Issued together with other organisations that represent stakeholders in the qualified trust services sector, the letter expresses their concerns over the risks in article 24 of the eIDAS 2 regulation Council’s general approach.
The qualified trust services sector has expressed concerns over the move and the consequence for citizens, as a number of extensively used eID schemes within Europe not only have an assurance level ‘substantial’, but are also the preferred method of identity verification for citizens, due to their increased user-friendliness.
Even for countries with notified eIDs level of assurance (LoA) high, the most predominantly used eID systems throughout Europe are fully digital and with a LoA substantial. As detailed in the open letter, some examples of successful LoA substantial systems are:
The SPID identification scheme in Italy, with 33 million active citizens;
The Swedish BankID and FrejaID+1, with over 8 million users;
The Danish NemID/MitID, with more than 5 million citizens;
And the French FranceConnect, with over 41 million users, which is also in the phase of update from LoA low to LoA substantial.
The numbers and statistics highlight that countries with a LoA substantial eID scheme saw a growing adoption and use of it, creating value to citizens and a rich environment for Qualified Trust Service Providers (QTSPs) for the issuance of Qualified Certificates that help enhance the overall security level of electronic transactions.
Even though LoA high schemes of the likes of the Italian Electronic Identity Card CIE and the German Personalausweis exist, they are restricted by a lack of user-friendliness, with a multitude of citizens having these identity cards, but not using them actively for qualified signatured or for accessing public services.
Relying on a physical card with a chip, generally with NFC function, a LoA high eID scheme can be read with compatible handsets or smart-card readers only. This implies a complex process both on the side of the user and of the maintenance teams, a fact highlighted by statistics that show how in Germany each citizen has an identity card (over 60 million), while the eID function has been used only 11 million times in 2021, as opposed to the usage of SPID, which saw 1 billion transactions.
Members of the organisations that have issued the open letter have the concern that should the LoA ‘substantial’ be removed, existing popular schemes will have to stop being used.
The EU direction is that Qualified Electronic Signatures (QES) are the preferred signature level nationally and for cross-border communication. The current text proposed for Art.24 is believed to jeopardise the mainstream availability of QES with severe consequences for both citizens and stakeholders.
In spite of policy makers’ expectation that the move will result in increased adoption of LoA high schemes of the likes of the eIDAS 2 wallet, the CSC’s and other organizations’ experience suggest that citizens and the market will opt for user friendliness and move from qualified trust services, which are believed will become less easy to obtain, towards less regulated options with a reduced level of security (advanced signatures). The belief is that the predominant driver behind the shift will be simplicity within the identification process, although at the expense of security.
For the above-mentioned reasons and more, delineated in the open letter, policymakers are urged by the CSC together with the other organisation to have the assurance level ‘substantial’ in article 24 reinstated (in line with the Commission’s initial proposal), and to revisit the issue in the time to come, following further assessment of the LoA ‘high’ feasibility.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now