Andrea Servida
DG CONNECT, European Commission
eIDAS Regulation
Boosting trust & security in the Digital Single Market
eIDAS: boosting trust & supporting businesses!
Trust, convenience, cross-border, seamless
The eIDAS Legal Framework

Legal act | Reference | Adoption date | Entry into force
eIDAS Regulation | 910/2014 | 23.07.2014 | 17.09.2014 (provisions on trust services apply from 1.07.2016)

eID
ID on procedural arrangements for MS cooperation on eID (art. 12.7) | 2015/296 | 24.02.2015 | 17.03.2015
IR on interoperability framework (art. 12.8); Corrigendum C(2015) 8550 of 4.02.2016 | 2015/1501 | 8.09.2015 | 29.09.2015
IR on assurance levels for electronic identification means (art. 8.3) | 2015/1502 | 8.09.2015 | 29.09.2015
ID on circumstances, formats and procedures of notification (art. 9.5) | 2015/1984 | 3.11.2015 | 5.11.2015 (notified to MS)

Trust services
IR on EU Trust Mark for Qualified Trust Services (art. 23.3) | 2015/806 | 22.05.2015 | 12.06.2015
ID on technical specifications and formats relating to trusted lists (art. 22.5) | 2015/1505 | 8.09.2015 | 29.09.2015
ID on formats of advanced electronic signatures and seals (art. 27.5 & 37.5) | 2015/1506 | 8.09.2015 | 29.09.2015
ID on standards for the security assessment of qualified signature and seal creation devices (art. 30.3 & 39.2) | 2016/650 | 25.04.2016 | 05.2016

(ID = Commission Implementing Decision, IR = Commission Implementing Regulation)
Timeline
• 17.09.2014: entry into force of the eIDAS Regulation
• 29.09.2015: voluntary cross-border recognition of notified eID schemes begins
• 26.11.2015: eID DSI v.1 eIDAS compliant
• 1.07.2016: date of application of the eIDAS rules for trust services; until then the eSignature Directive (1999/93/EC) rules apply
• 29.09.2018: mandatory cross-border recognition of notified eID schemes
eIDAS – The Regulation in a nutshell
2 main chapters subject to different rules and requirements:
Chapter II: Mutual recognition of e-identification means
Chapter III: Electronic trust services
- Electronic signatures
- Electronic seals
- Time stamping
- Electronic registered delivery service
- Website authentication
+ Chapter IV: Electronic documents
eIDAS: Key principles for eID
• Sovereignty of MS to use or introduce means for eID
• Mandatory cross-border recognition only to access public services
• Full autonomy for the private sector
• Principle of reciprocity relying on defined levels of assurance
• Interoperability framework
• Cooperation between Member States
• The Regulation does not impose the use of eID
eIDAS – Mutual recognition of eIDs
• Mandatory recognition of electronic identification
• Voluntary notification of eID schemes
• "Cooperation and interoperability" mechanism
• Liability rules
• Assurance levels: "high" and "substantial" (and "low")
• Interoperability framework
• Access to authentication capabilities: free of charge for public sector bodies & according to national rules for private sector relying parties
eIDAS – Main definitions related to eID
• Electronic identification – art. 3(1): 'electronic identification' means the process of using person identification data in electronic form uniquely representing either a natural or legal person, or a natural person representing a legal person;
• Electronic identification means – art. 3(2): 'electronic identification means' means a material and/or immaterial unit containing person identification data and which is used for authentication for an online service;
• Electronic identification scheme – art. 3(4): 'electronic identification scheme' means a system for electronic identification under which electronic identification means are issued to natural or legal persons, or natural persons representing legal persons;
• Authentication – art. 3(5): 'authentication' means an electronic process that enables the electronic identification of a natural or legal person, or the origin and integrity of data in electronic form to be confirmed;
eIDAS - eID
• Mutual recognition (art. 6)
  • MS must recognise eID means issued under 'notified' eID schemes of other Member States for cross-border access to their public services requiring e-identification, based on the reciprocity principle (art. 6); the obligation applies from 29.09.2018
• Notification (art. 9)
  • MS may 'notify' to the European Commission the 'national' electronic identification scheme(s) used at home for, at least, access to public services (art. 9)
  • Commission Implementing Decision (EU) 2015/1984 of 3 November 2015 defining the circumstances, formats and procedures of notification
• eID assurance levels (art. 8)
  • Notified eID schemes shall specify the assurance level of the eID means (art. 8.1)
  • Assurance level low: recognition is voluntary (art. 6.2)
  • Assurance level substantial: recognition is mandatory (art. 6.1(b))
  • Assurance level high: recognition is mandatory (art. 6.1(b))
  • Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 setting out minimum technical specifications and procedures for assurance levels for electronic identification means (art. 8.3)
• Interoperability of notified eID schemes (art. 12)
  • ensured through an interoperability framework
  • Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework (art. 12.8)
• Authentication (art. 7(f))
  • MS must provide cross-border online eID authentication capabilities (art. 7(f))
  • Cross-border authentication shall be free of charge where it relates to an online service provided by a public sector body (art. 7(f))
  • MS may allow the private sector to use the authentication capabilities; the regime applicable to the national private sector shall apply to the private sector established in a different MS (principle of non-discrimination) (art. 7(f))
• Cooperation and interoperability (art. 12)
  • MS must exchange good practices and experience (art. 12)
  • Commission Implementing Decision (EU) 2015/296 of 24.02.2015 on procedural arrangements for MS cooperation on eID (art. 12.7)
• Liability (art. 11)
  • Liability of MS, eID providers and authentication operators is foreseen (art. 11)
eIDAS: Key principles for trust services
• Transparency and accountability
• Technological neutrality
• Non-mandatory technical standards ensuring presumption of compliance
• Specific legal effects associated to qualified trust services
• Non-discrimination in Courts of eTS vs paper equivalent
• Risk management approach
• The Regulation does not impose the use of trust services

eIDAS – Trust services
eIDAS – General principles for trust services
• Liability regime for qualified and non-qualified TSPs (art. 13)
  • Liability for damages caused intentionally or negligently
  • Reversal of the burden of proof only for QTSPs
  • Possible limitations of liability for the use of the service by the TSP, subject to clear information to customers
  • Applicability of national rules on liability
• Recognition of third-country TSPs (art. 14)
  • Only through international agreements between the Commission and a third country or international organisation
  • Principle of reciprocity
• Accessibility for persons with disabilities (art. 15)
eIDAS – Role of the Supervisory body
• Light-touch ex post reactive monitoring of non-qualified TSPs vs. full-fledged ex ante and ex post supervision of qualified TSPs (art. 17)
• Detailed tasks of the Supervisory body (art. 17.4):
  • Analyse conformity assessment reports
  • Report to the Commission about main activities
  • Carry out audits / request conformity assessments
  • Inform data protection authorities where appropriate
  • Grant and withdraw qualified status
  • Inform the national body responsible for trusted lists
  • Require (Q)TSPs to remedy any failure to fulfil the requirements
  • …
eIDAS – Obligations of TSPs
• Minimum security requirements + notification of significant security breaches (within 24 hours of becoming aware of them) by all TSPs (art. 19)
• Specific requirements to be met by QTSPs (art. 24):
  • staff,
  • trustworthiness of their systems,
  • liability insurance scheme,
  • identification of the certificate owner, etc.
• Conformity assessment of QTSPs (art. 20 & 21):
  • ex ante (prior authorisation scheme, art. 21): the supervisory body may grant the qualified status within a given timeframe, followed by inclusion in the trusted lists
  • ex post (every 24 months & ad hoc, art. 20): the supervisory body may withdraw the qualified status
  • building upon the Regulation (EC) No 765/2008 conformity assessment scheme
eIDAS – Supporting tools
• Trusted lists for QTSPs and QTSs (art. 22) & CID (EU) 2015/1505
  • Have a constitutive value for QTSPs and QTSs: a trust service is qualified only once its qualified status is indicated in the trusted list
  • Ensure continuity with the existing EU TLs established under the Services Directive
  • Ensure legal certainty wrt QTS
  • Foster interoperability of qualified trust services by facilitating a.o. the validation of e-signatures and e-seals
  • Allow citizens, businesses and public administrations to easily verify the nature and status of a trust service
• EU trust mark for qualified trust services (art. 23) & CIR (EU) 2015/806
  • Usage by a QTSP after its qualified status has been indicated in the TLs
  • The trust mark indicates in a simple, recognisable and clear manner the qualified status of a trust service
  • A link to the relevant TL has to be ensured by the QTSP
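The "constitutive value" of the trusted list has a practical consequence for anyone validating a qualified signature or seal: the question is not whether the issuing CA is qualified today, but whether it was qualified at the moment the certificate was used, which means reading the service's status history rather than only its current status. The following is an added example, not code from the presentation or from the Commission. It assumes the trusted-list element names and status/service-type URIs of ETSI TS 119 612 (the format CID (EU) 2015/1505 points to; the slides name only the Decision), and it works on a constructed, heavily simplified TL fragment with a hypothetical subject DN. Downloading a real trusted list and verifying its XML signature before trusting any of its contents is a mandatory step that is deliberately left out here.

```python
"""Look up a trust service's status at a given time from a trusted list (TL).
Added example, not code from the presentation. The XML is a constructed,
simplified TL fragment; element names and URIs follow ETSI TS 119 612, which
CID (EU) 2015/1505 points to (an assumption: the slides name the Decision only).
A real TL must be downloaded and its XML signature verified before use."""
import xml.etree.ElementTree as ET
from datetime import datetime

TSL_NS = "http://uri.etsi.org/02231/v2#"
NS = {"tsl": TSL_NS}
TYPE_QC_CA = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
STATUS_GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
STATUS_WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"
SUBJECT_DN = "CN=Example Qualified CA,O=Example QTSP,C=EU"  # hypothetical DN

# Constructed sample (not a real TL): one CA/QC service granted qualified status
# on 1.07.2016 and withdrawn on 1.03.2017. The ServiceHistory entry is what lets
# a validator tell whether a certificate used in between came from a qualified CA.
SAMPLE_TL = f"""<?xml version="1.0" encoding="UTF-8"?>
<TrustServiceStatusList xmlns="{TSL_NS}">
  <TrustServiceProviderList><TrustServiceProvider><TSPServices>
    <TSPService>
      <ServiceInformation>
        <ServiceTypeIdentifier>{TYPE_QC_CA}</ServiceTypeIdentifier>
        <ServiceName><Name xml:lang="en">Example Qualified CA (constructed)</Name></ServiceName>
        <ServiceDigitalIdentity><DigitalId><X509SubjectName>{SUBJECT_DN}</X509SubjectName></DigitalId></ServiceDigitalIdentity>
        <ServiceStatus>{STATUS_WITHDRAWN}</ServiceStatus>
        <StatusStartingTime>2017-03-01T00:00:00Z</StatusStartingTime>
      </ServiceInformation>
      <ServiceHistory>
        <ServiceHistoryInstance>
          <ServiceTypeIdentifier>{TYPE_QC_CA}</ServiceTypeIdentifier>
          <ServiceName><Name xml:lang="en">Example Qualified CA (constructed)</Name></ServiceName>
          <ServiceDigitalIdentity><DigitalId><X509SubjectName>{SUBJECT_DN}</X509SubjectName></DigitalId></ServiceDigitalIdentity>
          <ServiceStatus>{STATUS_GRANTED}</ServiceStatus>
          <StatusStartingTime>2016-07-01T00:00:00Z</StatusStartingTime>
        </ServiceHistoryInstance>
      </ServiceHistory>
    </TSPService>
  </TSPServices></TrustServiceProvider></TrustServiceProviderList>
</TrustServiceStatusList>
"""


def parse_tl_time(text):
    """Parse a TL timestamp such as 2016-07-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def find_service(tl_xml, subject_name):
    """TSPService element whose digital identity carries this subject DN, or None.
    Real TLs identify a service by its X.509 certificate (X509Certificate);
    matching on X509SubjectName keeps the constructed sample short."""
    root = ET.fromstring(tl_xml)
    for svc in root.iterfind(".//tsl:TSPService", NS):
        dns = svc.findall(".//tsl:ServiceDigitalIdentity/tsl:DigitalId/tsl:X509SubjectName", NS)
        if any(dn.text.strip() == subject_name for dn in dns):
            return svc
    return None


def status_entries(svc):
    """All (starting_time, status, service_type) entries, newest first: current status + history."""
    nodes = [svc.find("tsl:ServiceInformation", NS)]
    nodes += svc.findall("tsl:ServiceHistory/tsl:ServiceHistoryInstance", NS)
    entries = [
        (
            parse_tl_time(n.findtext("tsl:StatusStartingTime", namespaces=NS)),
            n.findtext("tsl:ServiceStatus", namespaces=NS).strip(),
            n.findtext("tsl:ServiceTypeIdentifier", namespaces=NS).strip(),
        )
        for n in nodes
    ]
    return sorted(entries, key=lambda e: e[0], reverse=True)


def service_status_at(tl_xml, subject_name, at):
    """(service_type, status) in force at `at`, or (None, None) if unknown or not yet listed."""
    svc = find_service(tl_xml, subject_name)
    if svc is None:
        return (None, None)
    for start, status, stype in status_entries(svc):
        if start <= at:  # entries are newest first, so the first match is the one in force
            return (stype, status)
    return (None, None)


def is_qualified_ca_at(tl_xml, subject_name, at):
    """True only if the service is a CA/QC whose status was 'granted' at that moment."""
    stype, status = service_status_at(tl_xml, subject_name, at)
    return stype == TYPE_QC_CA and status == STATUS_GRANTED


if __name__ == "__main__":
    for when in ("2016-01-01T00:00:00Z", "2016-08-01T00:00:00Z", "2017-06-01T00:00:00Z"):
        at = parse_tl_time(when)
        print(when, service_status_at(SAMPLE_TL, SUBJECT_DN, at), "qualified:", is_qualified_ca_at(SAMPLE_TL, SUBJECT_DN, at))
```

The point of the history walk is the withdrawal case: a signature created in August 2016 under this CA remains backed by a qualified certificate even though the TL's current status says "withdrawn", while a signature created after 1 March 2017 is not, and a signature created before 1 July 2016 predates the service ever being listed. A validator that only reads the current ServiceStatus gets both the first and the last case wrong.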
eIDAS – main definitions related to TS, eSign, eSeal and eDocument
• Trust service – art. 3(16): 'trust service' means an electronic service normally provided for remuneration which consists in:
  (a) the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services, or
  (b) the creation, verification and validation of certificates for website authentication, or
  (c) the preservation of electronic signatures, seals or certificates related to those services
• Electronic document – art. 3(35): 'electronic document' means any content stored in electronic form, in particular text or sound, visual or audiovisual recording
• Electronic signature – art. 3(10): 'electronic signature' means data in electronic form which are attached to or logically associated with other electronic data and which are used by the signatory to sign
• Signatory – art. 3(9): 'signatory' means a natural person who creates an electronic signature
• Electronic seal – art. 3(25): 'electronic seal' means data in electronic form which are attached to or logically associated with other electronic data to ensure the origin and the integrity of the associated data
• Creator of a seal – art. 3(24): 'creator of a seal' means a legal person who creates an electronic seal
eIDAS - Electronic signatures and seals
• Non-discrimination as evidence in legal proceedings (art. 25.1 / 35.1)
• Legal effect of qualified e-signatures / e-seals (art. 25.2 / 35.2)
  • e-signature: only for natural persons; equivalent legal effect to a handwritten signature
  • e-seal: only for legal persons; presumption of integrity of the data and correctness of the origin
• Recognition in all MS of a qualified electronic signature / seal based on a qualified certificate issued in one MS (art. 25.3 / 35.3 & CID (EU) 2015/1506)
eIDAS – Recognition of e-signatures and seals by public sector bodies
• Art. 27(1) & (2) / 37(1) & (2): if a Member State requires an advanced electronic signature/seal, or an advanced electronic signature/seal based on a qualified certificate, to use an online service offered by, or on behalf of, a public sector body, that Member State shall:
  • recognise signatures or seals of the same or a higher level than the one required
  • in at least the formats or using the methods defined in Commission Implementing Decision (EU) 2015/1506 of 8 September 2015
• Art. 27(3) & 37(3): Member States shall not request, for cross-border use in an online service offered by a public sector body, an electronic signature / seal at a higher security level than the qualified electronic signature / seal.
eIDAS – Validation & preservation of e-signatures and e-seals
• Validation of e-signatures and seals (art. 32 & 33; applied to qualified seals by art. 40)
  • Requirements for the validation of qualified e-signatures / seals (art. 32.1, art. 40)
  • Requirements for qualified validation services for qualified e-signatures / seals (art. 33, art. 40):
    • meeting the requirements set in art. 32.1 (art. 33.1)
    • allowing relying parties to receive the result of the validation (art. 33.1):
      • in an automated manner which is reliable and efficient
      • bearing the advanced electronic signature / seal of the provider of the qualified validation service
• Long-term preservation of e-signatures and seals (art. 34, art. 40)
eIDAS: definition of electronic registered delivery service
• Electronic registered delivery service – art. 3(36): 'electronic registered delivery service' means a service that makes it possible to transmit data between third parties by electronic means and provides evidence relating to the handling of the transmitted data, including proof of sending and receiving the data, and which protects transmitted data against the risk of loss, theft, damage or any unauthorised alterations
• Registered item – art. 2(9) of Directive 97/67/EC (postal services): 'registered item' means a service providing a flat-rate guarantee against risks of loss, theft or damage and supplying the sender, where appropriate upon request, with proof of the handing in of the postal item and/or of its delivery to the addressee
eIDAS - Electronic registered delivery service
• Non-discrimination as evidence in legal proceedings (art. 43.1)
• Legal effect of a qualified e-registered delivery service (art. 43.2):
  • integrity of the data sent and received
  • accuracy of the date and time of sending and receipt of the data
• Requirements for a qualified e-registered delivery service (art. 44):
  • to be provided by one or more QTSPs
  • ensure with a high level of confidence the identification of the sender
  • before delivery of the data, ensure the identification of the addressee
  • sending and receiving of data have to be secured by an advanced electronic signature or an advanced electronic seal of the QTSP
  • any change to the data needed for sending or receiving it has to be clearly indicated to the sender and the addressee
  • the date and time of sending, receipt and any change have to be indicated by a qualified electronic time stamp
eIDAS – Definitions of electronic time stamp & certificate for website authentication
• Electronic time stamp – art. 3(33): 'electronic time stamp' means data in electronic form which binds other electronic data to a particular time establishing evidence that these data existed at that time
• Certificate for website authentication – art. 3(38): 'certificate for website authentication' means an attestation which makes it possible to authenticate a website and links the website to the natural or legal person to whom the certificate is issued
eIDAS - Electronic time stamp
• Non-discrimination as evidence in legal proceedings (art. 41.1)
• Legal effect of a qualified e-time stamp (art. 41.2):
  • presumption of the accuracy of the date and time it indicates
  • presumption of the integrity of the data to which the date and time are bound
• Requirements for a qualified e-time stamp (art. 42):
  • binds the date and time to the data in such a manner as to reasonably preclude the possibility of the data being changed undetectably
  • based on an accurate time source linked to UTC
  • signed using an advanced electronic signature or an advanced electronic seal of the QTSP, or by some equivalent method
• Recognition in all MS of a qualified e-time stamp issued in one MS (art. 41.3)
eIDAS – What does it mean for website authentication
• eIDAS website authentication provides:
  • clear requirements for website authentication certificates to be trustworthy (art. 45 & Annex IV for qualified certificates)
  • minimal obligations for providers of such certificates with regard to the security of their operations (art. 19)
  • liability of providers of such certificates (art. 13)
  • a (light-touch) supervision regime (art. 17)
• The Regulation will ensure:
  • transparency of the service quality offered to users,
  • accountability of providers with regard to the security of their services,
  • trustworthiness of the data associated to authenticated websites,
  • technological neutrality of services and solutions.
eIDAS – Legal effects of qualified trust services
• Art. 25(2) - A qualified electronic signature shall have the equivalent legal effect of a handwritten signature.
• Art. 35(2) - A qualified electronic seal shall enjoy the presumption of integrity of the data and of correctness of the origin of that data to which the qualified electronic seal is linked.
• Art. 41(2) - A qualified electronic time stamp shall enjoy the presumption of the accuracy of the date and the time it indicates and the integrity of the data to which the date and time are bound.
• Art. 43(2) - Data sent and received using a qualified electronic registered delivery service shall enjoy the presumption of the integrity of the data, the sending of that data by the identified sender, its receipt by the identified addressee and the accuracy of the date and time of sending and receipt indicated by the qualified electronic registered delivery service.
eIDAS - Electronic documents
• Electronic document – art. 3(35): 'electronic document' means any content stored in electronic form, in particular text or sound, visual or audiovisual recording
• Non-discrimination of electronic documents vis-à-vis paper documents as evidence in legal proceedings (art. 46): ensures the validity and legal certainty of cross-border electronic transactions, since a Court cannot deny a document legal effect or admissibility as evidence solely on the grounds that it is in electronic form
Where does eIDAS have an impact?
• UMM&DS - Uniform User Management and Digital Signatures
• eHGI - eHealth Governance Initiative
• ECI - European Citizens' Initiative
• ESSN - European Social Security Number
• SUP - Directive on single-member private limited liability companies
• PSD2 - Revised Directive on Payment Services
• AML4 - 4th Anti-Money Laundering Directive
E-Transactions workflow: cross-border exchange of documents with Courts
• eID: identify (or authenticate) yourself using, for instance, an eID means
• Website authentication: check that the website you enter is really linked to the specific Court
• Creation of the document
• E-signature: the legal professional may need to confirm the content of the documents
• E-seal: ensures the authenticity of the documents as well as that they come from the Court / law firm
• Time stamp: proof of submission of the document in due time
• E-registered delivery: formal communications with and from the Courts may need to be securely delivered
• Preservation: electronic storage of the submitted documents and acknowledgment of receipt
Commission initiative on Digitising European Industry (DEI)
A comprehensive policy package adopted on 19.04.2016:
• Communication on Digitising European Industry: Reaping the full benefits of a Digital Single Market COM(2016) 180 final
• Communication on a European Cloud Initiative-Building a competitive data and knowledge economy in Europe COM(2016) 178 final
• Communication on an EU e-Government Action Plan 2016-2020. Accelerating the digital transformation of government
COM(2016) 179 final
• Communication on Priorities of ICT Standardisation for the Digital Single Market COM(2016) 176 final
http://europa.eu/rapid/press-release_IP-16-1407_en.htm
EU e-Government Action Plan 2016-2020. Accelerating the digital transformation of government (COM(2016) 179 final)
Underlying principles: digital by default; once-only principle; inclusiveness and accessibility; openness and transparency; cross-border by default; interoperability by default; trustworthiness and security.
References to eIDAS: Policy priority 1 ("Modernise public administration with ICT, using key digital enablers") - actions:
• "Further efforts by all administrations are needed to accelerate the take up of electronic identification and trust services for electronic transactions in the internal market [...] actions to accelerate cross-border and cross-sector use of eID (including mobile ID) in digitally enabled sectors (such as banking, finance, eCommerce and sharing economy) and in the public sector namely on the European e-Justice Portal. The Commission will also explore the need to facilitate the usage of remote identification and secure authentication in the retail financial services"
• "The Commission will gradually introduce the 'digital by default' principle when interacting online with external stakeholders, using eIDAS services (in 2018), eInvoicing (in 2018) and eProcurement (in 2019)."
Communication on Priorities of ICT Standardisation for the Digital Single Market (COM(2016) 176 final)
Sets a comprehensive strategic and political approach to standardisation for 5 priority ICT areas: 5G communications, cloud computing, the internet of things (IoT), (big) data technologies and cybersecurity.
Action in the area of Cybersecurity (section 3.1.4):
"The Commission will:
• Invite ESOs and other SDOs and relevant stakeholders to develop standards by the end of 2018 that support global interoperability and seamless trustworthy authentication across objects, devices and natural and legal persons based on comparable trust models. This work should be based on technical standards aligned with the eIDAS regulatory framework."
Stakeholder engagement - eIDAS Observatory
Purpose
• Help facilitate the use of cross-border electronic identification and trust services
• Foster transparency and accountability by identifying market hurdles and good practices, promoting knowledge-sharing and developing initiatives for innovation
• Contribute to the enhancement of trust and security of digital transactions thus to the building of the Digital Single Market
• Act as a virtual network of stakeholders to exchange ideas and good practices as well as recommend actions and initiatives to ease the uptake of eID and trust services
Timeline
• Setting up: first half of 2016
• Launch: to be officially announced at the event marking the entry into application of the rules on trust services (30 June 2016)
For further information and feedback
Web page on eIDAS: http://ec.europa.eu/digital-agenda/en/trust-services-and-eid
Online eIDAS Participatory Platform: http://europa.eu/!qc98fX
Text of eIDAS Regulation in all languages: http://europa.eu/!ux73KG
Connecting Europe Facility – Catalogue of Building Blocks: http://europa.eu/!DN99RQ
eIDAS functional mailbox & twitter account: [email protected] @EU_eIDAS