The eIDAS Regulation creates a pan-European market for electronic Trust Services (eTS). This includes things like electronic signatures and seals, electronic service delivery, website authentication and time stamps. The major thrust of the Regulation is towards ensuring that these mechanisms, when used, get the same legal status as conventional paper-based alternatives - across borders, throughout the EU.
The creation of a digital Single Market requires that these electronic means of conducting business and providing services be on the same legal pedestal as the traditional methods. In order to achieve these goals, the eIDAS Regulation provides various guidelines and sets criteria that must be met. However, there are certain key principles behind all of these guidelines which collectively form the essence of eIDAS. In this article, we look at some of these key principles for trust services as envisaged by the developers of eIDAS.
Transparency and Accountability
Transparency and accountability in the operation of trust service providers are of paramount importance. eIDAS provides a well-defined minimum set of obligations for these trust service providers along with defining their liability. The ultimate objective is to foster greater transparency and provide the ability to differentiate qualified trust providers from other trust services.
Non-mandatory technical standards ensuring presumption of compliance
The eIDAS Regulation empowers the Commission to adopt a number of technical standards. The adoption of these standards is not mandatory, but doing so does provide the presumption of compliance with the Regulation. This means that although eIDAS is technology-neutral, the Commission can still identify or recommend technical standards, and solutions using those standards would be considered compliant with the Regulation. These technical standards therefore go a long way in communicating the intent of the Regulation.
Specific legal effects associated with qualified trust services and non-discrimination in courts of eTS versus their paper equivalent
This is perhaps one of the most important aspects of electronic Trust Services which has been covered under eIDAS. The different legal regimes within member states make the cross-border delivery of certain services challenging from a legal perspective. With eIDAS, the focus is to standardize the practice across all EU member states. For the creation of a true digital single market, it is also important that these electronic methods of signing and authentication be treated on par with other traditional paper-based mechanisms.
Risk management approach
Qualified trust service providers have certain specific risk management and security obligations applicable to them under eIDAS. This is complemented by a clear liability regime to ensure compliance at various levels. The risk management approach covers things like operations, conduct and procedures.
Technological neutrality
Placing restrictions in terms of specific technologies ultimately stifles innovation. For eIDAS to truly succeed, it had to adopt the principle of technological neutrality. The necessary security requirements should be achievable using different technologies. With such a neutral approach, innovators should be able to improve upon service delivery and even create new services that use the underlying mechanisms of eIDAS.
Conclusion
These key principles reflect the intent of the developers and framers of eIDAS. The Regulation has laid down the foundation for creating a true digital Single Market which provides legal certainty to its participants in addition to security and trust. The system provides for seamless and convenient cross-border delivery of services, secured with best-in-class safety mechanisms.
Image: Geelong Scandia passage race Jan 2009, courtesy of jojo, Flickr (CC BY 2.0) enhanced with the eIDAS letters by VentureSkies