The eIDAS Regulation came into force across the European Union in September 2014, requiring all member states to enact its clauses by 1st July 2016. The regulation forms part of the EU’s digital agenda, which aims to “ensure a fair, open and secure digital environment” for businesses across the union.
This article explains what the eIDAS Regulation is and how it helps to create smooth, seamless and secure digital transactions across all EU member states.
What is the eIDAS Regulation and What Does it Mean?
eIDAS stands for electronic IDentification, Authentication and trust Services, and the regulation is part of a larger effort to standardise rules for electronic transactions such as electronic signatures across the EU. The idea is that any person, business or public body in any member state should be able to carry out electronic transactions with any other person, business or public body in the internal market in a secure manner and without running into any obstacles.
The eIDAS regulation, formally known as Regulation 910/2014, was issued on 23rd July 2014 with the aim of creating legal certainty over digital identification in the bloc. It creates rules for trust services that facilitate electronic transactions. It also defines a legal framework for:
- electronic signatures
- electronic seals
- electronic time stamps
- electronic documents
- electronic registered delivery services
- certificate services for website authentication
The interoperability promoted by eIDAS means that European nations can now work together to recognise and authenticate each other’s electronic identification systems, which cuts red tape for businesses. The creation of a list of trust service providers encourages discussion and innovation in terms of electronic security measures.
Any business that makes use of electronic transactions across the EU needs to ensure it is compliant with the eIDAS Regulation.
Understanding the Terminology
There are a large number of terms you need to understand in order to comply with eIDAS. Here are the most important definitions from the regulation.
Qualified Trust Services
Also known as Trust Service Providers and Trusted Service Providers (TSPs), these bodies create, verify and validate certificates for electronic transactions such as e-signatures. Qualified Trust Services (QTS) are those that have been recognised to offer a service secure enough to provide certificates for Qualified Electronic Signatures. The member state’s supervisory body determines which trust service providers are to be qualified. Only QTS that appear on the EU Trust List can provide services that authenticate the top level of secure transactions under the eIDAS legislation.
A QTS is a type of certificate authority, in that it has the authority to issue the certificates that validate electronic transactions. It is also known as a certification authority or a CA.
At a very basic level, electronic signatures are pieces of digital data used to denote acceptance of or agreement with the content of a document. eIDAS dictates that an e-signature cannot be denied legal effect just because it is electronic. However, individual states should decide the legal impact of an electronic signature inside their own borders. This does not include a Qualified Electronic Signature (QES), which carries the weight of a traditional handwritten signature across the union. Keep reading to find out more about the different types of electronic signature.
Electronic seals, or eSeals, are electronic data that ensure the origin and integrity of other data. An eSeal is a little bit like a digital fingerprint for a business or organisation, which validates that the information received originates from that business. Electronic seals can be used to validate invoices processed automatically or contracts sent between businesses in different member states without having to mail physical paper documents. A Qualified Electronic Seal carries the same weight across the union.
An electronic timestamp, or eTimestamp, can be applied with a Qualified Electronic Signature to prove exactly when you signed the document. The issuer of the document must lawfully acknowledge that the date and time of the timestamp are correct if applied to the QES. It is electronic proof that a piece of data existed at a certain point in time. This makes it easier to track the progress of documents and provides extra accountability. For example, the Evidos solution Certify provides such timestamps and electronic certification.
Electronic Registered Delivery Services
An Electronic Registered Delivery Service, or eDelivery, allows public organisations, businesses and the public to transfer data to and from other parties, complete with proof of sending and receipt. This increases accountability and minimises the risk of losing the data, having it stolen or having it altered by an unauthorised party. Electronic Registered Delivery Services can be used for purchase orders, contracts or any other similar documentation.
Qualified Web Authentication Certificate
These certificates prove who the owner of a website is. A QWAC gives visitors confidence that the website they are visiting is trustworthy and reliable. This certification helps to avoid phishing sites and other online scams.
What are the Types of Electronic Signatures as defined by eIDAS?
eIDAS defines three different types of electronic signatures, with increasing levels of security. Here are the three types and some of their features:
|Type of e-signature|Features|
|---|---|
|Simple Electronic Signature (SES)|Also called a Basic Electronic Signature, this can be any form of a digital mark to indicate acceptance of a document. This ranges from scanning a copy of your wet signature and pasting it onto the page to pressing a button that says ‘I Agree’. If you do not need to verify the digital identity of the signatory, this is an acceptable electronic signature.|
|Advanced Electronic Signature (AES)|To receive an AES, you need to be able to check the identity of the signatory. You do not need to be able to guarantee it, however. You should also have the ability to check that there are no subsequent changes to the document after the recipient adds their signature. In order to create an AES, you need a Secure Signature Creation Device (SSCD).|
|Qualified Electronic Signature (QES)|The QES holds a special status in the eIDAS Regulation, which gives it the same weight as an in-person handwritten signature across the union. This is due to the secure manner in which the QES is created. To obtain a QES, you must first have your identity confirmed by a QTP either face to face or over a video call. A QES also requires multi-factor authentication when it’s used, such as entering a PIN code. A Qualified Signature Creation Device (QSCD) is necessary to generate a QES.|
In the case of an SES or AES, the issuer must prove that the signatory is the person they were claiming to be if there is a dispute afterwards. A QES is so secure that, if the signer denies it was them who made the signature, the burden of proof is on them during any legal proceedings instead.
There are three different assurance levels for the various electronic identification means, as presented in Article 8 of the regulation. They form the basis of the classification of the three different types of electronic signature. These are the three eIDAS assurance levels:
|Assurance level|Description|
|---|---|
|Low|Electronic identification methods that meet the provision for a low assurance level offer only “a limited degree of confidence” when checking and verifying the identity of the recipient.|
|Substantial|A substantial assurance level means that the eID method offers more confidence in terms of accurate identification.|
|High|eIDs with a high assurance level offer “a higher degree of confidence” when it comes to identifying the signatory.|
These assurance levels are based on the ISO/IEC 29115 standard and use two main types of assurance to define them.
- Identity assurance – refers to the systems in place to identify the individual when they register for the service.
- Authentication assurance – refers to the manner in which you look to verify that identity at the time of signing the document.
For the Low Assurance Level, you might require a basic form of identification on registration and then a simple password on sign-in. Although there are some systems in place to ensure the correct person signs the document, it would not be too difficult for a third party to acquire that information and sign fraudulently.
For the Substantial Assurance Level, you might verify the identification with an authority and require not only a password but also a One-Time Passcode (OTP) sent via SMS to complete the signature.
For the High Assurance Level, you would use the registration authority and then verify the identification using official government documentation and by a face-to-face meeting either in person or on a video call. At the time of signing, you need multi-factor identification and cryptographic protection through a public key infrastructure (PKI).
What are the Security Levels for Electronic Identification (eID)?
As eIDAS is an EU-wide regulation that allows member states to qualify their own trusted services with relation to eID, the text of the legislation is particular about maintaining the same level of security across the union. One of the reasons behind eIDAS was to provide seamless cross-border transactions, making this consistency important.
Paragraph 34 requires individual governments to follow “essential supervision requirements” to maintain this parity. They are also encouraged to discuss best practices with their counterparts. States are asked to use comparable IT processes to create QESs, for example.
The regulation also makes it clear that the QES and Qualified Electronic Seal represent the highest security level and that no member state should require any form of eID that requires a more stringent security level to verify a transaction from another state.
Although eIDAS does not impose any technical specifications, there are standards set for trust service providers by the European Commission and most member states reference these when building their trust lists. Certain specifications must be met for certification of the TSPs themselves, for the eID assurance levels and for the three types of signature.
In November 2017, the European Commission (EC) issued the Delegated Regulation on Regulatory Technical Standards for Strong Customer Authentication and Common and Secure Open Standards of Communication.
This regulation complements eIDAS and is intended to provide customers across the bloc with the safest possible online experience when it comes to the validity of payments and other electronic transfers. It requires payment providers to use qualified certificates for electronic seals and qualified certificates for website authentication.
How Companies are Affected by the eIDAS Regulation
Companies can benefit from the eIDAS Regulation in a number of ways. There is a much more streamlined workflow for a start. Gone are the paper documents that you must send across the union for signing and then wait until they come back. Using a signing solution such as Signhost by Evidos, it all takes place on your device, with a handy transaction receipt generated for your audit trail.
Nowadays, businesses increasingly work either with partners in other member states or even in multiple member states themselves. In these and many other cases, the EU-wide standard for the legal standing of a QES makes business transactions more secure. It means that there is no uncertainty over the legitimacy of the deal in different jurisdictions. And you can have a high level of confidence when it comes to compliance.
There is also less of an administrative burden because everything takes place online and runs to a clear and easy-to-follow process. When someone is due to sign a document, they receive the information on their phone or tablet, meaning you do not have to chase them for a signature.
There is the higher level of security to consider, too. Using a QES gives you the protection of intricate cryptographic systems to keep your data safe in a way that sending a document through the post, by fax or even over email does not.
What is a trust service?
The trust service provider creates digital certificates that authenticate electronic signatures and give confidence to both issuer and signatory that the transaction is safe and secure. Qualified trust service providers can issue certificates for Qualified Electronic Signatures, and they are listed on the EU Trust List once qualified by public authorities in their country.
What is EUTL?
The EUTL is the European Union Trust List and features those bodies across the union whose governments accredit them with the ability to meet the requirements of eIDAS. The providers on this list are allowed to create digital certificates to verify electronic transactions.
The eIDAS Regulation has transformed the way EU member states do business, ensuring seamless electronic interactions and making the experience more secure and streamlined. As part of the union’s digital agenda, the regulation governs the implementation of the highest levels of security to ensure trust and confidence when working digitally across borders. That is why it is important that all businesses adhere to eIDAS when carrying out electronic identification.