by Mark Say

Does eIDAS provide the strength and flexibility for e-IDs?

Mar 10, 2015
6 mins
Security Software

Backbones have to be flexible. EU ministers may not have considered the metaphor when they passed the regulation on identification and trust services for electronic transactions (eIDAS) last summer, but it’s apt to think of it as providing a backbone for the digital single market.

eIDAS was drawn up to strengthen trust in the relevant mechanisms when using online services or engaging in digital trade between member states. Member states have been developing their own approaches towards e-identification and, with everybody wanting a slice of a transnational digital economy, acknowledged a need for rules to ensure that a mechanism used by one EU member would be accepted in another. The emphasis was on flexibility rather than a prescriptive approach.

This was reflected in the words of Neelie Kroes, the European Commission’s vice president for digital at the time, who described it as “a stable framework for secure services” and emphasised the importance of features including interoperability, risk management and technology neutrality. The regulation focuses on public services, encouraging the private sector to follow their lead, and is intended to provide a launchpad for developing e-identification solutions.

Most of eIDAS will apply from July 2016 – replacing the existing regulation on electronic signatures – and it will not need any legislation by member states, although they will have to adapt their procedures and systems to comply. The Commission is working on the implementing acts for an interoperability framework, to cover features such as technical specifications, minimum sets of ID data and operational security standards, which are due to be completed by September 2015. It is also drawing up rules for trust service providers – to be complete by July 2016 – and has set a 2018 deadline for mandatory mutual recognition of eIDs for public services by member states.

Some observers are worried about that deadline when it is still not clear how the regulation will work. “I don’t think it’s been thought through in enough detail, and the devil is in the detail,” says Andy Smith, a member of the Identity Assurance Working Group at BCS, The Chartered Institute for IT.

“The eIDAS legislation is a very good idea, but the problem is that it’s more about implementation and the foundations it’s built on.”

He says it will be interesting to see what the Commission produces in the implementing acts, but that he has little confidence in some of the identity products now used in the EU. Also, not all of the national assurance schemes are sufficiently robust, with enrolment processes that are not particularly rigorous, and there is no guarantee that they will become so by the deadline for mandatory mutual recognition. This can undermine the credibility of authenticating identities online, especially when the person is in an unsupervised environment.

It raises further questions about liability models and legal frameworks to protect organisations that are deceived by false identities.

“What protection mechanisms are they going to put in place to ensure that if those schemes fail or are abused those that are forced to use them are not liable? It’s about where the blame would fall, and if it’s abused who would be accountable?”

There are more positive perspectives on the legislation. Phil Greenwood, commercial director at records management and data protection specialist Iron Mountain, says the consistency of standards that should come from eIDAS will reduce some of the challenges faced by CIOs and information teams. He cites the example of how many feel a need to print electronic documents in order to sign them, then scan them back into document management systems. eIDAS, he says, should do more to facilitate the use of e-signatures.

“e-Signatures mean that data can exist in just the one format and that its every movement, amendment and security is tracked reliably,” he says.

Similarly, the Paris-based Secure Identity Alliance (SIA) has publicly welcomed the regulation, and a spokesperson says it expects benefits in building a trust framework between member states, which in turn will support the development of cross-border online services.

SIA acknowledges, however, that a few factors have to be addressed to build confidence in the regulation. One is the need for a clear differentiation between ‘substantial’ and ‘high’ levels of assurance, and to resist the temptation to focus too much on the ‘low’ level to encourage adoption.

“We strongly believe the success of the digital single market depends on countries delivering solutions and services at the highest assurance level,” it says.

SIA also points to the need for clear definitions for functions such as an implementation framework, an interoperability model that is the base for an ecosystem (it favours something like EMV for payment card interoperability) and privacy by design. It also wants a security model based on the Senior Officials Group Information Systems Security (SOG-IS) EAL4+ standard, and e-identification based on best practice rather than minimum standards.

On technology it wants a flexible approach, but without relaxing the requirements for security and privacy protection. It says there are technologies in place that could easily be made compliant with eIDAS, and cites biometrics as one that has matured to an extent that it could provide solutions.

There are broad implications for the market for e-identification and trust services across Europe. Phil Greenwood says eIDAS will make it easier for organisations to bid for contracts across borders, and that there will be “a rich new market” for companies of all sizes that comply with the legislation.

Andy Smith suggests that those who show they are ready to be more rigorous than the legislation demands could use it as a selling point.

“Organisations that put trust services in place in such a way that they can evidence the trust will develop a market,” he says. “But I think those will be organisations that act of their own cognisance to go way beyond the legislation.”

As for the implications for how organisations deal with identification, SIA says: “Service providers will need to define the level of assurance that they request/need for each of their services. For that they will need to clearly understand their rights, liabilities and risks.

“The public services must take into account that they will be obliged to accept all electronic identification means that will be notified, from their own or other member states, at an equivalent or higher level than the one they request for their services.”

It is important to note that the mandatory element of eIDAS will apply only to public services; but there is a view that it will only fulfil its promise when it has a wide effect on how the private sector approaches the issue.

“For the private sector, it will mainly depend on the way governments will develop or adapt their digital identity framework to eIDAS,” says the SIA spokesperson.

“If sufficient member states adopt eIDAS, it can be expected that the private sector will also adopt as it allows them to easily extend their market to other EU countries.

“For those member states who do adopt eIDAS, their economies will be given a boost and gain significant competitive advantage over those that do not.”