What’s new in the eIDAS Regulation, who will it impact and how?
July 13, 2016 - Authentication, trust services and eID
As of 1 July 2016, the eIDAS Regulation (EU) 910/2014 will repeal the electronic Signature Directive 1999/93/EC. Regarding electronic signatures, not much will change. However, the eIDAS Regulation covers not only electronic signatures but also authentication, and it lays down rules and a legal framework for a number of other trust services. This article provides an overview of the changes introduced by the eIDAS Regulation, the parties it will impact and how.
Regarding authentication, the Regulation offers Member States the possibility of cross-border acceptance of their authentication means for natural and legal persons. For cross border acceptance, the electronic identification scheme needs to be notified. How notification needs to take place is described in Commission Implementing Decision (EU) 2015/1984. Notification needs to be done by the Member State’s single point of contact as described in Commission Implementing Decision (EU) 2015/296. This Implementing Decision also describes how the Member States will cooperate.
Authentication on the basis of notified schemes shall be accepted by public bodies in other Member States, provided that the assurance level corresponds to the assurance level required for the service, and may be accepted by private parties. To this end, the Regulation defines three assurance levels: low, substantial and high. The requirements for these three assurance levels have been laid down in Commission Implementing Regulation (EU) 2015/1502. This Implementing Regulation puts down requirements for each level regarding enrolment, electronic identification means management, authentication, and management and organization. Important distinguishing requirements for the levels Substantial and High are the following:
- Enrolment
  - Identity proofing during enrolment may be done either in person or via electronic means.
  - Assurance level Substantial requires verification of evidence such as an identity document, or of electronic means at level Substantial.
  - Assurance level High requires verification of evidence such as an identity document, or of electronic means at level High.
- Electronic identification means management
  - Assurance level Substantial requires two-factor authentication.
  - Assurance level High additionally requires that the electronic identification means protect against duplication and tampering, as well as against attackers with high attack potential.
  - Assurance levels Substantial and High both require dynamic authentication.
- Management and operation
  - Assurance level High requires independent periodic external audits.
Commission Implementing Regulation (EU) 2015/1501 defines the minimum set of person identification data which needs to be exchanged between Member States, as well as optional additional attributes. It also defines nodes, which will be responsible for connecting Member States in a secure manner and have the capability to recognize and process or forward transmissions. Regarding the technical implementation of the communication infrastructure architecture and the message format, the Regulation stays rather high level. Technical specifications have been developed as part of the digital service infrastructure under Regulation (EU) 1316/2012. These technical specifications cover, among other things, the interoperability architecture, the message format, the attribute profile and cryptographic requirements. ISO/IEC 27001 certification of the nodes (or a comparable certification) is required by (EU) 2015/1501.
Effects of the eIDAS Regulation authentication requirements on Member States and eID scheme participants
Adding authentication to the Regulation and defining assurance levels for it is a useful extension. The eSignature Directive did not mention authentication. Authentication on the basis of the eSignature mechanism could be covered by that Directive, but assurance levels were missing. Besides, more modern authentication mechanisms do not make use of the eSignature mechanism for authentication and could therefore not be covered by the eSignature Directive. The assurance levels and cross-border acceptance architecture defined in the eIDAS Regulation are based on the results of the STORK project. Assurance levels had also already been defined in ISO/IEC 29115. It is unclear why the Regulation does not refer to this international standard but puts down its own requirements for assurance levels.
Cross-border acceptance of electronic authentication fully corresponds to one of the main ideas of the European Union, i.e. realizing one internal market. Because it is based on the results of the STORK project, it has been tested in practice and reference implementations are available. Acceptance of authentication based on notified schemes shall only be mandatory from September 2018 onwards. All Member States accepting a national authentication means at level Substantial or High for a public service shall have to accept foreign authentication means of notified schemes as well. It is up to Member States’ governments to notify eID schemes and to initiate support for mutual recognition by implementing, or having implemented, an interoperability infrastructure and nodes. eID scheme participants such as identity providers and relying parties will need to realize connections to these nodes. How these connections between scheme participants and nodes shall be realized is a national matter.
The eIDAS Regulation may also lead to some (minor) changes regarding assurance level requirements in eID schemes as the scheme supervisors have to ensure the assurance levels used in the scheme correspond to the assurance levels as described in the eIDAS regulation. Identity providers may need to make some changes to their solution, relying parties may want to re-assess the assurance level they require for a service.
In addition to electronic signatures already defined in Directive 1999/93/EC, the eIDAS Regulation introduces electronic seals. eSeals are comparable to eSignatures but placed by a legal person instead of a natural person. eSignature and eSeal certificates are issued by a trust service provider (previously called certification service provider). Trust service providers can also provide the following services to enable and/or facilitate verification of electronic transactions: validation services, preservation services, time stamping, registered electronic delivery, and website authentication.
Trust service providers
Trust service providers can be either qualified or non-qualified. Qualified trust service providers have to adhere to stricter rules and are more closely supervised by a supervisory body. Supervisory bodies shall be established to supervise qualified trust service providers and to take action in relation to non-qualified trust service providers when informed that they allegedly do not meet the requirements laid down in the eIDAS Regulation. Both qualified and non-qualified trust service providers shall take technical and organizational measures to manage the risks posed to the security of the trust services they provide, and shall notify the supervisory body in case of a security breach. In case the security breach is likely to adversely affect a natural or legal person, they shall also notify that natural or legal person. This corresponds to the General Data Protection Regulation (EU) 2016/679. The supervisory body shall report the security breaches to ENISA on a yearly basis.
Qualified trust service providers will be published on a trusted list. The technical specifications and format of the trusted list are specified in Commission Implementing Decision (EU) 2015/1505, which refers to ETSI TS 119 612. Qualified trust service providers may use the EU trust mark to indicate in a simple, recognizable and clear manner the qualified trust services they provide. This EU trust mark is specified in Commission Implementing Regulation (EU) 2015/806.
Electronic signatures and seals
Qualified electronic signatures shall have the equivalent legal effect of a handwritten signature and qualified electronic signatures and seals based on a qualified certificate shall be recognized cross border. Public sector bodies shall not request a higher security level than the qualified electronic signature or seal. A qualified electronic signature or seal is an advanced electronic signature or seal created by a Secure Signature/Seal Creation Device (SSCD). This SSCD may also be managed by the trust service provider on behalf of the signatory as Commission Implementing Decision (EU) 2016/650 shows. Advanced electronic signatures and seals are:
- uniquely linked to the signatory/creator,
- capable of identifying the signatory/creator,
- created using electronic signature/seal creation data that the signatory/creator can, with a high level of confidence, use under his sole control, and
- linked to the data signed therewith/to which it relates in such a way that any subsequent change in the data is detectable.
Specifications for the formats of advanced electronic signatures and seals to be recognized by public sector bodies have been laid down in Commission Implementing Decision (EU) 2015/1506. These include XML, CMS and PDF formats at all levels. The Implementing Decision refers to ETSI standards TS 103171, 103172, 103173 and 103174.
Qualified certificates for electronic signatures shall meet the requirements in Annex I of the eIDAS Regulation, and those for electronic seals the requirements in Annex III. SSCDs shall meet the requirements in Annex II of the eIDAS Regulation and shall be certified on the basis of a security evaluation. The standards for the security assessment of qualified SSCDs have been laid down in Commission Implementing Decision (EU) 2016/650. The evaluation is a Common Criteria evaluation based on the Protection Profiles laid down in European Norm 419211. A list of certified SSCDs shall be published.
Validation and preservation of qualified electronic signatures and seals may be offered according to the eIDAS Regulation. The Commission may, by means of implementing acts, establish reference numbers of standards for these services. To date these have not been published.
Time stamping, eDelivery and website authentication
The eIDAS Regulation provides legal effect to electronic time stamps, and qualified electronic time stamps shall enjoy the presumption of the accuracy of the date and time they indicate and of the integrity of the data to which the date and time are bound. Qualified time stamps are recognized cross-border.
Similar conditions hold for electronic registered delivery services. Data sent and received using a qualified electronic registered delivery service shall enjoy the presumption of the integrity of the data, the sending of that data by the identified sender, its receipt by the identified addressee, and the accuracy of the date and time of sending and receipt indicated by the qualified electronic registered delivery service.
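As an added illustration (not part of the original article, and not an eIDAS or ETSI format such as XAdES, CAdES or RFC 3161 tokens), the following Go program models the four properties of an advanced electronic signature listed in the previous section and the time-stamp presumption described here. It assumes Ed25519 key pairs, a hypothetical Signer type standing in for the signatory, the seal creator and the time-stamping authority, a hypothetical TimeStampToken layout (hash followed by a big-endian time), and a constructed sample document; real qualified signatures and time stamps additionally rely on qualified certificates and the standardised token formats, which are out of scope here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Signer stands in for a signatory (natural person, eSignature), a creator
// (legal person, eSeal) or a time-stamping authority. The private key never
// leaves this struct, which models the "sole control" property; Name stands in
// for the identity a qualified certificate would bind to the public key.
// Ed25519 is an assumption made for this example, not an eIDAS requirement.
type Signer struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh key pair for the named party.
func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, pub: pub, priv: priv}, nil
}

// Public returns the verification key a relying party would take from the certificate.
func (s *Signer) Public() ed25519.PublicKey { return s.pub }

// Sign creates a signature over doc. The signature covers every byte of doc,
// so any subsequent change to the data is detectable at verification time.
func (s *Signer) Sign(doc []byte) []byte { return ed25519.Sign(s.priv, doc) }

// Verify checks that sig was produced over exactly doc by the holder of pub.
// It fails for a modified document and for another party's key, which is what
// makes the signature uniquely linked to, and capable of identifying, the signatory.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// Digest is the hash a requester sends to the TSA; the document itself stays with the requester.
func Digest(doc []byte) [sha256.Size]byte { return sha256.Sum256(doc) }

// TimeStampToken binds a document hash to a point in time under the TSA's signature.
// The layout is a constructed one for this example, not the RFC 3161 token format.
type TimeStampToken struct {
	Hash [sha256.Size]byte
	Unix int64
	Sig  []byte
}

// tokenBytes is the canonical byte string the TSA signs: hash || big-endian Unix time.
func tokenBytes(hash [sha256.Size]byte, unix int64) []byte {
	buf := make([]byte, sha256.Size+8)
	copy(buf, hash[:])
	binary.BigEndian.PutUint64(buf[sha256.Size:], uint64(unix))
	return buf
}

// TimeStamp is issued by the TSA for a given hash at the given Unix time.
func (tsa *Signer) TimeStamp(hash [sha256.Size]byte, unix int64) TimeStampToken {
	return TimeStampToken{Hash: hash, Unix: unix, Sig: ed25519.Sign(tsa.priv, tokenBytes(hash, unix))}
}

// VerifyTimeStamp checks that the token belongs to doc (integrity of the data the
// time is bound to) and that the TSA vouched for that hash and time (accuracy of the time).
func VerifyTimeStamp(tsaPub ed25519.PublicKey, doc []byte, tst TimeStampToken) bool {
	if Digest(doc) != tst.Hash {
		return false // the data changed after the time stamp was issued
	}
	return ed25519.Verify(tsaPub, tokenBytes(tst.Hash, tst.Unix), tst.Sig)
}

func main() {
	alice, err := NewSigner("Alice (signatory)")
	if err != nil {
		panic(err)
	}
	tsa, err := NewSigner("TSA")
	if err != nil {
		panic(err)
	}

	// Constructed sample document; the tampered copy changes "10 units" to "90 units".
	doc := []byte("Constructed sample contract: Alice agrees to deliver 10 units.")
	tampered := append([]byte(nil), doc...)
	tampered[len(tampered)-9] = '9'

	sig := alice.Sign(doc)
	tst := tsa.TimeStamp(Digest(doc), time.Now().Unix())

	fmt.Println("original document, Alice's key:", Verify(alice.Public(), doc, sig))      // true
	fmt.Println("tampered document, Alice's key:", Verify(alice.Public(), tampered, sig)) // false
	fmt.Println("original document, TSA's key:  ", Verify(tsa.Public(), doc, sig))        // false
	fmt.Println("time stamp over original:      ", VerifyTimeStamp(tsa.Public(), doc, tst))      // true
	fmt.Println("time stamp over tampered:      ", VerifyTimeStamp(tsa.Public(), tampered, tst)) // false
}
```

The relying-party side is the interesting one: Verify and VerifyTimeStamp take only public material, so anyone holding the certificate (here, the public key) can establish both who signed and whether the data is still the data that was signed or time-stamped, without access to any private key.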
Qualified certificates for website authentication shall meet the requirements laid down in Annex IV of the eIDAS Regulation.
For time stamping, eDelivery and website authentication, the Commission may, by means of implementing acts, establish reference numbers of standards to comply with. To date these have not been published.
Effects of the eIDAS Regulation trust services requirements on trust service providers and relying parties
The rules for eSignatures under the eIDAS Regulation do not differ much from those under Directive 1999/93/EC, and neither do the organizational and procedural measures with which trust service providers need to comply differ much from those for certification service providers under the eSignature Directive. Trust service providers can continue their operations regarding qualified electronic signatures, since the eIDAS Regulation states that secure signature creation devices whose conformity has been determined in accordance with Directive 1999/93/EC shall be considered qualified electronic signature creation devices under the eIDAS Regulation, and that qualified certificates issued to natural persons under Directive 1999/93/EC shall be considered qualified certificates for electronic signatures under the eIDAS Regulation until they expire. A certification service provider issuing qualified certificates under Directive 1999/93/EC needs to submit a conformity assessment report according to the new eIDAS Regulation to the supervisory body as soon as possible, but not later than 1 July 2017. Until the submission of such a conformity assessment report and the completion of its assessment by the supervisory body, that certification service provider shall be considered a qualified trust service provider under the eIDAS Regulation. Since certification service providers have to provide a conformity assessment report every two years anyway, this is not a difficult requirement. Trusted lists were also already available, guaranteeing the cross-border acceptance of qualified electronic signatures.
In many Member States solutions for citizens for (qualified) electronic signatures are available. Whether these electronic signatures are frequently used depends on the availability of additional services like reliable electronic authentication, ease of use, acceptance by enough relying parties, and an obligation to use them. The eIDAS Regulation is not likely to influence this directly.
Electronic signatures for businesses have worked with certificates issued to natural persons for specific roles, or with a register containing mandates. Perhaps the introduction of the eSeal will facilitate use by businesses, since an eSeal is not, or less strictly, linked to a specific natural person. The legal framework laid down by the eIDAS Regulation for other types of trust services, such as time stamps, registered eDelivery and website authentication, provides new opportunities for both trust service providers and relying parties. That being said, several parties have already been offering solutions for electronic transactions. These solutions are mostly targeted at specific business domains and in most circumstances are not based on qualified or even advanced electronic signatures or qualified trust services. Since these solutions have already proven their usability, the eIDAS Regulation may not lead to changes directly. Perhaps in the long term more generic solutions, based on (qualified) trust services as defined in the eIDAS Regulation and on standards as defined in delegated or implementing acts, will become available.