“Identity without borders” was the slogan pronounced by the European Union in reference to the eIDAS regulation, which (regulation) aims to establish online trust to facilitate economic and social development. Let us now try to understand why this regulation is crucial to take into account when developing new standards for digital identity.
In this first part we understand the role of eIDAS within the European digital market, while in the second part, we will see how the regulation is necessarily approaching the world of Self-Sovereign Identity, and vice versa.
The history of Eidas
Eidas is the culmination of many individual initiatives at European level. For example, since 1999, Italy has had the Bassanini regulation in place, which introduced the first regulations concerning teleworking and which authorities could certify remote working activities. With Eidas, the aim was to create an international framework to improve the validity and interoperability of cross-border services. Eidas was conceived in 2014, but only became effective in 2016. The impact in real life is evident: the electronic identity card or/and spid, are operational thanks to this European regulation.
Resuming its formal description:
“The eIDAS (electronic IDentification Authentication and Signature) Regulation – EU Regulation No 910/2014 on digital identity – has the objective to provide a regulatory basis at EU level for trust services and electronic identification services in member states. The eIDAS Regulation aims to enhance trust in transactions in the European Union by providing a common regulatory basis for secure electronic interactions between citizens, businesses and public administrations.”
The Regulation was created
“with the aim of ensuring the proper functioning of the internal market while pursuing an adequate level of security of electronic identification means and trust services: it lays down the conditions under which Member States shall recognise electronic identification means of legal persons covered by a notified electronic identification scheme of another Member State, establish rules concerning trust services, in particular electronic transactions. Finally, it establishes a legal framework for electronic signatures, electronic documents, electronic certified delivery services and website authentication certificate services.”
The Regulation was created
“with the aim of ensuring the proper functioning of the internal market while pursuing an adequate level of security of electronic identification means and trust services: it lays down the conditions under which Member States shall recognise electronic identification means of legal persons covered by a notified electronic identification scheme of another Member State, establish rules concerning trust services, in particular electronic transactions. Finally, it establishes a legal framework for electronic signatures, electronic documents, electronic certified delivery services and website authentication certificate services.”
The idea is to ensure a kind of European citizenship in the world of the web. The objectives are thus to remove obstacles to the exercise of European citizens’ rights, to allow citizens to use their electronic identification to authenticate themselves in another Member State and to create a common basis for secure economic interaction between businesses, improving the effectiveness of electronic services for public and private individuals.
Key points of Eidas
The key points of the Eidas Regulation are:
- Setting the conditions under which member states shall recognise electronic identification means of natural and legal persons covered by a notified electronic identification scheme of another member state
- Establish standards for trust services, in particular for electronic transactions
- Establish a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic certified delivery services and website authentication certificate services.
The aim is therefore to create a common market for digital identity that can facilitate businesses, citizens and public administration in the digitisation of processes and the dematerialisation of documents and practices.
Getting more technical, the eIDAS regulation creates guidelines for the following purposes
- Outline the rights and obligations of all trust service providers, according to their characteristicsÂ
- Provide full recognition of digital signatures within the regulatory regime
- Identify European technical standards for digital signatures
- Facilitate identification, authentication and authorisation when a user, company or public administration wants to operate within the infosphere
Below is a brief description of the regulation regarding the role of Trust Service Providers (TSPs). We would like to remind you, however, that at the heart of the regulation is always the concept of identity. The very idea of digital signature, conceptually, is a corollary of digital identity.
Trust Service Provider (TSP)
The eIDAS Regulation, as it is conceived, is based on a centralised structure and therefore needs to have trust third parties that can issue trust services within the digital marketplace. The role of the trust service provider (TSP) is precisely to be the link between the regulation, the digital identity and the citizen or business.Among the types of trust service provider, there is a subgroup defined as Qualified Trust Service Provider (QTSP), whose actors are certified by Conformity Assessment Bodies, defined as CABs. A TSP is a QTSP only after a CAB has carried out an audit.
The distinction between roles within the market can be explained by the need to have different levels of trustworthiness towards a digital identity. Let us be clearer, the creation of a digital identity, at least currently, can be divided into three different levels of trustworthiness: low, significant and high. Let’s take an example: if I have to buy a cinema ticket online, or if I have to join a gym online, or if I have to make a financial transaction online, the level of trustworthiness between the declaring party and the declaring digital identity has to be certified in a completely different way. That is why a TSP or a QTSP becomes the fundamental trust service in some circumstances when one wants to eliminate the abusive use of an identity.
Conclusion
Buying a house in Nice, without moving from Rome, is now possible thanks to the eIDAS regulation. We have therefore understood how the role of digital identity enters so much into the lives of citizens. And, perhaps, even more so in the world of private companies with large movements of goods, large import and export systems that can move easily thanks to authentication systems that are recognised throughout Europe.
In this first part, we have tried to summarise the key concepts concerning the eIDAS regulation. In the second part, we will tell you how this regulation is interacting with self-sovereign identity.