Accepting ID in the Era of eIDAS
The first recital of the European Union’s Electronic Identification, Authentication and Trust Services (eIDAS) regulation opens by stating that “building trust in the online environment is key to economic and social development.” eIDAS lays down the requirements and technical obligations intended to keep electronic transactions secure so that the adoption of new online services can continue.
The EU wants to build a digital single market, “where citizens and businesses can seamlessly and fairly access online goods and services, whatever their nationality, and wherever they live.” The eIDAS regulation was enacted to provide a foundation for secure electronic interaction through electronic signatures, electronic seals, time stamps, electronic registered delivery services and website authentication. Giving these technologies legal status on par with their paper-based equivalents enables parties to enter into electronic transactions with the full backing of EU law.
It is important to understand that the mutual-recognition obligation in eIDAS applies to public-sector services: from September 29, 2018, a Member State must accept, for access to its online public services, an eID issued under another Member State’s notified eID scheme, provided the service requires assurance level substantial or high and the foreign eID meets at least that level. Notification itself is voluntary; a Member State may run its own eID scheme (or schemes) as it sees fit without notifying it, in which case other Member States are under no obligation to recognise it.
Private-sector businesses are not bound by this obligation and therefore do not have to accept an eID from another country. However, the regulation states that “Member States should encourage the private sector to voluntarily use electronic identification means under a notified scheme for identification purposes when needed for online services or electronic transactions.” So while acceptance is not mandatory, businesses wanting to take advantage of secure cross-border electronic identification have a legal basis for doing so.
As Zac Cohen, general manager at Trulioo, stated regarding the EU-wide identity framework “the rules and infrastructure it puts into place will make it easier for private sector firms to accept and implement similar processes.”
For this system of secure electronic interaction to work, an effective, efficient and secure identity framework is required. The regulation defines that framework in terms of assurance levels; Article 8 reads:
Assurance levels of electronic identification schemes
1. An electronic identification scheme notified pursuant to Article 9(1) shall specify assurance levels low, substantial and/or high for electronic identification means issued under that scheme.
2. The assurance levels low, substantial and high shall meet respectively the following criteria:
(a) assurance level low shall refer to an electronic identification means in the context of an electronic identification scheme, which provides a limited degree of confidence in the claimed or asserted identity of a person, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of misuse or alteration of the identity;
(b) assurance level substantial shall refer to an electronic identification means in the context of an electronic identification scheme, which provides a substantial degree of confidence in the claimed or asserted identity of a person, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease substantially the risk of misuse or alteration of the identity;
(c) assurance level high shall refer to an electronic identification means in the context of an electronic identification scheme, which provides a higher degree of confidence in the claimed or asserted identity of a person than electronic identification means with the assurance level substantial, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to prevent misuse or alteration of the identity.
eIDAS, 4AMLD and SCA
The substantial and high assurance levels enable use cases that demand stronger security regimes, such as banking and other financial services, where customer due diligence under the Fourth Anti-Money Laundering Directive (4AMLD) applies. Andrea Servida, Head of Unit at the European Commission’s DG CONNECT, stated, “when adopted by co-legislators, all this will greatly facilitate the cross-border use of eID means for meeting the requirements of 4AMLD in fully digital onboarding processes.”
eIDAS also offers an entry point for firms implementing Strong Customer Authentication (SCA) under PSD2: the Regulatory Technical Standards (RTS) on SCA refer to notified eID schemes as a means to be considered. Servida, who led the eIDAS Task Force for four years, stated, “this is another additional step forward in operationalising and accelerating the use of trust services in the financial sector thereby ensuring secure and convenient online transactions.”
At the time of writing only one country (Germany) has a notified scheme, while seven others have pre-notified, the step that triggers the peer review preceding notification. Member States wanting to give their citizens easy access to services throughout the EU would do well to settle on their eID scheme and notify it.
As more Member States notify their schemes, businesses gain certainty about which eID schemes are approved, opening up a whole host of new digital opportunities. “The market that is the EU is so big, one would have to be pretty short-sighted to ignore what is happening,” stated Cohen.