Blog - Cryptomathic

Understanding eIDAS

Written by Dawn M. Turner (guest) | 11. January 2016

EIDAS is the European Regulation for the electronic identification and trust services for electronic transactions. It repeals Directive 1999/93/EC. Since its announcement in July of 2014, the intent of the eIDAS Regulation has been to facilitate secure and seamless electronic transactions throughout the European Union (EU) by providing a regulatory environment that would promote their use.

This article explains the purpose and scope of eIDAS, its scope, the use of electronic signatures under eIDAS and the requirements to qualitfied trust service providers.

Having the ability to safely conduct electronic transactions online when dealing with businesses or public services allows both the signatory and the recipient a higher level of convenience and security. They are able to complete their transactions across borders using “one click” instead of depending on traditional means of submitting paperwork, whether by mail, facsimile service or by submitting in person. This saves time and added expense in delivering and guaranteeing that signatures on paper documents are indeed authentic.

Purpose of eIDAS

Under eIDAS, citizens and businesses are able to use their native electronic identification schemes (eIDS) when accessing public services within other EU Member States that use eIDS. This regulation defines the conditions in which the Member States will recognize electronic identification from users.

Additionally, this regulation created a standard for electronic signatures, time stamps, electronic seals, and other proof of authentication, including electronic certification and registered delivery services that give those electronic transactions the same legal status as if they were conducted on paper.

The Scope of eIDAS

Electronic identification schemes that have been identified by the Member State and trust service providers that are established within the EU fall under eIDAS regulations. A regulation is similar to a national law with the difference that it is applicable in all EU countries. eIDAS replaces the Directive 1999/93/EC. For USA, Switzerland, the Gulf Region and South-East Asia see the article: Major Standards and Compliance of Digital Signatures - a World-Wide Consideration.

The eIDAS These regulations do not supersede set provisions under national laws or legal agreements between defined parties for trust services that are used only within closed systems. Alternatively, eIDAS does not have jurisdiction over national or EU laws that are related to the validity and conclusion or additional legal obligations relating to form.

Using Electronic Signatures under eIDAS

In the simplest of definitions, a qualified electronic signature carries the equivalent legal effect as if the signature were handwritten. It can be used as evidence within a legal proceeding, provided it meets the requirements for being recognized as a qualified electronic signature. With eIDAS, all Member States must recognize a qualified electronic signature as valid if it is based on a qualified certificate that has been issued by one of its Member States.

To ensure their validity, advanced electronic signatures must meet several requirements to prove their authenticity. The signature must be uniquely linked and capable of identifying the signatory. The signature must be created using electronic signature creation data that is under the control of the signatory and is capable of identifying if the data has been tampered with after being signed.

Under eIDAS, Member States must recognize both qualified and advanced electronic signatures that comply with the required standards. They also must refrain from requesting signatures of a higher level than an advanced electronic signature for cross-border use of online services used by the public sector.

Qualified electronic signatures are validated by certificates that are issued through a qualified trust service provider. When a qualified certificate is issued, the trust provider must verify the identity of the signatory.

Requirements for Qualified Trust Service Providers

Qualified trust service providers are required to meet strict requirements under eIDAS to ensure the validity of the certificates they issue. They must:

  • Inform the supervisory body of any changes they may make regarding their trust services
  • Maintain ample financial resources or carry liability insurance
  • Properly train employees in data security procedures
  • Take measures to prevent forgery and data theft
  • Store data in its verifiable format in a manner that allows only for its retrieval under the consent of the person whom it relates to.

 References and Further Reading

Featured Image: courtesy of Elvert Barnes, Flickr