What Is eIDAS and What Does It Mean for My Business?
Building trust in the online environment is key to economic and social development. Lack of trust, in particular because of a perceived lack of legal certainty, makes consumers, businesses and public authorities hesitate to carry out transactions electronically and to adopt new services.
eIDAS was introduced to make EU rules on electronic signatures consistent across member states, and thereby to improve that trust.
What is eIDAS?
eIDAS seeks to enhance trust in electronic transactions in the EU’s internal market by providing a common foundation for secure electronic interaction between citizens, businesses and public authorities cross-borders, in order to increase the effectiveness of public and private online services, electronic business and electronic commerce in the Union.
The regulation will replace the current eSignatures Directive and resolve the current inconsistencies in digital signature law across Europe. It was adopted by the General Affairs Council in July 2014, with the rules for trust services coming into force on 1st July 2016. The mandatory mutual recognition of electronic identities (eIDs) will apply from mid-2018.
eIDAS covers authentication, electronic signatures and seals, registered delivery services and time stamps.
What Are the Benefits of eIDAS?
The eSignature Directive (Directive 1999/93/EC) has been around for 15 years and lacks defined obligations for national supervision of service providers. It also doesn’t take into account new technologies that have developed since its implementation. eIDAS will bring a new layer to Digital Signature Regulation and aims to:
- Make cross-border electronic transactions more secure and trustworthy.
- Allow for transparency and standardization in the market.
- Ensure accountability.
- Allow citizens moving to new member states to reduce paperwork through online administration.
- Decrease red tape for businesses, meaning overheads can be reduced and profits increased.
- Increase flexibility and convenience of government services.
Who is eIDAS for?
Any person or business operating in the EU who uses electronic signatures for identity verification and electronic transactions should ensure they are complying with these regulations.
Types of e-Signatures as Defined by eIDAS — Qualified vs. Advanced vs. Electronic Seals
The eIDAS regulation defines Advanced Electronic Signatures (AdES) and Qualified Electronic Signatures (QES). These definitions exist so that document signing is carried out consistently across all EU member states.
Both AdES and QES prove the identity of the signer and are the equivalent of a wet ink signature. The main difference is acceptance by other EU member states (i.e., states other than the one where the trust provider originated): an AdES can be accepted by other member states, but a QES must be accepted. It’s also important to note that an AdES shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.
Finally, eIDAS also introduces the recognition of electronic seals, which are like signatures but pertain only to legal persons and corporate entities. This allows an organization to sign documents as a department or entity instead of through an individual authorized signer.
Timestamps are expected to be used on all electronic signatures in order to verify the time linked to the signing.
Article 8 of the new regulation establishes three levels of assurance for identification schemes that are directly proportional to their legal value — low, substantial and high. Whatever the assurance level, Member States that have notified an identity scheme become liable for it, including the registration of data operators and the identity and authentication providers included in the notified scheme.
Unfortunately, the language in eIDAS is slightly vague and unhelpful when it comes to explaining these levels:
“assurance level low shall refer to an electronic identification means in the context of an electronic identification scheme, which provides a limited degree of confidence in the claimed or asserted identity of a person, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of misuse or alteration of the identity” (source)
However, you can see how existing signature credentials can fit into this tiered approach. For example:
- Low Assurance provides limited confidence in the identity of the signer, so this type of credential might only prove ownership of an email address.
- Substantial Assurance provides a limited degree of confidence in the claimed identity of a signer, so to achieve this assurance level you might need to prove ownership of an email address and the identity of the signer.
- High Assurance provides a high degree of confidence in the claimed identity of a person. In addition to proving the person’s identity, a high assurance credential might also include the organization the individual represents.
eIDAS Regulations for the Trusted Services Provider
For electronic signatures to pass the eIDAS qualifications they must be created using a digital certificate purchased from a ‘trust service provider’, such as a Certificate Authority (CA). It is the responsibility of the trust service provider to follow the guidelines set out by eIDAS, including:
- Verify the identity and attributes of the person to whom the certificate will be issued.
  - This is done by having the person physically present (for low assurance this can be an electronic presence).
- Inform a supervisory body of any changes in the provision of its trust services and of any intention to revoke certificates.
- Train staff in data and security best practices.
- Store data and certificates with the utmost security and highest forms of trust, and take measures to avoid forgery or theft.
- Keep data on certificates for an appropriate period of time even after a certificate has been revoked. This is recommended to be done in a certificate database that records any changes, such as revocation.
eIDAS regulations are worded vaguely because they cannot commit to a certain type of technology or validation process. As a result, definitions are open to interpretation. But what we can surmise from the regulation is that a legal court or government body will need to see that an electronic signature is cryptographically signed with a credential issued by a trust service provider and timestamped to prevent tampering.
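As an added illustration of those three checks (signature, provider-issued credential, timestamp), and not code from this post or from GlobalSign, the Go program below builds a constructed scenario with the standard crypto/x509 library: a root CA stands in for the trust service provider, it issues a signer certificate, and a separate key plays the timestamp authority. The timestamp token format, the names and the contract text are all assumptions made here (a real TSA issues RFC 3161 tokens); every key and certificate is generated inside the program.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }
// tsHash models a simplified timestamp token (an assumption here, not RFC 3161): the TSA signs the signature bytes plus the time.
func tsHash(sig []byte, t time.Time) []byte {
	return digest(append(append([]byte{}, sig...), t.UTC().Format(time.RFC3339)...))
}
// Verify checks what the post says a court will look for: the signer's certificate chains to a trusted provider
// (validity judged at the timestamped time), the signature covers the document, and the timestamp covers the signature.
func Verify(doc, sig, tsSig []byte, cert *x509.Certificate, ts time.Time, roots *x509.CertPool, tsa *ecdsa.PublicKey) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: ts, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err // not issued under a trusted provider, or outside its validity period when timestamped
	}
	if !ecdsa.VerifyASN1(cert.PublicKey.(*ecdsa.PublicKey), digest(doc), sig) {
		return fmt.Errorf("document signature invalid")
	}
	if !ecdsa.VerifyASN1(tsa, tsHash(sig, ts), tsSig) {
		return fmt.Errorf("timestamp does not cover this signature")
	}
	return nil
}
// Demo builds the constructed scenario (root CA as trust service provider, a signer certificate it issued, a separate
// TSA key), signs a fixed sample contract, then verifies whatever bytes the relying party is presented with.
func Demo(presented []byte) error {
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	caKey, sKey, tsaKey := newKey(), newKey(), newKey()
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example TSP Root"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	leafDER, _ := x509.CreateCertificate(rand.Reader, &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Alice Example"},
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}, caCert, &sKey.PublicKey, caKey)
	leafCert, _ := x509.ParseCertificate(leafDER) // a relying party only ever sees the DER bytes
	roots := x509.NewCertPool()
	roots.AddCert(caCert) // the relying party's list of trusted providers
	sig, _ := ecdsa.SignASN1(rand.Reader, sKey, digest([]byte("constructed sample contract: pay 100 EUR")))
	tsSig, _ := ecdsa.SignASN1(rand.Reader, tsaKey, tsHash(sig, now)) // TSA binds the signature to a time
	return Verify(presented, sig, tsSig, leafCert, now, roots, &tsaKey.PublicKey)
}
func main() { fmt.Println(Demo([]byte("constructed sample contract: pay 100 EUR")), Demo([]byte("constructed sample contract: pay 900 EUR"))) }
```

Presenting the genuine contract returns nil; presenting an altered one fails the document-signature check, and a certificate from a CA not in the root pool would already fail at the chain check.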
Stay tuned for more posts on eIDAS, including how existing digital signature solutions map onto the regulation.
GlobalSign is the leading provider of trusted identity and security solutions enabling businesses, large enterprises, cloud service providers and IoT innovators around the world to secure online communications, manage millions of verified digital identities and automate authentication and encryption. Its high-scale Public Key Infrastructure (PKI) and identity solutions support the billions of services, devices, people and things comprising the Internet of Everything (IoE).
Nordic IT Security is an annual security conference that provides industry experts with a platform for an open discussion of the latest trends and critical security issues in the IoT, financial, defense, media and public sector spheres.
Organised in Stockholm, it’s the largest IT security event in the Nordics.
To register for the upcoming event, please visit: http://www.nordicitsecurity.com/