European flags on flagpoles in front of a building

The eIDAS Regulation: basic principles and goals

Published 22.11.2023

Trust is a valuable asset in the digital world. After all, you want to know exactly who you are doing business or exchanging sensitive information with online. The European Union’s eIDAS Regulation increases trust in electronic interactions. Not only does this benefit citizens, but also all of the states in the European digital single market. Everything you need to know about the eIDAS Regulation – and an overview of how it is shaping Europe’s digital future.

A brief introduction to the eIDAS Regulation

The digital transformation has long since captured and fundamentally changed business models, operations and processes – from online banking transactions, to eGovernment, to electronic signature of non-disclosure agreements. And just like in the “real world”, trust also plays a decisive role in digital communication with business partners, customers and government agencies.

Back in September 2014, the European Union issued a uniform legal framework for trustworthy electronic interactions, which acquired formal validity just two years later: the eIDAS Regulation. eIDAS stands for “electronic IDentification, Authentication and Trust Services”. It creates guidelines for electronic proof of identity and defines trust services, which bring processes like handwritten signatures or seals into the digital world. With this focus, the eIDAS Regulation also replaced the EU Signature Directive (1999/93/EC). While the complexity of the latter ironically prevented the breakthrough of digital signatures, the eIDAS Regulation focuses on user-friendliness.

Goals and applications of the eIDAS Regulation

There are two goals behind the eIDAS Regulation. On one hand, it is intended to simplify electronic business and government processes – after all, everyone in the EU benefits from the speed and efficiency brought by digitalisation. On the other, it is supposed to ensure that these business and government processes are at least as secure as their analogue equivalents. In this sense, the eIDAS Regulation creates a digital space of trust – a space where no one need doubt whether the person or company on the other end is really who they claim to be. This is achieved simply by all transaction participants having to prove their identity.

This is ensured by eIDAS-notified electronic means of identification, which in Germany include the ID card, the electronic residence permit and the EU citizen card with its online ID function (eID). Everyone throughout Europe can use these to prove their identity for public services. Trust services like electronic signatures, seals and certificates, in turn, are used to confirm identities on documents or websites.

An identity card on a laptop screen

The illustration shows an identity card on a laptop screen.


The legal basis and validity of the eIDAS Regulation

The eIDAS Regulation contains binding and Europe-wide regulations for these means of identification and trust services. As an EU regulation, it has been a directly applicable law in all 27 EU member states and the European Economic Area (EEA) since July 2016.

National regulations accompany the eIDAS Regulation:

  • The German eIDAS Implementing Act came into effect on 29 July 2017. The German Act on Identity Cards and Electronic Identification and the Identity Card Regulation were amended in favour of electronic identification via eID.
  • However, at the heart of the regulations is the Trust Services Act (VDG), which rendered the outdated Signature Act (SigG) invalid.
  • This was followed by a clarification in the Trust Services Ordinance (VDV) at the end of February 2019. Key updates here relate to the probative value of electronic signatures, for example in court. This places the qualified electronic signature on an equal footing with the handwritten version – more on this later.

Trust services: definition and role in the eIDAS Regulation

Trust services are usually defined in an abstract manner, for example that they lay the groundwork for a space of trust in the digital world, in which interactions between companies, administrations and citizens can take place securely. The Federal Ministry for Economic Affairs and Climate Action (BMWK) goes one step further and explains how they fulfil their purpose, namely “by using appropriate certificates to verify the identity of persons appearing on the Internet or in electronic business transactions.”

Types of eIDAS trust services

Trust services guarantee the highest level of trust and therefore the highest probative value with the “qualified” rating. The main types include:

Qualified electronic signatures (QES), which replace the handwritten signatures of natural persons in the digital space.

Qualified electronic seals (QSeal), which are bound to legal entities – companies, public authorities and other institutions – and digitise seals and stamps.

Qualified electronic time stamps, which record the date and time when a document is created and also serve as integrity protection. This means that they prove that a document has not been changed after the recorded point in time, regardless of whether the time stamp was applied when the document was received by the organisation or when it was sent to the recipient.

Qualified website authentication certificates (QWACs), with which the website owners can prove their identity. QWACs are equivalent to EV-TLS certificates – the highest class of web certificate. As part of the PSD2 European Payment Services Directive, they secure the communication between banks and payment service providers, for example.

The following trust services are lesser known but are an integral part of the eIDAS Regulation.

  • qualified services for the delivery of electronic registered letters
  • qualified validation services, which can be used to check the validity of the QES, QSeals, and qualified time stamps
  • qualified preservation services, which ensure that the probative value of qualified, electronically signed or sealed documents is preserved in the long term
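The integrity-protection property of qualified time stamps described above, and the check a qualified validation service performs on them, as an added Python example (not code from the article or from any trust service provider). A real qualified time stamp is a signed token issued by a QTSP; this model binds a hash of the document to the issuing time and authenticates both together. The key `TSA_KEY` is a constructed stand-in for the provider's qualified signing key, the sample contract is constructed, and the `issue_time_stamp` and `validate_time_stamp` functions are hypothetical names chosen for this example.

```python
"""Toy model of a qualified electronic time stamp and its validation.

Added example, not code from the original article or from any trust
service provider. A real qualified time stamp is a signed token issued
by a qualified trust service provider; here the provider's signature is
stood in for by an HMAC under a key only the hypothetical TSA holds,
which is enough to show what the token binds and what a validation
service checks.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed secret standing in for the TSA's qualified signing key (assumption).
TSA_KEY = b"constructed-tsa-key-for-demo-only"


def message_imprint(document: bytes) -> str:
    """Hash of the document; the TSA sees only this, never the document itself."""
    return hashlib.sha256(document).hexdigest()


def _token_payload(imprint: str, gen_time: str) -> bytes:
    # Canonical serialisation so issuer and verifier authenticate identical bytes.
    return json.dumps({"hashAlgorithm": "sha256",
                       "messageImprint": imprint,
                       "genTime": gen_time},
                      sort_keys=True, separators=(",", ":")).encode()


def issue_time_stamp(imprint: str, tsa_key: bytes, now: datetime) -> dict:
    """TSA side: bind the imprint to the current time and authenticate both."""
    gen_time = now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    payload = _token_payload(imprint, gen_time)
    sig = hmac.new(tsa_key, payload, hashlib.sha256).hexdigest()
    return {"hashAlgorithm": "sha256", "messageImprint": imprint,
            "genTime": gen_time, "signature": sig}


def validate_time_stamp(document: bytes, token: dict, tsa_key: bytes) -> dict:
    """Validation-service side: report which checks passed, not only a bool."""
    result = {"tokenAuthentic": False, "documentUnchanged": False, "valid": False}
    # 1. Was this token really issued by the TSA, with this hash and this time?
    payload = _token_payload(token["messageImprint"], token["genTime"])
    expected = hmac.new(tsa_key, payload, hashlib.sha256).hexdigest()
    result["tokenAuthentic"] = hmac.compare_digest(expected, token["signature"])
    # 2. Is the document we hold today still the one that was stamped?
    result["documentUnchanged"] = hmac.compare_digest(
        message_imprint(document), token["messageImprint"])
    result["valid"] = result["tokenAuthentic"] and result["documentUnchanged"]
    return result


def demo() -> dict:
    """Stamp a constructed contract, then validate three variants of it."""
    contract = b"Non-disclosure agreement v1: both parties keep project data confidential."
    stamped_at = datetime(2023, 11, 22, 9, 30, tzinfo=timezone.utc)
    token = issue_time_stamp(message_imprint(contract), TSA_KEY, stamped_at)

    tampered = contract.replace(b"v1", b"v2")                 # edited after stamping
    backdated = dict(token, genTime="2023-01-01T00:00:00Z")   # time field altered
    return {
        "original": validate_time_stamp(contract, token, TSA_KEY),
        "tampered": validate_time_stamp(tampered, token, TSA_KEY),
        "backdated": validate_time_stamp(contract, backdated, TSA_KEY),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} {outcome}")
```

The two failure cases are the ones the article's description implies: editing the document after stamping leaves the token authentic but the imprint no longer matches, while editing the recorded time leaves the document matching but the token's authentication fails. A real validation service additionally checks the issuing provider against the trusted list and the certificate chain, which this model omits.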

The role of qualified trust service providers

Digital services designed to create trust in a digital space should be issued by trustworthy entities. That’s why the eIDAS Regulation established the qualified trust service provider (QTSP). The VDG regulates approvals in Germany. Companies seeking the QTSP title must have themselves and their products qualified by the Federal Network Agency (FNA). For this purpose, the TÜV (Technical Inspection Association) checks whether companies meet the necessary standards, for example in terms of security and data protection regulations. It then passes its report on to the FNA.

If the criteria are met and the FNA approves the certification, the company may refer to itself as a qualified trust service provider in its own country. It additionally receives an entry in the FNA trusted list, which is part of a Europe-wide trusted list directory. However, a QTSP cannot afford to rest on its laurels. As with cars, TÜV or other independent bodies regularly repeat the review and assess the conformity of the QTSP with the eIDAS Regulation. D-Trust GmbH, a company in the Bundesdruckerei Group, has been one of the few qualified German trust service providers since 2016.

Electronic signature: a core element of eIDAS

Since the eIDAS Regulation is the immediate successor to the Signature Directive, the public sometimes perceives it as merely concerning digital signatures. Although this interpretation is under-informed, the prominent role of the electronic signature cannot be denied. Strengthening it was without doubt a core motivation behind eIDAS, and for good reason: In many companies and government agencies, media disruptions remain a consistent obstacle to digital workflows and work processes. Documents created on a computer are printed out, signed by hand and then scanned again. This not only raises costs and wastes resources, but also impedes digitalisation in the organisation as a whole. The use of electronic signatures is therefore one of the most important accelerators of digitalisation.

The qualified electronic seal

While the qualified electronic signature on documents verifies the identity of individuals at the highest level, the qualified electronic seal replaces the old company seal. In administration, the electronic seal can be used as a digital counterpart for the authority seal. The amendment to the Online Access Act (OAA 2.0) explicitly prescribes the QSeal for eGovernment services as well.

Forms of implementation of QES and QSeals

Qualified electronic signatures and seals can be used in two product categories:

Signature card / seal card: These are the classic examples. The cards contain qualified certificates and must be used with a reader. The second factor in authentication is a PIN.

Remote signature / remote seal: Here the signature is activated exclusively online after two-factor authentication, for example from a mobile phone or from within an organisation’s own specialist application.

Electronic identification according to eIDAS: EU-wide proof of identity

eIDAS has established trust services, including their providers, and defines the framework for cross-border electronic identification. Anyone in an EU member state wishing to apply for services, for example in a digital administration, must clearly identify themselves. In Germany, the online identification feature / eID of the ID card, the EU citizen card and the electronic residence permit was developed for such cases.

The eID can also be used in the private sector – for example to open a bank account, to take out insurance, to access patient records, or to activate a phone’s SIM card. In addition to trustworthiness, the eID also offers a real advantage in terms of usability: Citizens simply have to hold their ID document to their smartphone and enter their self-selected PIN. On the service provider’s side, the extracted data is automatically entered into the system, without the need for staff to review the document beforehand.

Since 2018, Brussels has obliged individual states to mutually recognise their respective national eID systems. This requires the notification of the respective eID system to the European Commission. While the notification is carried out on a voluntary basis, the recognition of notified eIDs in administrative procedures is mandatory.

Three hands holding an identity card, an EU citizen card and an electronic residence permit

The illustration shows the identity card, the union citizen card and the electronic residence permit.

eIDAS levels of trust

When notifying the means of identification, the member states can assign different levels of trust. The system provided by eIDAS is very easy to remember: The lowest level of trust is called “low”, the highest is “high”. “Substantial” ranks between them. Germany’s ID card online identification feature meets the “high” standard. This also means that Germans can use their online ID card wherever member states require an electronic identification classified as “high” or lower – for example, to register a business abroad.

eIDAS: basic principle for a European digital single market

Electronic identification and trust services are particularly important for the realization of a common European digital single market. Germany benefits from Europe’s coalescence more than most countries, with nearly 60 percent of its exports going to other EU states. A digital single market boosts the competitiveness of European companies and ensures that they can offer products and services under the common rules and standards inside the EU. In turn, the consumers benefit from cost savings and a wider range of products and services.

More legal security in digital commerce

By providing the legal and organizational framework for electronic identification and use of trust services, the eIDAS Regulation creates the groundwork for more cross-border interactions. The regulation harmonizes national single markets and enables Europe-wide digital administration. According to a 2023 study by the EU Parliament’s research service, simply heightening digital integration could increase the economic performance of the union by 384 billion euros over the next decade.

For this breakthrough, however, signatures, seals and the like would have to be given greater consideration in national legislation. This is what people like Christian Seegebarth from D-Trust GmbH are calling for. “Wherever authentication and identification play a role, the law should read: ‘eIDAS trust services must be integrated for these purposes’”, says Seegebarth. And the National Regulatory Control Council seems to share this view in its “Monitor Digital Administration #6” from 2021, in which it recommends assessing the digital sustainability of laws.

eIDAS 2.0: What does Europe’s digital future look like?

The European Commission is currently working on the next steps. In June 2021, it submitted a draft amendment to the eIDAS Regulation. But eIDAS 2.0 is more than just a revision of the trust services regulations. The legislative process is expected to be completed at the end of 2023.

A man standing in a rushing crowd

The picture shows a man standing in the middle of a blurry crowd.

eIDAS 2.0 and the introduction of the EUDI Wallet

The amendment stipulates the mandatory introduction of a European digital identity: In future, every EU member state will have to provide each natural and legal person with an EUDI Wallet, which will bundle other credentials such as driver’s licenses and PID (Person Identification Data) on their smartphones. It must be usable across borders, which is also a reaction to the fact that many member states have still not introduced an eID.

The advantage of the EUDI Wallet is that all personal data is stored in a secure location on the user’s phone, meaning citizens maintain full control over it. The wallet is also designed to simplify the use of online services and represent legal entities.

Certain service providers will also accept the wallet as a means of identification. These include banks, postal and telecom service providers, as well as transport and energy companies, as digital processes take place for the most part between two corporate entities.

New trust services

The revision of the trust services’ regulations will once again focus on user-friendliness. Furthermore, new trust services will be added, with particular attention given to the qualified electronic attestation of attributes (QEAA).

The basic idea of QEAA is that an identity consists of more than just a first and last name, a place of residence and a date of birth. Other attributes include the type of educational qualification, the existence of a driver’s license, or membership in a professional group. Qualified trust service providers should be able to confirm such attributes. Wallet holders can then use these for electronic interactions, while at the same time driving the development of the digital single market.

Summary: an overview of eIDAS Regulation

The eIDAS Regulation creates the legal framework for a profound digital transformation of our society. It establishes Europe-wide regulations which ensure smooth cross-border use of electronic identification and trust services. The use of electronic signatures in particular is promoted by the eIDAS Regulation.

Overall, the European Union is driving forward the digitalisation of the EU with the amendment to the eIDAS Regulation. Secure digital identities and trust services allow fully digital processes and workflows in many sectors and industries. The European Commission has already presented a revision of the regulation with the eIDAS amendment. In addition to strengthening existing trust services and using new ones, it also plans the mandatory introduction of an EUDI Wallet, which will bundle the important forms of evidence and be usable across borders. Ultimately, this means greater digital leeway for citizens and companies. The European single market can benefit from this over the long term.

Frequently asked questions about the eIDAS Regulation

The abbreviation eIDAS stands for “electronic IDentification, Authentication and Trust Services”.

The eIDAS Regulation is the legal basis for electronic identification and trust services in the EU. It supports companies, administrations and citizens in carrying out secure cross-border electronic transactions.

The eIDAS Regulation creates the framework for the cross-border use of national electronic means of identification, and thus also for the use of the German online ID card. In this context, cross-border identification is to be based on the mutual recognition of member states’ national electronic means of identification.

For this purpose, member states can voluntarily notify their electronic means of identification to the EU Commission. Subsequently, all notified electronic means of identification must be bindingly recognised by other member states. The online ID card is one such form of eID and can be used with the ID card, the electronic German residence permit and the EU citizen card.
