eID heats up all over Europe

DigiCert’s Stephen Davidson examines the acceleration of e-government ID schemes in Europe and what it could mean for the future of digital identity, facilitating legal e-signatures as well as simplifying the complex requirements for KYC/AML and onboarding of remote customers.

Posted 1 February 2022 by Christine Horton

E-government ID schemes are accelerating quickly throughout Europe. Digital transformations swept through the world during the pandemic with businesses rapidly evolving to adapt to remote working and the disruptions to in-person customer relationships caused by Covid-19. The public sector is also rapidly transforming, with a heightened focus on e-government programmes such as eID, online filings, and electronic signatures.

United Kingdom

The UK government, for example, wants to make digital identities as “trusted as passports.” In May, the Government Digital Service (GDS) released its strategy for 2021 to 2024. In it, GDS sets out plans to unify government identities so that British citizens can streamline their interactions with government services. It recently released a £5 million public tender to develop a smartphone-based digital identity app that would allow citizens to authenticate to and access 300 different government services.

eIDAS 2.0

The European Union has similar ideas. In 2021, it announced that eIDAS – the long-standing regulation which governs electronic identification and online trust services across the EU – would be given a significant update.

A major part of that update is a plan to accelerate the issuance and adoption of official eID that citizens could use across European borders. In its simplest form, the proposal will set common standards for all EU countries for eID as well as for electronic wallets that citizens may use to protect their mobile eID, to authenticate to online services, and to facilitate interactions with Qualified Trust Service Providers (QTSPs). For example, the eID wallet can assist in the creation of cloud-based electronic signatures, or allow individual identity attributes (such as employment affiliation or professional qualification) to be added to the eID.

This is meant to serve as an alternative to the commercial ID offered by tech giants like Google and Facebook. These services let users sign in to a range of third-party services with their commercial logins, and there is much concern over the privacy implications of these arrangements. The European eID and wallet aim to restore individuals’ control over the use of their identity, and to bind relying parties (in both the public and private sector) to privacy agreements. The EU Commission has stated that “very large platforms will be required to accept the use of European Digital Identity wallets upon request of the user.”

The eIDAS update also includes a renewed focus on Qualified Web Authentication Certificates (QWACs) to verify the identity of entities that operate websites. One example is the use of QWACs to protect transactions between banks and payment service providers in accordance with the European Payment Services Directive 2 (PSD2), which is influential in the development of new Open Finance rules in the EU and Open Banking standards internationally.

The eIDAS legislative proposals underline a belief that identity is an important factor for websites that deal with sensitive personal information, and that despite ongoing efforts to coordinate, major web browsers “continue to refuse supporting QWACs and have been unable to present alternatives with the same degree of legal assurance.” Stakeholders have proposed requiring browsers to display QWAC identity details, but as of writing, there is no formal obligation.

The update will also revisit the standards for Qualified TSPs, the regulated entities that provide many of the digital transformation services underpinning eIDAS, such as digital certificates and electronic signatures. A “Qualified” service from such a provider – certified under ETSI standards and operated under the supervision of an EU state – brings legal benefits to many transactions performed online. The eIDAS update will expand the Qualified TSP rules for management of keys (for tasks such as e-signatures) in the cloud as well as the operation of ledgers.

eIDAS is adapting to new conditions

eIDAS was originally enacted in 2014, and a great deal has changed since then. The EU has made several significant regulatory changes in the area of digital identities – including the 2019 Cybersecurity Act and the 2016 EU NIS Directive. Technology has progressed too: mass remote work is now a reality, and a series of authentication technologies and standards have come onto the market in recent years.

The last 18 months have been tumultuous, fuelling massive digital transformations affecting nearly every sector of society and commerce. In fact, by McKinsey’s estimate, digital evolution has accelerated by seven years over the course of the pandemic. Businesses have embraced connected technologies to ensure their survival amidst national lockdowns. Forward-looking governments, too, have pushed ahead with e-government projects for their own functioning – ranging from online filings to digital vaccination certificates – but also to modernise laws and regulations to keep pace with the changing ways of doing business.

Digital identities, and the electronic signatures and digital certificates which go with them, are about to become an even bigger part of Europeans’ lives. The update of eIDAS means that more businesses will have to think more closely about how they interact with customers’ identities and signatures online.

What eIDAS 2.0 means for enterprises

While some countries already have eID programmes and identity wallets, later in 2022 new “toolkit” standards will become clear for the unified eIDAS 2.0 approach. Governments and private sector organisations will wish to consider their needs and obligations to authenticate users and conduct e-signatures in light of the new opportunities of government-issued eID. This is particularly relevant in regulated sectors – like banking and financial services – with anti-money laundering (AML) and Know Your Customer (KYC) requirements, which are expected to coalesce around the eID.

In particular, the advancement of the wallets and cloud-based signing services operated by QTSPs like DigiCert + QuoVadis will allow users to more readily sign with Qualified Electronic Signatures (QES), with simpler signup and authentication procedures and using only mobile devices. Accepting these will be mandatory for most EU national government services, and sought after by many companies.

The IT sector has been rich with proposals for different identity schemes over the years, from both governments and the tech giants, fraught with trial and error. The eIDAS 2.0 proposals hope to adopt the best ideas from proven schemes, and to implement them across an entire continent, with the weight of official ID and signature laws behind them. This alone presents significant opportunities for enterprises seeking to de-risk aspects of the recent surge into online work methods.

Stephen Davidson is senior manager in DigiCert’s global Governance, Risk and Compliance team.