDAS is technology-neutral, the Commission can still identify or recommend technical standards, and solutions using those standards would be considered compliant with the regulation. These technical standards, therefore, go a long way in communicating the intent of the Regulation.

 

Specific legal effects associated with qualified trust services and non-discrimination in courts of eTS versus their paper equivalent

This is perhaps one of the most essential aspects of electronic Trust Services covered by eIDAS. The different legal regimes within member states make the cross-border delivery of certain services challenging from a legal perspective. With eIDAS, the focus is to standardize the practice across all EU member states. For the creation of a true digital single market, it is also important that these electronic ways of signing and authenticating be treated the same as traditional paper-based methods.

 

Risk management approach

Qualified trust service providers have specific risk management and security obligations under eIDAS. This is complemented by a clear liability regime to ensure compliance at multiple levels. The approach to risk management includes operations, conduct, and procedures.

 

Technological neutrality

Restricting the Regulation to specific technologies would ultimately stifle innovation. For eIDAS to truly succeed, it had to adopt the principle of technological neutrality. The necessary security requirements should be achievable using different technologies. With such a neutral approach, innovators should be able to enhance service delivery and even develop new services that utilize the eIDAS mechanisms.

 

Conclusion

These key principles reflect the intent of the developers and framers of eIDAS. The Regulation has laid down the foundation for creating a true digital Single Market that provides legal certainty to its participants in addition to security and trust. The system facilitates seamless and convenient cross-border delivery of services, secured with best-in-class safety mechanisms.

 

 
