eIDAS Compliance

  1. What is the eIDAS Regulation?
  2. Why Was eIDAS Introduced?
  3. What Does eIDAS Include?
  4. Who Provides Electronic Trust Services?
  5. What are the Benefits of Complying with the eIDAS Regulation?
  6. Where is eIDAS Applicable, and Who Should Comply?
  7. What is eIDAS 2.0?
  8. How is eIDAS 2.0 different from eIDAS 1.0?
  9. When will eIDAS 2.0 be enforced?
  10. eIDAS for Secure and Fast Digital Transactions

What is the eIDAS Regulation?

eIDAS stands for electronic identification, authentication, and trust services and refers to a European Union (EU) regulation that governs electronic transactions in the EU member states.

The two primary objectives of the eIDAS regulation include:

  • Enable mutual recognition of the member states' notified electronic identification (eID) schemes so that electronic transactions are secure and seamless across borders. This allows citizens, businesses, and public authorities within the EU to use their national eID when accessing public services online in any EU member state.
  • Create a single digital market for trust services in the EU by ensuring that the trust services work across borders and have the same legal status as their traditional paper-based counterparts.

By providing legal certainty to electronic identification and trust services, eIDAS aims to build trust and confidence in electronic transactions and promote their usage.

eIDAS was adopted in 2014 as Regulation (EU) No 910/2014 and has applied across the EU since July 1, 2016, repealing the earlier eSignatures Directive (1999/93/EC).

Why Was eIDAS Introduced?

Previously, identity verification mandated the physical attendance of customers in the commercial office, store, or branch of the organization they were transacting with. The entire process was paper-driven, requiring in-person meetings, signatures, physical stamps, and documents. This inevitably led to long waiting periods and process delays, leaving customers frustrated.

The eIDAS regulation was introduced to remove these process barriers and make the transactional experience friction-free for both customers and organizations. eIDAS provides the framework for reliable digital identification, allowing users to verify their identity online without appearing in person. It does not declare every electronic mechanism equally secure: eID schemes are notified at one of three assurance levels (low, substantial, high), and a trust service must pass an audit by a Conformity Assessment Body before a member state's supervisory body grants it qualified status.

By creating a flexible and secure online environment for user verification, eIDAS accelerates the transactional process and improves user experience while reducing cost and workload for organizations.

What Does eIDAS Include?

To help EU member states recognize electronic identification and trust services as legal equivalents of physical or paper-based services, eIDAS sets the requirements for providing, and the legal effect of, trust services such as electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services, and certificate services for website authentication.

The trust services covered under the eIDAS regulation include:

  1. Advanced and Qualified Electronic Signatures, associated with a natural person (the signatory)
  2. Advanced and Qualified Electronic Seals, associated with a legal person (a company or public body)
  3. Qualified validation for Qualified Electronic Signatures and Seals
  4. Qualified preservation of Qualified Electronic Signatures and Seals
  5. Qualified time stamps
  6. Electronic Registered Delivery Services (ERDS)
  7. Qualified Website Authentication Certificate (QWAC)

Here are the definitions of the trust services covered under the eIDAS regulation:

1. Electronic Signature: Data in electronic form that is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.

eIDAS classifies electronic signatures into three types with increasing levels of security:

  • Simple Electronic Signature (SES): Any form of a digital mark that indicates the acceptance of a document. It could be a typed name, a scanned copy of the handwritten signature, or pressing a button that says ‘I Agree’ or ‘I accept,’ also referred to as a clickwrap signature. eIDAS does not allow an SES to be denied legal effect solely because it is electronic, but an SES carries no technical proof of who signed or that the document is unchanged, so it is acceptable only where the identity of the signatory need not be verified.
  • Advanced Electronic Signature (AES): Because a Simple Electronic Signature is easy to forge or to detach from the document, an AES imposes stricter requirements for high-risk and sensitive transactions, such as loan applications, property sales, etc. According to Article 26 of the eIDAS regulation, an advanced electronic signature must be:
    • Uniquely linked to the signatory
    • Capable of identifying the signatory
    • Created using signature creation data (in practice a private key) that the signatory can, with a high level of confidence, use under their sole control
    • Linked to the signed data in such a way that any subsequent change in the data is detectable
  • Qualified Electronic Signature (QES): The QES is granted a special status in the eIDAS regulation, which gives it the same legal effect as a handwritten signature across the EU. According to eIDAS, a QES is an advanced electronic signature that must additionally:
    • Be created by a qualified signature creation device (QSCD): a certified device (smart card, USB token, or a remote QSCD operated by a QTSP) that holds the private key so that it cannot be extracted or used without the signer
    • Be based on a qualified certificate for electronic signatures issued by a Qualified Trust Service Provider (QTSP) that appears on a member state trusted list. The certificate is public: it binds the signing key to the identity the QTSP verified and carries statements that the certificate is qualified and that the key is held in a QSCD. It is the private key, not the certificate, that must stay on the QSCD.

2. Electronic Seals (eSeals): These are data in electronic form attached to or logically associated with other electronic data to ensure the latter's origin and integrity. They are the electronic equivalent of a company stamp on invoices and contracts and, unlike a signature, belong to a legal person rather than an individual. A Qualified Electronic Seal is created with a key held in a qualified electronic seal creation device and is based on a qualified certificate for electronic seals.

3. Electronic Timestamp (eTimestamp): This is electronic data that binds other electronic data to a particular point in time, providing evidence that the data existed at that time. A qualified timestamp enjoys a presumption of accuracy of the date and time it indicates and of the integrity of the data bound to it. Used together with a Qualified Electronic Signature, it proves when the document was signed, which is what keeps the signature verifiable after the signing certificate has expired or been revoked.

4. Electronic Registered Delivery Services (ERDS): These services provide a secure infrastructure for the electronic transfer of data between two transacting parties or systems, with evidence, such as proof of sending and receipt. This builds accountability and minimizes the risk of data getting stolen, lost, or altered.

5. Qualified Website Authentication Certificate (QWAC): These are TLS certificates issued by a QTSP that bind a website's domain to the verified legal identity of the entity operating it. Browsers validate a QWAC like any other TLS certificate; its qualified status is checked by relying software that looks for the qualified statements in the certificate and confirms the issuer on the EU trusted lists. That is how, for example, PSD2 payment interfaces identify the institution at the other end of a TLS connection. For end users, a QWAC provides additional confidence about who is behind a site, which helps protect them from phishing sites and online scams.
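The definitions above describe what a qualified certificate asserts; the Go program below, written for this page and not taken from the regulation, a QTSP, or any vendor, shows what a relying party can actually check in the certificate. It builds a self-signed certificate (constructed, with a hypothetical subject) that carries the qcStatements extension a QTSP would put in a qualified certificate for electronic signatures, reads back the QcCompliance, QcSSCD and QcType statements to classify it as esign, eseal or web, and signs and verifies a document with the same key to show the AES properties (sole control of the key, identification of the signer through the certificate, detection of any change to the signed data). The OIDs are the real ones from RFC 3739 and ETSI EN 319 412-5. What the example does not do, and a real verifier must, is validate the certificate chain and confirm the issuer on an EU member state trusted list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// Real identifiers: the qcStatements extension (RFC 3739) and the ETSI EN 319 412-5 statements.
var (
	oidQcStatements = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3}
	oidQcCompliance = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 1} // issued as a qualified certificate
	oidQcSSCD       = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 4} // private key is held in a QSCD
	oidQcType       = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6} // statementInfo: SEQUENCE OF type OID
	qcTypeNames     = map[string]string{"0.4.0.1862.1.6.1": "esign", "0.4.0.1862.1.6.2": "eseal", "0.4.0.1862.1.6.3": "web"}
)

// qcStatement mirrors QCStatement ::= SEQUENCE { statementId OID, statementInfo ANY OPTIONAL }.
type qcStatement struct {
	ID   asn1.ObjectIdentifier
	Info asn1.RawValue `asn1:"optional"`
}

// QualifiedStatus holds the claims a certificate makes about itself.
type QualifiedStatus struct {
	Qualified bool   // QcCompliance present
	KeyInQSCD bool   // QcSSCD present
	Type      string // "esign", "eseal", "web", or "" without a QcType statement
}

// makeQualifiedSignerCert builds a constructed, self-signed P-256 certificate (hypothetical subject)
// carrying the qcStatements a QTSP puts in a qualified certificate for electronic signatures.
func makeQualifiedSignerCert() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	typeInfo, _ := asn1.Marshal([]asn1.ObjectIdentifier{{0, 4, 0, 1862, 1, 6, 1}}) // QcType = esign
	qc, _ := asn1.Marshal([]qcStatement{{ID: oidQcCompliance}, {ID: oidQcSSCD},
		{ID: oidQcType, Info: asn1.RawValue{FullBytes: typeInfo}}}) // static input, cannot fail
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Signer"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidQcStatements, Value: qc}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// parseQcStatements reads the qualified-status claims from a parsed certificate.
func parseQcStatements(cert *x509.Certificate) (QualifiedStatus, error) {
	var st QualifiedStatus
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidQcStatements) {
			continue
		}
		var stmts []qcStatement
		if rest, err := asn1.Unmarshal(ext.Value, &stmts); err != nil || len(rest) != 0 {
			return st, errors.New("malformed qcStatements extension")
		}
		for _, s := range stmts {
			st.Qualified = st.Qualified || s.ID.Equal(oidQcCompliance)
			st.KeyInQSCD = st.KeyInQSCD || s.ID.Equal(oidQcSSCD)
			if s.ID.Equal(oidQcType) {
				var types []asn1.ObjectIdentifier
				if _, err := asn1.Unmarshal(s.Info.FullBytes, &types); err != nil || len(types) == 0 {
					return st, errors.New("malformed QcType statement")
				}
				st.Type = qcTypeNames[types[0].String()] // one type per certificate in practice
			}
		}
	}
	return st, nil
}

// isQESCapable reports the certificate's own claim (qualified, key in a QSCD, type esign);
// a verifier must still find the issuer on an EU member state trusted list.
func isQESCapable(st QualifiedStatus) bool {
	return st.Qualified && st.KeyInQSCD && st.Type == "esign"
}

// The AES properties in code: only the key holder can produce the signature, the certificate
// identifies the signer, and any change to the signed bytes makes verification fail.
func signDocument(key *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

func verifyDocument(cert *x509.Certificate, doc, sig []byte) error {
	return cert.CheckSignature(x509.ECDSAWithSHA256, doc, sig)
}
```

A production verifier would read these statements from the signer's certificate inside the signature container (CAdES, XAdES or PAdES), and the QcSSCD statement is only as trustworthy as the QTSP that issued it, which is why the trusted-list check is not optional.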

Who Provides Electronic Trust Services?

Trust Service Providers (TSPs) provide electronic trust services. Most are Certificate Authorities (CAs) that issue the digital certificates behind electronic signatures and seals, but the term also covers providers of timestamps, registered delivery, and validation and preservation services. Qualified Trust Service Providers (QTSPs) are TSPs that have passed a conformity assessment, been granted qualified status by their member state's supervisory body, and been published on that member state's trusted list (the European Commission aggregates these in the EU List of Trusted Lists). Only QTSPs can offer qualified trust services, such as the qualified certificates and QSCDs required for a Qualified Electronic Signature.

What are the Benefits of Complying with the eIDAS Regulation?

In complying with eIDAS, organizations and citizens can benefit in many ways, including:

  • Minimized process overhead and costs: As administrative services are carried out online, paper workloads and associated costs are reduced. The process is more streamlined and user-friendly. Organizations can share the documents with users and receive their legally accepted signatures online, accelerating the identification and customer acquisition process.
  • Increased trust and security in cross-border transactions: When working with businesses in other EU member states, electronic signatures make business transactions more secure. A QES gives a high level of assurance about who signed and that the content is unchanged, which is not available when documents are sent by physical means such as post or fax.
  • Interoperability and service convenience: Businesses today increasingly work either with partners in other member states or in multiple member states. In such cases, the EU-wide standard for electronic identification and trust services makes it easier and faster for businesses to carry out their transactions anywhere in the EU. There is no uncertainty over the legitimacy of the deal or legal compliance in different regions. eIDAS is also immensely useful for citizens, as it allows people from one EU member state to access public services in other EU member states electronically using their existing national eID and complete transactions regardless of their location.
  • Transparency and standardization in the EU market: By establishing uniform standards for the use of trust services across the EU, eIDAS makes electronic services more transparent and supports a Digital Single Market (DSM) in which trust services complying with the regulation circulate freely in the internal market.

Where is eIDAS Applicable, and Who Should Comply?

The eIDAS regulation is directly applicable in all EU member states. Its obligations fall on member states, on trust service providers (with the strictest requirements on QTSPs), and on anyone who wants electronic identification or a trust service to have legal effect across the EU, whether an individual, a business, or a public authority.

Because European organizations are expected to work within eIDAS, any organization with a European presence or doing business with an organization in the EU will encounter it. The United Kingdom retained eIDAS in domestic law after leaving the EU, with amendments; UK trust service providers are no longer on the EU trusted lists, so their services do not count as qualified within the EU.

What is eIDAS 2.0?

In June 2021, the European Commission proposed an update to the eIDAS regulation of 2014. The revision, popularly known as eIDAS 2.0, builds on the original regulation and aims to improve the security and reliability of identification and trust services to ensure the regulation is implemented consistently across all member states, in both public and private sectors.

At the heart of eIDAS 2.0 is the European Digital Identity (EUDI) Wallet: a mobile application or cloud service that lets EU citizens, residents, and businesses store and manage identity credentials and attestations of attributes and present them securely and privately to public and private services.

How is eIDAS 2.0 different from eIDAS 1.0?

Where eIDAS 1.0 cross-border authentication released a fixed minimum data set (name, date of birth, and a persistent unique identifier) regardless of what the service needed, the revised proposal centres on the end user and adopts the selective-disclosure principle of self-sovereign identity (SSI): users share only the information a particular transaction requires instead of revealing everything. For instance, if someone needs to prove their age to use a service, they can present just that attribute and withhold other personal details, such as their home address or driver's license number.
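An added example, written for this page and not taken from the regulation or from the EUDI Wallet reference implementation, of how selective disclosure works in Go. It is modelled loosely on the salted-hash approach of SD-JWT: the issuer signs only the digests of salted claims, the wallet reveals the salt and value of just the claims the user picks, and the relying party checks the revealed claims against the signed digests. Claim names and values are constructed, and the encoding is a simplified stand-in for a real credential format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"sort"
	"strings"
)

// Disclosure is one claim plus the random salt that hides it behind its digest.
type Disclosure struct {
	Salt, Name, Value string
}

// digest commits to a disclosure. The 16-byte salt stops a relying party from brute-forcing
// low-entropy values (a birth date, a postcode) out of the digest of a claim that was not revealed.
func digest(d Disclosure) string {
	h := sha256.Sum256([]byte(d.Salt + "|" + d.Name + "|" + d.Value))
	return hex.EncodeToString(h[:])
}

// digestsMessage is the only thing the issuer signs: the sorted digest list, never the plaintext.
func digestsMessage(digests []string) []byte {
	h := sha256.Sum256([]byte(strings.Join(digests, ",")))
	return h[:]
}

// Credential is what the issuer hands to the wallet.
type Credential struct {
	Disclosures []Disclosure
	Digests     []string
	Signature   []byte
}

// Presentation is what the wallet shows a relying party: the signed digests and only the chosen claims.
type Presentation struct {
	Digests   []string
	Signature []byte
	Revealed  []Disclosure
}

func newIssuerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Issue is run by the issuer (for instance a national eID provider) over the holder's attributes.
func Issue(issuer *ecdsa.PrivateKey, claims map[string]string) (Credential, error) {
	var c Credential
	for name, value := range claims {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return c, err
		}
		d := Disclosure{Salt: hex.EncodeToString(salt), Name: name, Value: value}
		c.Disclosures = append(c.Disclosures, d)
		c.Digests = append(c.Digests, digest(d))
	}
	sort.Strings(c.Digests) // canonical order; also hides the map's iteration order
	sig, err := ecdsa.SignASN1(rand.Reader, issuer, digestsMessage(c.Digests))
	c.Signature = sig
	return c, err
}

// Present keeps only the named claims; the salts and values of the others never leave the wallet.
func (c Credential) Present(names ...string) Presentation {
	p := Presentation{Digests: c.Digests, Signature: c.Signature}
	for _, d := range c.Disclosures {
		for _, n := range names {
			if d.Name == n {
				p.Revealed = append(p.Revealed, d)
			}
		}
	}
	return p
}

// Verify is run by the relying party: check the issuer's signature over the digests, then check
// that every revealed claim recomputes to one of those digests. Returns the revealed claims.
func Verify(issuer *ecdsa.PublicKey, p Presentation) (map[string]string, error) {
	if !ecdsa.VerifyASN1(issuer, digestsMessage(p.Digests), p.Signature) {
		return nil, errors.New("issuer signature does not cover these digests")
	}
	signed := make(map[string]bool, len(p.Digests))
	for _, d := range p.Digests {
		signed[d] = true
	}
	claims := make(map[string]string, len(p.Revealed))
	for _, d := range p.Revealed {
		if !signed[digest(d)] {
			return nil, errors.New("revealed claim " + d.Name + " was not attested by the issuer")
		}
		claims[d.Name] = d.Value
	}
	return claims, nil
}
```

The relying party learns how many claims the credential contains but nothing about the withheld ones, and it cannot be fooled by an altered or invented claim because its digest will not be among those the issuer signed. Real wallet formats add holder binding (proof that the presenter owns the credential) and measures against linking presentations to each other, which this sketch leaves out.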

Another significant change introduced by eIDAS 2.0 is the expansion of the regulation's scope with new types of trust services: electronic attestations of attributes, electronic archiving services, electronic ledgers, and the management of remote electronic signature and seal creation devices.

eIDAS 2.0 also aims to remove the complexities and barriers that the earlier regulation posed for the private sector by providing more detailed technical and operational requirements and guidelines around employing electronic identification and trust services. This will help reduce online fraud, protect privacy rights, and increase transparency.

When will eIDAS 2.0 be enforced?

The revision was adopted as Regulation (EU) 2024/1183 and entered into force on 20 May 2024. Member states must offer at least one EUDI Wallet within 24 months of the implementing acts that fix its technical specifications, which puts wallet availability in late 2026 rather than the September 2023 date originally anticipated. When the revision was proposed, only 14 member states had notified electronic ID schemes, covering 59% of EU citizens; with eIDAS 2.0, the European Commission expects 80% of EU citizens to use a digital ID by 2030.

eIDAS for Secure and Fast Digital Transactions

The eIDAS regulation lays a strong foundation and clear legal framework for people, businesses, and public administrations to securely and conveniently carry out regular online activities, such as filing tax returns, getting a driver’s license, applying for university, opening a bank account, setting up a business in another member state, and more. When implemented, eIDAS 2.0 will be a game-changer for both the public and the private sector by serving as a key enabler for secure digital transactions.