Everything you need to know about the revised eIDAS regulation

In June 2021, the EU Commission announced its plans for a revised eIDAS regulation. eIDAS (electronic IDentification, Authentication and trust Services) is the EU regulation 910/2014 on electronic identification and trust services in the EU. It came into force in 2014, so the revision is a major update to eIDAS. The past two years the Commission has been working on preparations, public surveys, expert committees and legal enhancements.

Yubico has taken an active role in the eIDAS revision and contributed to several expert surveys with comments and suggestions for enhancements, which have also been incorporated in the revised eIDAS legislation. The YubiKey is well positioned to play an important role in the emerging eIDAS ecosystem as in the case of the EU digital wallet for example, a YubiKey can be used to protect authentication credentials, which allow for portability and recovery of the EU digital wallet and its credentials. YubiKeys also supports WebAuthn solutions that cater to secure authentication for eIDAS remote signing services.

Major findings in the EU Commission’s analysis of the existing eIDAS regulation

National eID schemes have low adoption across borders.

• The eID schemes can be approved on a national (domestic) level. Such national eID schemes can voluntarily be notified on the EU level, which allows for cross-border identification. Only 19 countries have notified their eID schemes on the EU level, however, so the notified eID schemes only cover around 59% of the EU population. In addition to this, the certification requirements differ between the EU member states, so the acceptance and interoperability of notified eIDs across the EU level is low. Therefore, the cross-border eIDs have a too narrow scope, the utilization is minimal, and the federation protocols do not scale. There are also privacy concerns. All electronic identities, which are typically digital certificates, contain a set of attributes about the holder. Citizens cannot limit what eID attributes they want to present for authentication, when it is sometimes only necessary to present a specific attribute (such as age). Domestic eID schemes are however a lot more successful. In particular, private actors that issue eIDs are processing billions of authentications and signatures per year in each country.

Gaps still exist for Qualified Trust Service Providers to authenticate securely.

• The existing EU eIDAS regulation and technical standards for operating Qualified Trust Service Providers are considered to function properly, although certain technical and legal gaps need to be closed. When the eIDAS regulation was written in 2014, however, there were no available standards for how to operate signing devices by a trust service provider in a secure environment. So the legal eIDAS framework did not stipulate how a user can authenticate securely to a signing service provider to gain sole control of the signature process.

Need to Harmonize with the EU’s changing legal landscape.

• The EU has issued a number of new IT oriented regulations since 2014: The EU Cybersecurity Act (EU 2019/881), the EU NIS directive (EU 2016/1148), and the EU single digital gateway regulation (EU 2018/1724). These EU regulations will be streamlined with a future revision of eIDAS.

Incorporate the latest technical standards.

• The technical landscape has also changed since 2014. The most obvious change in people’s life is the increased use of mobile devices. The COVID-19 pandemic has accelerated the digitalization of our society, which has resulted in increased needs of strong authentication solutions. Blockchain technologies have matured, been enhanced and are now widely deployed, also for other use cases than cryptocurrencies. Last but not least, several new authentication solutions have been developed, such as FIDO2, WebAuthn, and OpenID Connect. Yubico is having a leading role in the design of these protocols, which are now impacting the authentication solutions on a global scale.

Major improvements to the revised eIDAS regulation

Mandatory for EU member states to provide EU digital identity wallets.

• The most significant improvement is the EU digital identity wallet, which will be made available to all EU citizens. The use cases for the EU digital identity wallets are for example electronic driving license, electronic passport, electronic national ID-card, identification to online services or digital agreement signing. It will be mandatory for each EU member state to provide EU digital identity wallets to all citizens free of charge, as opposed to the current situation when eID schemes are voluntary. Private actors will also be allowed to issue EU digital identity wallets, in contrast to the current state where national certification authorities are dominating the issuance of eIDs. Privacy for the citizens will be an important topic for the revised eIDAS regulation. It will be voluntary for the citizens to get an EU digital identity wallet, and the users also will be able to select what attributes (such as age) they want to present to a validator.

The Common Toolbox will standardize the EU digital identity wallet.

• The EU Commission will cooperate with the EU Member States to establish a common Toolbox by October 2022. This Toolbox should include the technical architecture, standards and guidelines for EU digital identity wallets. The technical standards of the EU digital identity wallet and the related Toolbox are not yet specified, although there are references in the eIDAS reports to a number of standards and initiatives. The W3C standards on Distributed Identity and Verifiable Credentials are mentioned as the potential technical foundation of the EU digital identity wallet. As regards to the EU’s blockchain infrastructure, the candidates are European Blockchain Services Infrastructure (EBSI), the European Blockchain Partnership (EBP) and European Self-Sovereign Identity Framework (ESSIF). The Europass Digital Credentials and the COVID-19 Credentials Initiative (CCI) may also be taken into account for the Toolbox.

Improved remote signature services.

• In order to ensure sole control of secure remote signing processes, the eIDAS regulation will be updated with references to the CEN standard that regulate the operation and authentication to remote Qualified Signature Creation Devices.

Harmonization with other EU regulations.

• The eIDAS trust service reporting requirements will be replaced with the rules and regulations in the EU NIS directive. Certification of EU digital identity wallets may also be harmonized with the proposed EUCC certification scheme in the EU Cybersecurity Act. Furthermore, the EU single digital gateway regulation will create a push for the EU Digital Identity Wallets to be rolled out at scale in 2023.

The revised eIDAS regulation contains very ambitious enhancements, and caters for a greater rollout of electronic identities across the EU. The deadline for all EU member states to implement the new eIDAS regulation is June 2024.

Yubico will remain in the frontline for inventing solutions and products that are compliant with the EU regulations, please contact us for a consultation on how eIDAS regulations may affect your organization. For more information on Yubico’s contributions to the eIDAS ecosystem, please read our blog post on the eIDAS revision process and how the YubiKey is deployed with eIDAS solutions.