Viky Manaila, Trust Services Director at Intesi Group, offers insights into Europe’s digital identity wallet, highlighting updates and future steps.
After 32 months, 1010 amendments, 4 political trilogues, 37 technical trilogue meetings, countless discussions with stakeholders, and hearings since June 2021, we can finally shout out HABEMUS eIDAS 2.0! The Regulation was voted on in the plenary of the EU Parliament on 29th February and will enter into force 20 days after its publication in the Official Journal of the European Union. What is coming next, how will it change the lives of EU citizens and the global digital identity landscape, and what is still needed to open the doors wide to secure and privacy-protecting online interactions?
First of all, we should make clear that eIDAS 2.0 will NOT repeal the eIDAS Regulation but will amend it, meaning that we need both at hand and must look carefully at what has been changed. Several points deserve special attention, and the list below is not exhaustive:
Article 24.1 - Identity verification for the issuance of qualified certificates for electronic signatures or qualified electronic attestations of attributes shall be based on the EDIW (European Digital Identity Wallet) or on a notified electronic identification means which meets the requirements for the assurance level ‘high’; the level of assurance ‘substantial’ has been removed. The transitional period for services provided under the current regulation in this case is 24 months, a period in which providers must update their identity verification methods.
What will happen with the eIDs ‘substantial’? Will they be abandoned? The answer is NO; those eIDs will continue to exist and can be on-boarded into the Wallet in conjunction with additional remote procedures, raising the level of assurance at ‘high’. The European Commission is expected to publish an implementing act establishing technical and operational specifications to facilitate that. However, outside the Wallet, these ‘substantial’ eIDs can no longer be used for the generation of qualified electronic signatures.
Therefore, it is strongly recommended that all trust service providers and stakeholders who have implemented automated document-signing solutions based on on-the-fly electronic identity verification start assessing the impact of this change and update their services in due time.
eIDAS 2.0 is expanding the categories of trust services, electronic archiving being one of the additions. ‘Electronic archiving means a service ensuring the receipt, storage, retrieval, and deletion of electronic data and electronic documents in order to guarantee their durability and legibility as well as to preserve their integrity, confidentiality, and proof of origin throughout the preservation period.’
E-archiving is already available on the market, defined by national rules and, therefore, subject to diverse requirements and to no cross-border acceptance or recognition. Introducing it as a trust service regulated by eIDAS 2.0 leads to a European approach, avoiding fragmentation and likely resulting in increased demand for the service across the whole market. At the same time, it comes with a set of requirements and obligations specific to trust service providers, such as procedures and technologies capable of ensuring the durability and legibility of the electronic data over time, and their integrity and accuracy from the beginning of the preservation period to the moment of retrieval.
As eIDAS 2.0 updates article 16 regarding Penalties for trust service providers, regardless of whether they are qualified or non-qualified, e-archiving providers will be subject to administrative fines of ‘a maximum of at least EUR 5,000,000 when the trust service provider is a natural person or EUR 5,000,000 or 1% of the total worldwide annual turnover of the undertaking to which the trust service provider belonged in the financial year preceding the year in which the infringement occurred, whichever is higher.’
Again, the same recommendations apply: to e-archiving providers - assess your services against the new requirements and work towards compliance, as 24 months fly fast; to stakeholders - check with your e-archiving provider their plan and timeline to become compliant and whether the service will become qualified.
Creating a market for the secure cross-border exchange of digital identity attributes, such as proof of age (already an overused example), professional qualifications, e-prescriptions, driving licences, insurance, and all sorts of data linked to the user’s eID, is widely anticipated and appears to be the real bet of eIDAS 2.0.
The Regulation requires Member States to ensure measures allowing qualified trust service providers to verify attributes against data stored in authentic sources. Such verification requires technical and legal links and the full control of the user or data subject. This comes with several challenges: the technical costs for public authorities to enable access to the stored data, the willingness of public authorities to open up to the private sector and under which conditions, and the business model. So the success and take-off of electronic attestations of attributes (EAAs) rest on intertwined dependencies; therefore, raising awareness among the public entities that own the data is paramount.
The whole ecosystem has been designed to put citizens in control of their data and to give them access to services in a secure and privacy-protecting way. Only the identity attributes required for a transaction will be shared; relying parties will not be able to request more data than needed and will be subject to uniform rules.
eIDAS 2.0 defines a Relying Party as ‘a natural or legal person that relies upon an electronic identification, European Digital Identity Wallets or other electronic identification means, or a trust service’ and makes it subject to registration and pre-authorisation by the Member State’s competent authority in order to get access to the EUDI Wallet. All of them, with no exceptions, must go through a process declaring the intended use of the Wallet and the data to be requested. A common mechanism for the identification and authentication of relying parties will be provided by the European Commission through an Implementing Act.
The benefits for online service providers to use eIDs for customer identification and due diligence are immense, but will they be willing to enter into a pre-authorisation process?
‘Union citizens should have the right to a digital identity that is under their sole control and that enables them to exercise their rights as citizens in the digital environment and to participate in the digital economy. To achieve this aim, a European digital identity framework should be established allowing Union citizens to access public and private online and offline services throughout the Union.’
‘A harmonised digital identity framework should create economic value by providing easier access to goods and services and by significantly reducing operational costs linked to identification and authentication procedures, for instance during the on-boarding of new customers, by reducing the potential for cybercrimes, such as identity theft, data theft and online fraud, thus promoting efficiency gains and the secure digital transformation of Union’s micro, small and medium-sized enterprises (SMEs).’ (extracts from the Preamble of eIDAS 2.0)
We have come a long way, and immense effort and dedication stand behind this regulation. We have the governance, the standards supporting these new services are in the making, the development of the EDIW reference implementation is on track, and large-scale pilots co-funded by the European Commission are working to deploy the most important use cases. It is now time for awareness and market education, as we know that changing people’s habits is not easy.
To delve deeper into how eIDAS 2.0 revolutionizes authentication for financial transactions and TPPs under PSD2, explore Viky Manaila's comprehensive analysis featured in the Open Finance Report 2023.
About Viky Manaila
Viky is an international expert in the field of electronic signatures, digital identity, and digital transformation processes. She has been contributing to the impact assessment for the revision of the eIDAS Regulation in support of the European Commission, to establish a legislative framework for a secure, widely usable, and interoperable Digital Identity for the Digital Single Market – eIDAS 2.0.
About Intesi Group
An Italian private company, Qualified Trust Service Provider according to eIDAS Regulation, Intesi Group has more than 20 years of experience in cryptography, technology development, and trust services provisioning, serving customers from the highest regulated industries such as financial, biopharmaceutical, and healthcare.