Andrea Servida

DG CONNECT, European Commission

Andrea.servida@ec.europa.eu

eIDAS Regulation

Boosting trust & security in the Digital Single Market

eIDAS

eIDAS: boosting trust & supporting businesses!

TRUST CONVENIENCE

CROSS-BORDER SEAMLESS 2

Legal Act Reference Adoption date

Entry into force

eIDAS Regulation 910/2014 23.07.2014 17.09.2014 (1.07.2016 - application

provisions on TS)

eID

ID on procedural arrangements for MS cooperation on eID (art. 12.7)

2015/296 24.02.2015

17.03.2015

IR on interoperability framework (art. 12.8) Corrigendum C(2015) 8550 of 4.02.2016

2015/1501 8.09.2015 29.09.2015

IR assurance levels for electronic identification means (art. 8.3)

2015/1502 8.09.2015 29.09.2015

ID on circumstances, formats and procedures of notification (art. 9.5)

2015/1984 3.11.2015 5.11.2015 (notified to Ms)

Trust services

IR on EU Trust Mark for Qualified Trust Services (art.23.3)

2015/806 22.05.2015 12.06.2015

ID on technical specifications and formats relating to trusted lists (art. 22.5)

2015/1505 8.09.2015 29.09.2015

ID on formats of advanced electronic signatures and seals (art. 27.5 & 37.5)

2015/1506 8.09.2015 29.09.2015

ID on standards for the security assessment of qualified signature and seal creation devices (art. 30.3 & 39.2)

2016/650 25.04.2016 05.2016

The eIDAS Legal Framework

3

2014

2015 2016 2017 2018 2019

29/09/2015 Voluntary cross-border recognition

1.07.2016 Date of application of eIDAS rules for trust services

29/09/2018 Mandatory cross- border recognition

Timeline

eID

17.09.2014 Entry into

force of the eIDAS

Regulation

Trust services

eSignature Directive rules

4

26.11.15 - eID DSI v.1 eIDAS compliant

eIDAS – The Regulation in a nutshell

5

2 MAIN CHAPTERS SUBJECT TO DIFFERENT RULES AND REQUIREMENTS

Chapter II: Mutual recognition of e-identification means

Chapter III: Electronic trust services

- Electronic signatures

- Electronic seals

- Time stamping

- Electronic registered delivery service

- Website authentication

+ Chapter IV: Electronic Documents

•

eIDAS: Key principles for eID

eID

Sovereignty of MS to use or

introduce means for eID

Mandatory cross-border

recognition only to access public

services

Full autonomy for private

sector

Principle of reciprocity relying on

defined levels of assurance

Interoperability

framework

Cooperation between

Member States

The Regulation does not impose the use of eID

6

Mandatory recognition of electronic identification

Voluntary notification

of eID schemes

"Cooperation and interoperability"

mechanism Liability rules

Assurance Levels: "high" and

"substantial" (and "low")

Interoperability framework

Access to authentication

capabilities: free of charge for public sector

bodies & according to

national rules for private sector relying parties

7

eIDAS – Mutual recognition of eIDs

eIDAS – Main definitions related to eID

8

•‘electronic identification’ means the process of using person identification data in electronic form uniquely representing either a natural or legal person, or a natural person representing a legal person;

Electronic identification – art. 3(1)

•‘electronic identification means’ means a material and/or immaterial unit containing person identification data and which is used for authentication for an online service;

Electronic identification means – art.

3(2)

•‘electronic identification scheme’ means a system for electronic identification under which electronic identification means are issued to natural or legal persons, or natural persons representing legal persons;

Electronic identification scheme – art.

3(4)

•‘authentication’ means an electronic process that enables the electronic identification of a natural or legal person, or the origin and integrity of data in electronic form to be confirmed;

Authentication – art. 3(5)

eIDAS - eID

• • Mutual recognition (Art 6)

• MS must recognise eID means issued under ‘notified’ eID schemes from other Member States for cross-border access to its public services requiring e-identification based on the reciprocity principle (art.6)

• Notification (Art 9)

• MS may ‘notify’ to European Commission the ‘national’ electronic identification scheme(s) used at home for, at least, access to public services (art.9)

• Commission Implementing Decision (EU) 2015/1984 of 3 November 2015 on defining the circumstances, formats and procedures of notification

• eID assurance levels (Art 8)

• Notified eID schemes shall specify the assurance level of the eID means (art.8.1)

Assurance level low recognition is voluntary (art.6.2)

Assurance level substantial recognition is mandatory (art.6.1(b))

Assurance level high recognition is mandatory (art.6.1(b))

• Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 setting out minimum technical specifications and procedures for assurance levels for electronic identification means (art. 8.3) 9

•

• Interoperability of notified eID schemes (art. 12)

• ensured through an interoperability framework

• Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework (art. 12.8)

• Authentication (art 7(f))

• MS must provide cross-border online eID authentication capabilities (art.7(f))

• The cross-border authentication shall be free of charge where in relation to a service online provided by a public sector body (art.7(f))

• MS may allow the private sector to use authentication capabilities: the regime applicable to national private sector shall apply to private sector established in a different MS (principle of non-discrimination) (art.7(f))

• Cooperation and interoperability (art 12)

• MS must exchange good practices and experience (art.12)

• Commission Implementing Decision (EU) 2015/296 of 24.02.2015 on procedural arrangements for MS cooperation on eID (art. 12.7)

• Liability (art 11)

• Liability of MS, eID providers & authentication operators is foreseen (art.11) 10

eIDAS - eID

•

eIDAS: Key principles for trust services

Trust services

Transparency and

accountability

Technological neutrality

Non-mandatory technical standards ensuring

presumption of compliance Specific legal

effects associated to qualified trust

services

Non-discrimination

in Courts of eTS vs paper

equivalent

Risk management

approach

The Regulation does not

impose the use of trust

services

11

12

eIDAS – Trust services

• Liability regime for Q & non-QTSPs (art.13)

• Liability for damages caused intentionally or negligently

• Reversal of the burden of the proof only for QTSPs

• Possible limitations of liability for the use of the service by the TSP subject to clear information to customers

• Applicability of national rules on liability

• Recognition of 3rd countries TSPs (art.14)

• Only through international agreements between the Commission and a third country or international organisation

• Principle of reciprocity

• Accessibility for persons with disabilities (art.15)

13

eIDAS – General principles for trust services

• • Light touch ex post reactive monitoring of non-qualified TSPs vs. Full-

fledged ex ante and ex post supervision of qualified TSPs (art.17)

• Detailed tasks of the Supervisory body (art.17.4)

• Analyse conformity assessment reports

• Report to the Commission about main activities

• Carry out audits / Request conformity assessments

• Inform data protection authorities where appropriate

• Grant and withdraw qualified status

• Inform national body responsible for trusted lists

• Require (Q)TSPs to remedy any failure to fulfil the requirements

• …

14

eIDAS – Role of the Supervisory body

• • Minimum security requirements + notification of significant security

breaches by all TSPs (art.19)

• Specific requirements to be met by QTSPs (art.24):

• staff,

• trustworthiness of their systems,

• liability insurance scheme,

• identification of the certificate owner, etc.

• Conformity assessment of QTSP (art. 20 & 21):

• Ex ante (prior authorisation scheme – art.21) SB may grant the qualified status in a given timeframe Inclusion in the Trusted Lists

• ex post (every 24 months & ad hoc – art. 19) May withdraw the qualified status

• building upon Regulation 765/2008 conformity assessment scheme 15

eIDAS – Obligations of TSPs

• • Trusted lists for QTSPs and QTSs (art.22) & CID (EU) 2015/1505

Has a constitutive value for QTSP and QTS

Ensure continuity with the existing EU TLs established under the Service Directive.

Ensure legal certainty wrt QTS.

Foster interoperability of qualified trust services by facilitating a.o. the validation of e-signatures and e-seals.

Allow citizens, businesses and public administrations to easily verify nature and status of a trust service.

• EU trust mark for qualified trust services (art.23) & CIR (EU) 2015/806

Usage by QTSP after qualified status has been indicated in the TLs

Trustmark indicates in a simple, recognisable, and clear manner the qualified status of a trust service

Link to the relevant TL has to be ensured by the QTSP 16

eIDAS – Supporting tools

•

17

eIDAS – main definitions related to TS, eSign, eSeal and eDocument

• 'trust service' means an electronic service normally provided for remuneration which consists in:

• (a) the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to these services or

• (b) the creation, verification and validation of certificates for website authentication or

• (c) the preservation of electronic signatures, seals or certificates related to these services

Trust services – art. 3(16)

• 'electronic document' means any content stored in electronic form, in particular text or sound, visual or audiovisual recording

Electronic document - art.

3(35)

• 'electronic signature' means data in electronic form which are attached to or logically associated with other electronic data and which are used by the signatory to sign

Electronic signature – art.

3(10)

• 'signatory' means a natural person who creates an electronic signature Signatory – art.

3(9)

• 'electronic seal' means data in electronic form which are attached to or logically associated with other electronic data to ensure the origin and the integrity of the associated data

Electronic seal – art. 3(25)

•'creator of a seal' means a legal person who creates an electronic seal Creator of an

electronic seal art. 3(24)

• • Non-discrimination as evidence in legal proceedings (art.25.1-35.1)

• Legal effect of qualified e-signatures / eSeals (art.25.2-35.2)

• e-signature:

only for natural persons

Assimilation to handwritten signature

• e-seal:

only for legal persons

Integrity of the data and correctness of the origin

• Recognition in all MS of a qualified electronic signature /seal based on a qualified certificate issued in one MS (art.25.3 -35.3 & CID (EU) 2012/1506)

18

eIDAS - Electronic signature and seals

• • Art. 27(1) & (2) / 37 (1) & (2) - If a Member State requires an AeS or and

AeS + QC to use an online service offered by, or on behalf of, a public sector body that Member State shall:

• recognise signatures or seals of the same or higher level than the one required

• in at least the formats or using methods defined in Commission Implementing Decision (EU) 2015/1506 of 8 September 2015

• Art. 27(3) & 37(3) - Member States shall not request for cross-border use in an online service offered by a public sector body an electronic signature / seal at a higher security level than the qualified electronic signature / seal.

19

eIDAS – Recognition of e-signature and seals by public sector bodies

•

• Validation of e-signatures and seals (art.32 & 33-40)

Requirements for the validation of qualified e-signatures / seals (art.32.1-40)

Requirements for qualified validation services for qualified e-signatures / seals

Meeting the requirements set in article 32.1 (art.33.1-40)

Allow relying parties to receive the results (art.33.1-40):

in an automated process which is reliable and efficient

bearing the advance electronic signature / seal of the provider of the Q-validation service

• Long term preservation of e-signatures and seals (art.34-40)

20

eIDAS – Validation & preservation of e-signature and e-seals

•

21

eIDAS: definition of electronic registered delivery service

• 'electronic registered delivery service' means a service that makes it possible to transmit data between third parties by electronic means and provides evidence relating to the handling of the transmitted data, including proof of sending and receiving the data, and which protects transmitted data against the risk of loss, theft, damage or any unauthorised alterations

Electronic registered delivery

service – art. 3(36)

• 'registered item' means a service providing a flat-rate guarantee against risks of loss, theft or damage and supplying the sender, where appropriate upon request, with proof of the handing in of the postal item and/or of its delivery to the addressee

Registered item (art.

2(9) of Directive 97/67)

• • Non-discrimination as evidence in legal proceedings (art.43.1)

• Legal effect of qualified e-registered delivery service (art.43.2)

Integrity of the data sent and received

Accuracy of the date of the data sent and received

• Requirements for qualified e-registered delivery service (art.44)

To be provided by one or more QTSPs

Ensure with high level of confidence identification of the sender

Before delivery of the data: ensure identification of the addressee

Sending and receiving of data have to be secured by AeS or AeSeal of the QTSP

Needed changes to data have to be clearly indicated

The date and time of sending, receipt and changes have to be indicated with a Qualified e-time stamp

eIDAS - Electronic registered delivery service

22

•

23

eIDAS – Definitions of electronic time stamp & website authentication certificate

• 'electronic time stamp' means data in electronic form which binds other electronic data to a particular time establishing evidence that these data existed at that time

Electronic time stamp –

art. 3(33)

• 'certificate for website authentication' means an attestation which makes it possible to authenticate a website and links the website to the natural or legal person to whom the certificate is issued

Certificate for website

authentication - art. 3(38)

eIDAS - Electronic time stamp

• • Non-discrimination as evidence in legal proceedings (art.41.1)

• Legal effect of qualified e-time stamp (art.41.2)

Accuracy of the date and time it indicates

Integrity of the data to which the date and time are bound

• Requirements for qualified e-time stamp (art.42)

Binds the date and time to data in such a manner as to reasonably preclude undetectable changes to the data

Based on accurate time source linked to UTC

Signed with an AeS or sealed with an AeSeal of the QTSP – or by some equivalent method

• Recognition in all MS of a qualified e-time stamp issued in one MS (art.41.3)

24

• • eIDAS Website authentication provides with:

• clear requirements for website authentication certificates to be trustworthy

• minimal obligations for providers of such certificates with regard to the security of their operations (art.19)

• liability providers of such certificates (art 13)

• (light-touch) supervision regime (art 17)

the Regulation will ensure:

• transparency of service quality offered to users,

• accountability of providers with regard to security of their services,

• trustworthiness of the data associated to authenticated websites,

• technological neutrality of services and solutions.

25

eIDAS – What does it mean for website authentication

• • Art. 25(2) - A qualified electronic signature shall have the equivalent

legal effect of a handwritten signature

• Art. 35(2) - A qualified electronic seal shall enjoy the presumption of

integrity of the data and of correctness of the origin of that data to which

the qualified electronic seal is linked.

• Art. 41(2) - A qualified electronic time stamp shall enjoy the

presumption of the accuracy of the date and the time it indicates and the

integrity of the data to which the date and time are bound.

• Art. 43(2) - Data sent and received using a qualified electronic

registered delivery service shall enjoy the presumption of the integrity of

the data, the sending of that data by the identified sender, its receipt by

the identified addressee and the accuracy of the date and time of sending

and receipt indicated by the qualified electronic registered delivery

service.

26

eIDAS – Legal effects of qualified trust services

27

eIDAS definition of electronic document

• 'electronic document' means any content stored in electronic form, in particular text or sound, visual or audiovisual recording

Electronic document - art. 3(35)

• Non-discrimination of electronic documents vis-à-vis paper documents as evidence in legal proceedings (art.46)

Ensures validity and legal certainty of cross-border electronic transactions through the impossibility for Courts to reject a document on the grounds that it is in electronic form

28

eIDAS - Electronic documents

Where does eIDAS have an impact?

UMM&DS - Uniform User Management and Digital Signatures eHGI - eHealth Governance Initiative ECI - European Citizens' Initiative ESSN - European Social Security Number

SUP - Directive on single-member private limited liability companies PSD2 – Revised Directive on Payment Services AML4 - 4th Anti-Money Laundering Directive

29

Website authentication: check if the website you

enter is really linked to the Specific Court

Creation of the document

Time stamp: Proof of submission of the

document in due time

E-registered

delivery: Formal

communications with and

from the Courts may need

to be securely delivered

Preservation: Electronic storage of the submitted documents and

acknowledgment of receipt

eID: identify (or authenticate) yourself using, for instance, an

eID means

30

E-Transactions workflow Cross-border exchange of

documents with Courts

E-signature: the legal professional

may need to confirm the content of

the documents

E-seals: ensures the authenticity of

the documents as well as that they are

from the Court / law firm

Commission initiative on Digitising European Industry (DEI)

A comprehensive policy package adopted on 19.04.2016:

• Communication on Digitising European Industry: Reaping the full benefits of a Digital Single Market COM(2016) 180 final

• Communication on a European Cloud Initiative-Building a competitive data and knowledge economy in Europe COM(2016) 178 final

• Communication on an EU e-Government Action Plan 2016-2020. Accelerating the digital transformation of government

COM(2016) 179 final

• Communication on Priorities of ICT Standardisation for the Digital Single Market COM(2016) 176 final

http://europa.eu/rapid/press-release_IP-16-1407_en.htm 31

EU e-Government Action Plan 2016-2020. Accelerating the digital transformation of government (COM(2016) 179 final)

Underlying principles:

References to eIDAS: Policy priority 1 ("Modernise public administration with ICT, using key digital enablers") - actions: • "Further efforts by all administrations are needed to accelerate the take up of

electronic identification and trust services for electronic transactions in the internal market [...] actions to accelerate cross-border and cross-sector use of eID (including mobile ID) in digitally enabled sectors (such as banking, finance, eCommerce and sharing economy) and in the public sector namely on the European e-Justice Portal. The Commission will also explore the need to facilitate the usage of remote identification and secure authentication in the retail financial services"

• "The Commission will gradually introduce the 'digital by default' principle when interacting online with external stakeholders, using eIDAS services (in 2018), eInvoicing (in 2018) and eProcurement (in 2019)."

Digital

by

Default

Once

only

principle

Inclusiveness

and

accessibility

Openness

and

transparency

Cross-border

by

default

Interoperability

by

default

Trustworthiness

and

Security

32

Communication on Priorities of ICT Standardisation for the Digital Single Market (COM(2016) 176 final)

Sets a comprehensive strategic and political approach to standardisation for 5 priority ICT areas: 5G communications, cloud computing, the internet of things (IoT), (big) data technologies and cybersecurity.

Action in the area of Cybersecurity (section 3.1.4):

"The Commission will:

• Invite ESOs and other SDOs and relevant stakeholders to develop standards by the end of 2018 that support global interoperability and seamless trustworthy authentication across objects, devices and natural and legal persons based on comparable trust models. This work should be based on technical standards aligned with the eIDAS regulatory framework."

33

Stakeholder engagement - eIDAS Observatory

Purpose

• Help facilitate the use of cross-border electronic identification and trust services

• Foster transparency and accountability by identifying market hurdles and good practices, promoting knowledge-sharing and developing initiatives for innovation

• Contribute to the enhancement of trust and security of digital transactions thus to the building of the Digital Single Market

• Act as a virtual network of stakeholders to exchange ideas and good practices as well as recommend actions and initiatives to ease the uptake of eID and trust services

Timeline

• Setting up: first half of 2016

• Launch: to be officially announced at the event marking the entry into application of the rules on trust services (30 June 2016)

34

For further information and feedback Web page on eIDAS

http://ec.europa.eu/digital-agenda/en/trust-services-and-eid

Online eIDAS Participatory Platform http://europa.eu/!qc98fX

Text of eIDAS Regulation in all languages http://europa.eu/!ux73KG

Connecting Europe Facility – Catalogue of Building Blocks http://europa.eu/!DN99RQ

eIDAS functional mailbox & twitter account

CNECT-TF-eIDAS-LT@ec.europa.eu @EU_eIDAS

35