eIDAS 2 is already here. With the approval on Thursday, 29 February 2024 of the amendment to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, the starting signal has been given for the ambitious changes the EU intends to make in the field of digital identity, electronic signatures and trust services in general. These changes aim, in particular, to guarantee the right of every European citizen to interact with institutions, private companies and fellow citizens by electronic means, with full respect for the privacy of their data.
Reaching this milestone has not been easy. The first draft of the regulatory changes announced by the President of the European Commission, Ursula von der Leyen, was published two and a half years ago, on 3 June 2021. Since then, several versions with significant changes to the initial text have been published, and progress has been made on the practical side with the development of the so-called Toolbox, which includes the Architecture and Reference Framework (ARF), still in draft form.
But the road has only just begun: months of work lie ahead to finalize the complementary regulations, implementing acts and technical standards that will allow the effective application of the regulation and its adoption by the main actors involved: trust service providers, public administrations and users.
In this article we describe the main new features of eIDAS 2, with a special focus on the new EU Digital Identity Wallet (EUDI Wallet) and on how these changes will affect us in practice.
What's new in eIDAS 2?
All the focus of the renewed regulation is clearly on the new European Digital Identity Wallets (EUDIW, or simply identity wallets) and the ecosystem that goes with them, from the creation of new trust services to the emergence of new concepts such as electronic attribute statements and authentic sources. We will go into those details later, but eIDAS 2 also includes other important new features that deserve attention, among them:
- The creation of new trust services. The existing trust services (creation, verification and validation of electronic signatures, electronic seals and electronic time stamps, electronic registered delivery services, certificates for website authentication, and preservation of electronic signatures, seals and certificates) are joined by the management of remote electronic signature and seal creation devices, the issuance and validation of electronic attribute statements, the electronic archiving of electronic data and documents, and the recording of electronic data in an electronic ledger.
- The requirements for non-qualified providers are tightened: they must have policies and take the measures needed to minimize legal, business and operational risks, and they are subject to a liability regime similar to that of qualified providers.
- Tightening of the sanctioning regime.
- The concept of "advanced electronic signature based on qualified certificates" is introduced and the rules for its validation are established.
- Future standardization of the "advanced electronic signature" is promoted.
- The creation of an interoperability framework for qualified delivery services is envisaged.
- Web browsers are obliged to accept qualified certificates for website authentication (QWACs).
- A new framework for monitoring wallets and users has been created.
- The European Digital Identity Cooperation Group (EDICG) is created, composed of representatives of each Member State, to cooperate on and follow up everything related to wallets, digital identity and trust services.
The Identity Wallet
As mentioned, the European Digital Identity Wallet is the cornerstone of this reform, but what is this wallet, after all? According to the definition in the legal text itself, the identity wallet is a
"means of electronic identification which allows the user to securely store, manage and validate person identification data and electronic attribute statements, to provide them to relying parties and other users of European Digital Identity Wallets, and to sign by means of qualified electronic signatures or to seal by means of qualified electronic seals".
In short, identity wallets will be apps (although in theory their use is not restricted to mobile phones) that all Europeans, as natural or legal persons, will have the right, but not the obligation, to use and that will allow us to:
- Identify ourselves to the so-called relying parties and to other users.
- Prove attributes linked to our identity, such as academic or professional qualifications, licences, authorizations or any other quality or capacity of the holder, by means of electronic attribute statements.
- Produce qualified electronic signatures.
To meet the generic uses listed above, the wallets will be equipped with several basic functionalities, including:
- Request, obtain, select, combine, store, delete, share and submit person identification data and electronic attribute statements.
- Enable the above information to be selectively presented.
- Allow the use of pseudonyms.
- Allow online and offline use.
- Interact with other citizens' wallets.
- Produce qualified electronic signatures free of charge (potentially limited to natural persons and non-professional use).
In addition, as we highlighted at the beginning of the article, the ultimate purpose of this new identity model is to guarantee the privacy of citizens, so numerous safeguards are established to make this effective, such as:
- The obligation of prior registration for relying parties.
- The possibility of viewing, in the wallet itself, a log of all accesses made by relying parties, of requesting the deletion of data, and of filing a complaint with the data protection authorities.
- The possibility of exporting data to exercise the right to portability.
- Use of pseudonyms and selective disclosure of data.
- A guarantee that wallet use is not traceable by wallet providers or by issuers of electronic attribute statements.
- Providers may not combine the data obtained in providing the wallet or the corresponding attribute statements with data obtained from other services they provide to the user.
Who will provide these identity wallets, and how soon will they be available?
The regulation foresees that these new identity wallets may be provided by Member States under one of three options:
a) directly by a Member State;
b) under a mandate from a Member State;
c) independently of a Member State, but recognized by that Member State.
Whichever model each Member State chooses, it will have to provide at least one European Digital Identity Wallet within 24 months of the entry into force of the implementing acts, which could push effective availability to 30 months from the publication of the regulation.
Regardless of the model adopted, all providers must meet the same basic premises: wallets will be provided free of charge to citizens, with an electronic identification scheme at assurance level high, and under an open-source licence (except for certain functions restricted for security reasons).
The ecosystem around identity wallets
Around the wallet, a whole ecosystem is created linked to its provision and use, in which the following roles are identified:
- Wallet user or holder. The natural or legal person presumed to have exclusive possession and use of the wallet. As mentioned above, use of the wallet is a right of the citizen, who may in no case be forced to use it or be discriminated against for not using it. In certain circumstances the wallet user may also act as a verifier of the identity or attributes held in another wallet, under a "peer to peer" model.
- Wallet provider. We have already seen that there are different options for its issuance, but in any case the entity that provides it must run the onboarding process, which includes at least (1) the application and registration, (2) the verification of the citizen's identity and (3) the issuance, delivery and activation of the wallet and of the person's identity information, the so-called person identification data (PID), which are the citizen's basic data, equivalent, with nuances, to those contained in national identity documents. Beyond issuance, the designated entities are also responsible for maintenance and life cycle, including renewal and revocation when necessary.
- Authentic source. The repository or system, maintained under the responsibility of a public sector body or private entity, that contains and provides attributes about a natural or legal person or object and is considered a primary source of that information, or is recognized as authentic in accordance with Union or national law, including administrative practice.
- Issuers of electronic attribute statements. The entities responsible for attesting that the holder possesses a certain quality, capacity or permission linked to their identity. These statements may be qualified or non-qualified and may be issued by the responsible public bodies, by entities delegated by the body responsible for the authentic source of the data or, following the classic eIDAS model, by a trust service provider authorized to issue electronic attribute statements.
- Relying parties. The entities that interact with identity wallets to request from their holder information on their identity or on specific attributes. Relying parties must be registered beforehand in a public register and may not request more information than that declared in the register. In certain cases, service providers in the fields of transport, energy, banking, financial services, social security, health, drinking water, postal services, digital infrastructure, telecommunications or education will be obliged to accept the use of wallets where strong user authentication for online identification is required by law or by contract, as will the so-called "very large online platforms" in their user authentication processes.
- Other roles within the ecosystem: in addition to the main roles listed above, there are other agents within the ecosystem that play significant roles, such as standardization bodies, conformity assessment bodies (CABs), supervisory bodies, device manufacturers, etc...
How the new identity model will affect my daily life. Practical examples.
European identity wallets will mark a turning point in the way we identify ourselves as Europeans and will create a precedent that will surely be replicated in other legal systems.
When the entire ecosystem of trust is available, European citizens will be able to interact electronically with providers of public and private products and services in a simple way and, most importantly, with full guarantees of security and privacy.
Some of the most relevant examples of use of our wallet could be:
- The authentication of citizens and the completion of procedures with Public Administrations.
- Access to very large online platforms (more than 45 million users).
- Obtaining and submitting university degrees and other academic certificates.
- Electronic driving license.
- Obtaining and presenting certificates from public and private entities (such as financial or health entities).
- Obtaining and presenting travel documents.
- Power of attorney certification.
- Age verification for access to certain online services.
- ...
The list of possible uses is almost endless, and the model makes it possible to build very interesting and complex identification and authentication flows with today's technology. For example, we could arrange a car rental using only our wallet, providing strictly the data (electronic attribute statements) that are needed: name, age, driving licence category and validity. Once the rental agency, acting as relying party, has validated them, the contract can be signed, and the agency can even issue its own credential to the user, allowing them to pick up the assigned vehicle at the pick-up point without waiting or further formalities.
It is worth highlighting that, although the use cases we currently have in mind are those with greater legal relevance (administrative procedures, academic degrees, ...), the model also allows, and will be very useful for, more everyday procedures, such as issuing transport tickets, tickets for cultural and sporting events, membership cards or loyalty cards.
Another strong point is the possibility of using the same authentication mechanism online and offline. In the previous example we saw how to share our data with the car rental agency online, but we can do the same in person at the agency's offices, or with a traffic officer if required.
Finally, we must highlight the improvements in the privacy of our data, especially regarding the principle of data minimization. Until now, when required to prove our identity, we have usually done so by handing over official documents that contain a large amount of data (name, full address, date of birth, sex, place of birth, identity number, ...). In most cases, all we need to prove is, for example, that we are of legal age to buy a pack of cigarettes, that we live in a given town to receive a subsidy, or that we belong to a large family to obtain a discount. Thanks to the selective disclosure technologies provided for in the regulation, or even more advanced zero-knowledge proof (ZKP) techniques, this right can be effectively guaranteed: the relying party learns the answer to its question and nothing else.
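The car-rental flow and the data-minimization point above can be made concrete with a short example. The following Python is an added illustration, not code from the original article or from Validated ID. It implements the salted-hash selective-disclosure technique used by SD-JWT (one of the credential formats the draft ARF adopts): the issuer signs only a digest per claim, the wallet forwards the signed credential plus the few disclosures the relying party actually needs, and the verifier recomputes each digest before trusting a value. Two simplifications are assumptions: the issuer signature is modelled with an HMAC over a demo key instead of the asymmetric signature a real issuer would use, and the issuer URL and all personal data are constructed placeholders.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets

# Assumption: a shared demo key stands in for the issuer's signing key. In an
# EUDI-style ecosystem the issuer signs with a private key and the verifier
# checks the signature with the public key published on the trust list.
ISSUER_KEY = b"demo-issuer-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def disclosure_digest(disclosure: str) -> str:
    """Digest of one encoded disclosure; the signed credential carries only digests."""
    return _b64url(hashlib.sha256(disclosure.encode()).digest())


def _sign(payload: dict) -> str:
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ISSUER_KEY, canonical, hashlib.sha256).hexdigest()


def issue_credential(claims: dict) -> tuple[dict, list[str]]:
    """Issuer side. Each claim becomes [salt, name, value]; the signature covers
    only the sorted digests, so an undisclosed claim cannot be recovered from the
    credential (the 128-bit salt defeats guessing attacks on small value sets
    such as booleans or licence categories)."""
    disclosures = []
    for name, value in claims.items():
        salt = _b64url(secrets.token_bytes(16))
        disclosures.append(_b64url(json.dumps([salt, name, value]).encode()))
    payload = {"iss": "https://issuer.example",  # assumption: placeholder issuer
               "_sd": sorted(disclosure_digest(d) for d in disclosures)}
    return {"payload": payload, "sig": _sign(payload)}, disclosures


def present(credential: dict, disclosures: list[str], reveal: set[str]) -> dict:
    """Wallet side: forward the signed credential and only the chosen disclosures."""
    chosen = [d for d in disclosures
              if json.loads(_b64url_decode(d))[1] in reveal]
    return {"credential": credential, "disclosures": chosen}


def verify(presentation: dict, required: set[str]) -> dict | None:
    """Relying-party side. Returns the revealed claims, or None on any failure:
    bad issuer signature, a disclosure whose digest the issuer never signed
    (tampered or foreign value), a duplicated claim name, or a required claim
    the holder chose not to reveal."""
    cred = presentation["credential"]
    if not hmac.compare_digest(_sign(cred["payload"]), cred["sig"]):
        return None
    signed_digests = set(cred["payload"]["_sd"])
    revealed: dict = {}
    for d in presentation["disclosures"]:
        if disclosure_digest(d) not in signed_digests:
            return None
        _salt, name, value = json.loads(_b64url_decode(d))
        if name in revealed:
            return None
        revealed[name] = value
    if not required <= set(revealed):
        return None
    return revealed


def car_rental_demo() -> dict | None:
    """The car-rental flow: the issuer precomputes age_over_18 so the wallet never
    has to show the birth date, and the wallet reveals only what the agency asks."""
    credential, disclosures = issue_credential({       # constructed sample data
        "given_name": "Ana", "family_name": "Example",
        "birth_date": "1990-05-14", "age_over_18": True,
        "address": "Calle Falsa 123, Madrid",
        "licence_category": "B", "licence_valid_until": "2031-05-13",
    })
    needed = {"age_over_18", "licence_category", "licence_valid_until"}
    presentation = present(credential, disclosures, needed)
    return verify(presentation, needed)


if __name__ == "__main__":
    print(car_rental_demo())
```

The point to notice is the asymmetry: the agency receives a credential that is provably from the issuer, yet the name, address and birth date it never asked for are present only as salted digests it cannot invert, and any attempt to slip in a value the issuer did not sign fails the digest check. A production verifier would additionally check the issuer against the trust list, the credential's validity period and revocation status, and bind the presentation to the holder's key.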
What are the next steps, and can the new model be implemented now?
Once the amendment has been approved by the European Parliament, the text must be formally adopted by the Council of the EU and published in the Official Journal. From that moment, the race begins for the adoption of the complementary regulations and implementing acts, each with its own deadline (six or twelve months from publication of the reform). The longest period is the maximum for the provision of the wallets, which can take up to 30 months from publication of the regulation, although they could be available in little more than a year at the discretion of the Member States.
Meanwhile, the race against the clock continues so that everything is ready: development of the necessary technical standards by the standardization bodies, publication of the final ARF and the reference wallet, development and analysis of the results of the European Large-Scale Pilots, interoperability tests, audits, publication of trust lists, ...
The good news is that at Validated ID we have been working on this technology for years, so, although we have years of work ahead to keep adapting our services to the evolution of the standards, today we have all the technological components needed to start enjoying, from now on, most of the benefits this new identity model brings. We have one of the most advanced identity wallets and one of the first to pass the EBSI compliance tests, a complete credential issuance portal (electronic attribute statements), an OpenID connector and a REST API to facilitate integration.
Whether you are a Public Administration that wants to start advancing in the issuance and validation of credentials or a private entity that aims to address your identity use cases in an easy, secure and respectful way with the user's privacy, we invite you to contact us and analyze your project together.