eIDAS is the European Regulation on electronic identification and trust services for electronic transactions. It repeals Directive 1999/93/EC. Since its adoption in July 2014, the intent of the eIDAS Regulation has been to facilitate secure and seamless electronic transactions throughout the European Union (EU) by providing a regulatory environment that promotes their use.
This article explains the purpose and scope of eIDAS, the use of electronic signatures under eIDAS, and the requirements placed on qualified trust service providers.
Being able to conduct electronic transactions safely online, whether with businesses or public services, gives both the signatory and the recipient a higher level of convenience and security. They can complete transactions across borders with “one click” instead of depending on traditional means of submitting paperwork by mail, facsimile or in person. This saves the time and added expense of delivering paper documents and of verifying that the signatures on them are genuine.
Purpose of eIDAS
Under eIDAS, citizens and businesses are able to use their native electronic identification schemes (eIDS) when accessing public services within other EU Member States that use eIDS. This regulation defines the conditions in which the Member States will recognize electronic identification from users.
Additionally, this regulation created a standard for electronic signatures, time stamps, electronic seals, and other proof of authentication, including electronic certification and registered delivery services that give those electronic transactions the same legal status as if they were conducted on paper.
The Scope of eIDAS
Electronic identification schemes that have been identified by the Member State and trust service providers that are established within the EU fall under eIDAS regulations. A regulation is similar to a national law with the difference that it is applicable in all EU countries. eIDAS replaces the Directive 1999/93/EC. For USA, Switzerland, the Gulf Region and South-East Asia see the article: Major Standards and Compliance of Digital Signatures - a World-Wide Consideration.
The eIDAS Regulation does not supersede provisions of national law, or legal agreements between defined parties, for trust services that are used only within closed systems. Likewise, eIDAS does not affect national or EU law relating to the conclusion and validity of contracts or to other legal or procedural obligations relating to form.
In the simplest of definitions, a qualified electronic signature carries the same legal effect as a handwritten signature. It can be used as evidence in legal proceedings, provided it meets the requirements for being recognized as a qualified electronic signature. Under eIDAS, all Member States must recognize a qualified electronic signature as valid if it is based on a qualified certificate issued in a Member State.
To be valid, an advanced electronic signature must meet several requirements that establish its authenticity. The signature must be uniquely linked to the signatory and capable of identifying the signatory. It must be created using electronic signature creation data that is under the sole control of the signatory, and it must be linked to the signed data in such a way that any subsequent change to that data is detectable.
Under eIDAS, Member States must recognize both qualified and advanced electronic signatures that comply with the required standards. They also must refrain from requesting signatures of a higher level than an advanced electronic signature for cross-border use of online services used by the public sector.
Qualified electronic signatures are validated by certificates that are issued through a qualified trust service provider. When a qualified certificate is issued, the trust provider must verify the identity of the signatory.
Requirements for Qualified Trust Service Providers
Qualified trust service providers are required to meet strict requirements under eIDAS to ensure the validity of the certificates they issue. They must:
- Inform the supervisory body of any changes they may make regarding their trust services
- Maintain ample financial resources or carry liability insurance
- Properly train employees in data security procedures
- Take measures to prevent forgery and data theft
- Store data in a verifiable format so that it can be retrieved only with the consent of the person to whom it relates.
References and Further Reading
- Trust Services and eID (retrieved 11.01.2016), by the European Commission
- REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014), by the European Parliament and the European Commission
- Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (2016), by the European Commission
- Selected articles on Authentication (2014-today), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more
- Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Guillaume Forget, Jan Kjaersgaard, Peter Landrock, Torben Pedersen, Dawn M. Turner, Tricia Wittig and more
- REGULATION (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016), by the European Parliament and the European Council
- Proposal for a REGULATION concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (2017), by the European Parliament and the European Council
- Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank
- Draft NIST Special Publication 800-63-3: Digital Authentication Guideline (2016), by the National Institute of Standards and Technology, USA
- NIST Special Publication 800-63-2: Electronic Authentication Guideline (2013), by the National Institute of Standards and Technology, USA
- Security Controls Related to Internet Banking Services (2016), by the Hong Kong Monetary Authority
Featured Image: courtesy of Elvert Barnes, Flickr