eIDAS Regulation (Reg. No. 910/2014)


Transcript of eIDAS Regulation (Reg. No. 910/2014)

Page 1: eIDAS Regulation (Reg. No. 910/2014)

The eIDAS Regulation (Reg. No. 910/2014 ).

e-ID and trusted services in Europe

Cosetta Masi, IT Lawyer

August 29, 2016

Page 2: eIDAS Regulation (Reg. No. 910/2014)

Regulation No. 910/2014 of the European Parliament and of the Council of the European Union on electronic identification and trusted services for electronic transactions in the internal market, repealing Directive 1999/93/EC.

All rights reserved – Cosetta Masi, 2016

Page 3: eIDAS Regulation (Reg. No. 910/2014)

Agenda

1. Online transactions
2. The adoption of the eIDAS Regulation
3. Main innovations by the eIDAS Regulation
4. Implementation
5. Conclusions


Page 4: eIDAS Regulation (Reg. No. 910/2014)

1. Online transactions

Challenges of online transactions:

- Distance transaction: no opportunity to ‘touch’ the goods or try the services
- Identity of the counterparty
- Risk of prior performance
- Privacy and security risks
- Security of payment method

Result: lack of trust by the operators in the online market.


Page 5: eIDAS Regulation (Reg. No. 910/2014)

1. Online transactions

Examples of online transactions:

- Participation in tenders
- Execution of agreements
- Filing of tax declarations
- Enrollment with a foreign university
- E-banking
- Taking part in public and private auctions

Page 6: eIDAS Regulation (Reg. No. 910/2014)

Agenda

2. The adoption of the eIDAS Regulation
2.1. Directive 1999/93/EC and its shortcomings
2.2. The purpose of the eIDAS Regulation


Page 7: eIDAS Regulation (Reg. No. 910/2014)

2. The adoption of the eIDAS Regulation
2.1. Directive 1999/93/EC and its shortcomings

Developing the online market fosters:

- the increase of transactions on the European internal market
- the free circulation of goods and services within the European Union

Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.


Page 8: eIDAS Regulation (Reg. No. 910/2014)

2. The adoption of the eIDAS Regulation
2.1. Directive 1999/93/EC and its shortcomings

- Fragmentation: need of transposition into national legislation; lack of interoperability
- Narrow scope: scope of the Directive limited to e-signatures
- Technologically outdated: neutral approach toward technologies; major technological changes since 1999

Documents acknowledging these shortcomings:

- Report from the Commission on the operation of the Directive (2006)
- Commission communication ‘A Digital Agenda for Europe’ (2010)
- Commission communication ‘Single Market Act’ (2011)

The online market and the use of e-signatures did not increase significantly in the framework of the Directive.


Page 9: eIDAS Regulation (Reg. No. 910/2014)

2. The adoption of the eIDAS Regulation
2.2. The purpose of the eIDAS Regulation

Report from the Commission on the operation of the Directive – COM(2006) 120 final

“[…] the Commission will organize a series of meetings with Member States and the relevant stakeholders to address the following issues in the view of considering complementary measures, where appropriate: the differences in the transposition of the Directive; the clarifications of specific articles of the Directive; the technical and standardization aspects; interoperability problems” (para 5.1.).

Proposal by the Commission for the adoption of the eIDAS Regulation – COM(2012) 238 final

“the consultations made clear that a large majority of stakeholders agreed on the need to review the current framework to fill the gaps left by the electronic signature Directive. It was felt that this would better respond to challenges posed by the rapid development of new technologies (particularly online and mobile access) and by increased globalisation, while maintaining the technological neutrality of the legal framework” (para 2).


Page 10: eIDAS Regulation (Reg. No. 910/2014)

Agenda

3. Main innovations by the eIDAS Regulation
3.1. The adoption of a Regulation
3.2. Wider range of certification services
3.3. Functional equivalence
3.4. New framework for mutual recognition
3.5. New framework for trust services


Page 11: eIDAS Regulation (Reg. No. 910/2014)

3. Main innovations by the eIDAS Regulation
3.1. The adoption of a Regulation

- Directly applicable in all Member States
- No need of transposition into the national legislation of Member States
- Direct application of the Commission implementing acts

Reduces legal fragmentation and increases certainty by introducing a harmonized set of core rules.


Page 12: eIDAS Regulation (Reg. No. 910/2014)

3. Main innovations by the eIDAS Regulation
3.2. Wider range of certification services

The eIDAS Regulation covers other certification services, beyond e-signatures:

- Electronic seals
- Electronic time stamps
- Electronic registered delivery services
- Website authentication
- Electronic documents

Each aspect of an online transaction may be certified, producing a secure online transaction:

- Website authentication, to ensure trustworthiness
- E-signatures and e-seals, to ensure the ID of the parties
- Electronic documents, to ensure means of proof
- Electronic registered transmission, to secure the delivery


Page 13: eIDAS Regulation (Reg. No. 910/2014)

3. Main innovations by the eIDAS Regulation
3.3. Functional equivalence

The eIDAS Regulation is a further step in the acknowledgment of the equivalence between ‘paper based’ ID means and electronic means.

- E-signatures: a qualified electronic signature shall have the equivalent legal effect of a handwritten signature – art. 25(2).
- E-seals: a qualified electronic seal shall enjoy the presumption of integrity of the data and of the correctness of the origin of that data to which the qualified electronic seal is linked – art. 35(2).
- E-time stamps: a qualified time stamp shall enjoy the presumption of accuracy of the date and the time it indicates and the integrity of the data to which the date and time are bound – art. 41(2).

Page 14: eIDAS Regulation (Reg. No. 910/2014)

3. Main innovations by the eIDAS Regulation
3.4. New framework for mutual recognition

Procedure for notified e-ID schemes:

- Notification of an e-identification scheme by a Member State to the Commission: eligibility for notification – art. 7; contents of the notification – art. 9
- The e-ID scheme is communicated to the other Member States – peer review (interoperability, security)
- Publication of the list of notified e-identification schemes in the Official Journal
- Mutual recognition of e-ID issued under an e-ID scheme included in the list – art. 6


Page 15: eIDAS Regulation (Reg. No. 910/2014)

3. Main innovations by the eIDAS Regulation
3.4. New framework for mutual recognition

The eIDAS Regulation introduces new elements for the success of the mutual recognition of e-ID schemes between Member States:

- Assurance levels
- Interoperability
- Liability


Page 16: eIDAS Regulation (Reg. No. 910/2014)

3. Main innovations by the eIDAS Regulation
3.4. New framework for mutual recognition

- Assurance levels: low, substantial and high. Minimum requirements for each assurance level are set by the Commission (Implementing Regulation No. 2015/1502).
- Interoperability: notified e-ID schemes should be interoperable (Implementing Regulation No. 2015/1501 on interoperability and Implementing Decision No. 2015/296 on procedures for cooperation between Member States).
- Liability: liability of the party issuing the e-ID means, the party operating the authentication procedure, and the Member States – art. 11.


Page 17: eIDAS Regulation (Reg. No. 910/2014)

3. Main innovations by the eIDAS Regulation
3.5. New framework for trust services

Definition in art. 1(16): an electronic service normally provided for remuneration which consists of:

(a) the creation, verification and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services; or
(b) the creation, verification and validation of certificates for website authentication; or
(c) the preservation of electronic signatures, seals or certificates related to those services.


Page 18: eIDAS Regulation (Reg. No. 910/2014)

3. Main innovations by the eIDAS Regulation
3.5. New framework for trust services

Supervisory body – art. 17: Member States shall designate a supervisory body, responsible for the supervision of trust service providers.

Liability – art. 13: trust service providers shall be liable for damage caused intentionally or negligently to any natural or legal person due to the failure to comply with the eIDAS Regulation.

Security requirements and breach notification – art. 19: service providers shall ensure a level of security commensurate with the degree of risk, and notify the supervisory body of any breach of security or loss of integrity.


Page 19: eIDAS Regulation (Reg. No. 910/2014)

3. Main innovations by the eIDAS Regulation
3.5. New framework for trust services

Service providers:

- ex post supervision by the supervisory body

Qualified service providers:

- requirements in art. 24
- ‘qualified’ status granted by the supervisory body
- ex ante supervision by the supervisory body
- auditing
- included in trusted lists drafted by Member States
- entitled to use the EU trust mark

Page 20: eIDAS Regulation (Reg. No. 910/2014)

3. Main innovations by the eIDAS Regulation
3.5. New framework for trust services

Requirements for qualified trust service providers – art. 24

General:

- employ staff and subcontractors which possess the necessary expertise, reliability, experience and qualifications and who have received appropriate training
- with regard to the risk of liability for damages, maintain sufficient financial resources and/or obtain appropriate liability insurance

Technical:

- ensure lawful processing of data in accordance with Dir. 95/46/EC
- use trustworthy systems to store data provided to the TSP
- take appropriate measures against forgery and theft of data

The Commission MAY adopt an implementing act to establish reference standards for trustworthy systems and products.


Page 21: eIDAS Regulation (Reg. No. 910/2014)

3. Main innovations by the eIDAS Regulation
3.5. New framework for trust services

The eIDAS Regulation introduces new elements to enhance the (cross-border) provision of trust services:

- Transparency: trusted lists; EU trust mark
- Liability

Result: increase of trust in service providers.


Page 22: eIDAS Regulation (Reg. No. 910/2014)

3. Main innovations by the eIDAS Regulation
3.5. New framework for trust services

[Image: the EU trust mark]

Source: Annex I, Commission Implementing Regulation No. 2015/806


Page 23: eIDAS Regulation (Reg. No. 910/2014)

Agenda

4. Implementation
4.1. Timeline for implementation
4.2. Implementing acts by the Commission


Page 24: eIDAS Regulation (Reg. No. 910/2014)

4. Implementation
4.1. Timeline for implementation

- 17 September 2014: entry into force
- 29 September 2015: voluntary recognition of e-ID means
- 1 July 2016: repeal of the Directive; mainly affects the provision of trust services
- 29 September 2018: mandatory recognition of notified e-ID schemes

Along the timeline: adoption of implementing acts by the Commission; increase of trust in online transactions.

Page 25: eIDAS Regulation (Reg. No. 910/2014)

4. Implementation
4.2. Implementing acts by the Commission

Electronic identification:

- Implementing Decision No. 2015/296: procedures for the cooperation between Member States.
- Implementing Regulation No. 2015/1501: interoperability framework.
- Implementing Regulation No. 2015/1502: minimum technical requirements and procedures for assurance levels.
- Implementing Decision No. 2015/1984: circumstances, formats and procedures of notification.

Electronic trust services:

- Implementing Regulation No. 2015/806: specifications relating to the EU trust mark.
- Implementing Decision No. 2015/1505: specifications and formats relating to trusted lists.
- Implementing Decision No. 2015/1506: formats of advanced e-signatures and e-seals to be recognized in the public sector.
- Implementing Decision No. 2016/650: standards for the security assessment of qualified signature and seal creation devices.


Page 26: eIDAS Regulation (Reg. No. 910/2014)

5. Conclusions

The eIDAS Regulation introduces new tools or enhances the provisions of the Directive, for the purpose of:

- Ensuring mutual recognition and acceptance of electronic identification means
- Granting the free movement of trust services
- Ensuring minimal security levels of trust for electronic identification means and for trust service providers

The tools: liability, cooperation, technical standards, transparency, supervision.

Page 27: eIDAS Regulation (Reg. No. 910/2014)

5. Conclusions

- The eIDAS Regulation does not create a unified system for eID.
- Member States are under no obligation to notify eID schemes: they are obliged to recognize eID issued under eID schemes notified by other Member States.
- Human factor?

Page 28: eIDAS Regulation (Reg. No. 910/2014)

For further comments and questions:

Avv. Cosetta Masi – e-mail: [email protected]

skype cosetta.ms
