On July 1st 2016, eIDAS was introduced in the EU to replace the almost 20-year-old European Signatures Directive. The directive was originally built with the intent to encourage the adoption of electronic signatures and to provide a legal framework which member states could implement for consistency. Furthermore, the EU came out with a new strategy called "Digital Single Market", which was to drive e-commerce across the EU and globally. The directive was found to hamper the efforts for the digital single market, and thus in 2014 it was announced that eIDAS would eventually take its place.
What’s changed in eIDAS?
As the directive was originally written in 1999, naturally the writers wrote the regulations with hardware in mind. This included hard tokens, hardware chips, smart cards, and other physical solutions. Little did any of us know back in 1999 that it would take less than a decade for cloud services to take over the market, along with widespread virtualization of almost everything we do in the computing world. eIDAS will not only dictate regulations for member states, but will also affect transactions that occur cross-border, including those between the EU and the US.
Going forward, the types of signatures that are accepted and regulated by the EU are the following:
- Simple Electronic Signatures – broad scope, general usage and typically low security.
- Advanced Electronic Signatures – authentication of the signer is provided through the issuance of a digital certificate by a trusted certificate authority (CA).
- Qualified Electronic Signatures – as with advanced electronic signatures, the signer is authenticated; however, in this case the CA is supervised by authorities designated by the EU.
Benefits of eIDAS include increasing the security and interoperability of cross-border transactions, providing accountability for transactions and signatures, reducing paperwork and manual processes, and increasing the convenience of services such as those provided by financial services and the government.
How does this affect business in the US?
These regulations have the potential to greatly impact many US-based international businesses by providing a better structure to follow, as there are no formal regulations in North America for electronic signatures. While individual states and industries have produced legislation and guidance on signatures, there is no uniformity across the country – similar to what the EU experienced while working under the European Signatures Directive. But given that many US and EU-based businesses are highly interconnected and present on the global stage, any corporation working in both regions has been impacted by eIDAS and must work towards eIDAS compliance.
As eIDAS has introduced substantial changes to how transactions and signatures are governed, many businesses in the US that have operations or clients/customers in the EU have found themselves scrambling to implement appropriate technologies that can meet the requirements of eIDAS. What makes this transition difficult is that many of the e-signature technology companies in the US are in the same boat: they too must become eIDAS compliant.
In March of 2015, an event was held by the European Commission to discuss eIDAS with over 100 EU public and private sector representatives. One of the largest stated goals from that meeting was the aim to achieve global interoperability, which meant that national governments working with the EU would need to ensure that their own regulations (or lack thereof, in the case of the US) would meet those of eIDAS. After information was released between March and September 2015, many sectors within the EU, the US, and other countries began preparing for the change.
A closer look at the financial sector
The financial services sector across the world viewed eIDAS as a double-edged sword – it was a great help in creating guidance for e-signatures, but it also represented quite a bit of work to execute prior to July 1, 2016. But as financial organizations are highly interconnected and facilitate millions of global transactions daily, eIDAS had possibly the greatest impact on this sector of any. In order to accommodate and integrate with the financial sector, many banks both within the EU and in other countries began working with the European Central Bank (ECB) in 2015 to draft technical standards that were adopted by the European Commission and taken into account for eIDAS, to encourage interoperability rather than disruption and isolation. Still, in the US, the EU and around the world, eIDAS is leading to a significant change in operations in many banks, as it is changing how they interact with customers, AML standards, and digital banking platforms.
eIDAS was simply the next step for electronic signatures. Those of us in the US, as well as in the EU and across the world, will continue to see the use of e-signatures expand. This will no doubt result in further regulatory amendments to eIDAS, as well as the US adopting more structured, consistent e-signature regulations that complement eIDAS. The US sectors to watch most closely, as the most highly affected industries, will be government, financial services, and healthcare. As these industries are tightly regulated already (by the Fed, HIPAA, PCI, and other regulations), it is likely that the US will model any nation-wide regulations on these industries, as well as on eIDAS.