We have asked Guy de Felcourt, Digital Identity Strategy Advisor and Published Author, who animated the BMI-Secure Identity Alliance eIDAS Workshop, to tell us why EU Regulation No.910/2014 represents a major step forward in enabling digital identity in Europe and to examine the value this will deliver for member states, companies and citizens.
If you are based in Paris or happen to be there on 19th November 2014, don’t miss the Forum Athena-MEDEF conference organized by Guy, supported by the Secure Identity Alliance, during which key testimonies of this new digital identity paradigm will be presented with the participation of the British and French Administrations.
To register, contact the Secure Identity Alliance.
Today, the all-digital horizon, where digital transactions are the norm, extends across the world. No longer the preserve of a small number of governments and forward thinking businesses, entire countries and regional groupings have recognized, and are acting upon, the significant social and economic benefits of “going digital”.
In the European Union, the “Digital Agenda for Europe” is the first of seven pillars of the European Commission’s “Europe 2020” strategy, which sets out the EU’s growth strategy for the coming decade and strives to create a smart, sustainable and inclusive economy.
Designed to help Europe’s citizens and businesses get the most out of digital technologies, the Digital Agenda encompasses a comprehensive package of measures affecting infrastructure, customs, education and internal market rules. Within this forest of policies and projects, some critical initiatives are quietly advancing and are worthy of recognition.
A significant – and critical – step forward towards a truly digital Europe took place this summer with the ratification and publication of a new EU Regulation on electronic identification and trust services for the internal market.
Why is EU Regulation No.910/2014 so important?
On 23 July 2014 the European Parliament and the Council adopted Regulation (EU) No. 910/2014 – a new European legal framework applicable to cross-border electronic identification and e-signatures. Prior to this, in December 1999, the Directive on a Community framework for electronic signatures had been adopted (the ‘E-Signatures Directive’) which, while providing EU rules relating to e-signatures, did not deliver a comprehensive EU cross-border and cross-sector framework for e-identification, authentication, signatures and related trust services.
The new EU Regulation No.910/2014 confirms both the use and importance of identities in the digital framework in Europe, although, to respect “identity” as a privileged preserve of member states, only the term “electronic identification” is mentioned. The regulation establishes the basis of the European Market for Digital Trust for secured transactions between citizens, businesses and administrative authorities, notably by focusing on 1) electronic identification and 2) the rules for cross-border electronic trust services.
Make no mistake, this regulation represents a deep transformation of the digital ecosystem in Europe and puts in place critical frameworks we believe will be significant in ensuring its effectiveness:
• The first dimension is the geographical harmonization of digital signatures and eID practices in one global and common EU internal market.
• The second dimension is the establishment of a functional framework and set of rules in the recording of data (enrolment), the provision of identity and authentication (support), digital signature (stamp), and timestamp and archive functions. Its aim is efficiency.
• The third dimension is the architecture of assurance levels and security by aligning technical degrees and probative value in order to improve the legal effectiveness of the ecosystem.
Ushering in a new digital reality
Largely unnoticed by the European public as a whole, the objective of this new EU regulation goes well beyond correcting the shortcomings of Directive 1999/93/EC on electronic signature, which it will replace in its entirety from 1 July 2016. It aims to deliver real backbone to the European digital landscape with an architecture capable of supporting an increase in the number of services and transactions individuals carry out digitally while simultaneously raising transaction values (technically and legally through trust levels), from the collection of adequate identity data and its integrity through to verifying the operation, the consent of the parties, compliance and archiving operations. With the new ecosystem in place, the customer journey will be securely facilitated from service enrolment to consumption – citizens will be able to access information on services offered by private companies, local authorities and governments and to use services in their entirety (even if the market or contractual value of these is significant).
Both private companies and public administrations should be able to leverage considerable gains that positively impact their profit and loss accounts (thanks to lower distribution costs) and long-term service delivery quality. These gains will stem from improved productivity and a faster distribution process, alongside a more personalized customer relationship and improved security – thanks to the ability to select a trust level for each transaction. Meanwhile, those EU member states that understand how to leverage the new regulation will benefit from a breadth of additional economic growth.
Taking a deeper look at the potential gains
Underlining this positive orientation, let’s consider some specific aspects of the new regulation worthy of greater attention.
1) Digital Signature
In relation to the legal validity of digital signatures, while "qualified" signatures retain the “de facto” value of handwritten signatures, other electronic signatures benefit from further harmonization in origin and formats within the EU which will enhance their use.
On technical grounds, a distinction is made between digital signatures, advanced digital signatures and qualified digital signatures; the last two forms allow more security in authenticating signatories and more securely bind the data or document signed. However, the regulation states that even simple digital signatures cannot be ignored without an appropriate motive, and additional prescriptions are expected in September 2015 when updated standards from CEN and ETSI (Mandate 460) come into force; for example, relating to ‘server signing processes’.
2) Levels of Assurance
Article 8 of the new regulation also establishes three assurance levels for identification schemes that are directly proportional to their legal value: low, substantial and high. Whatever the assurance level, member states that have notified an identity scheme become liable for it, the registration of data operators, and identity and authentication providers included in the notified scheme.
3) Driving Trust
To foster trust, the law distinguishes between simple operators and qualified operators, whose services will benefit from the presumption of high reliability. In return, those who belong to the category of "qualified trusted service provider" will have to go through various compliance audits and controls, in addition to having to sustain and provide proof through their technical records and logs in any dispute.
4) Identification Schemes
In relation to identification schemes, as expected the regulation gives member states the option of selecting public, private or both; but to achieve notification, identification schemes must be used for at least one public service, regardless of the number of private services. Many countries have already set up digital identity patterns, using public operators (Continental Europe), private banking (Nordic) or various private actors (United Kingdom).
In theory, member states are under no compulsory obligation to notify any electronic identification scheme (identity remains a prerogative or reserved domain of member states). However, they will be obliged to allow European citizens using notified electronic identification schemes recognized as valid by the EU access to services and electronic transactions consistent with the level of security or legitimate expectations. This access starts with public services provided under the "one-stop shop" planned for certain formalities.
Going forward – challenges and opportunities
Some countries may be tempted to play for time as, while the law will apply from 1st July 2016, the mutual recognition of patterns of all EU countries will not be compulsory until 2019. Yet there is nothing to prevent a group of EU member states recognizing each other’s digital identity on a voluntary basis from 2017. So waiting is probably not the best strategy, especially since the first schemes officially recognized by the EU would gain an advantage in terms of use on both the business and general public sides.
Ultimately EU Regulation No.910/2014 makes it possible for individuals to use digital identities issued by public and/or private operators to easily access all types of personalized and reliable services within the EU. Furthermore, companies will be able to market their products and services in a much simpler and more extensive way, supported by a greater contractual reliability throughout the EU.
As we’ve seen, the new EU legislation opens a number of doors and companies need to explore carefully the potential opportunities on offer. Initially, we expect the take-up level of services activated through digital identity will be the key starting business indicator. In the longer term, trust level and legal-digital long-term preservation for certain types of business will gain more consideration. For now, there is little doubt that the regulation represents a major step forward in achieving a more effective digital Europe.