How to get eIDAS certificates and use them with bunq

The use of eIDAS certificates has been one of the biggest subjects of the PSD2 implementation process. Everyone knows businesses serving bank account owners must get one, yet few companies, including those that have applied for a license from the National Competent Authority (NCA) (e.g. DNB in the Netherlands), know that getting the accompanying eIDAS certificate is a separate procedure. Did you know there are two types of these signatures?

Sounds complicated but we have the answers for you! You’ll find them in this article.

What is eIDAS

eIDAS stands for “electronic IDentification, Authentication and trust Services”. You want to be one if you plan to legally sell accounting, invoicing, expense management or other application service that needs to read information and/or make payments from EU bank accounts.

Types of eIDAS certificates and how to get them

The PSD2 directive works with two kinds of electronic signatures: Qualified Website Certificates (QWACs) and Qualified Certificates for Seals (QCSEALs). Both are issued by Qualified Trust Service Providers (QTSPs) and require the same information.

You can find your local QTSPs in the European List of Trusted Lists. Just check the QWAC and QCSEAL, choose your country, and get the list. The good news is, you can get the certificate anywhere in the EU, not just your own country.

The information you need to provide the QTSP with is the following:

• Your Authorization Number
• Your PSD2 role(s) (AISP/PISP/CBPII)
• Name of your NCA

Fun fact: according to EY PSD2 Market Scan, 14 countries, including the Netherlands and Spain, have not granted any PSD2 licenses as of March 18, 2019.

Another interesting point is that most companies apply for both AISP and PISP licenses, whereas CBPII has virtually no use cases. The official distribution of licenses mentioned in the EY PSD2 Market Scan is the following:

• AISP — 37%
• PISP — 12%
• Both — 51%

How to use eIDAS certificates with bunq

It’s no problem you don’t have an eIDAS certificate yet. Our sandbox accepts beta certificates. You can connect as a PSD2 service provider and test the scope of permissions that you get as an AISP, PISP or both.

Just following these steps:

1. Create a test eIDAS certificate. You can use our SDKs to generate one.
2. Register as a PSD2 party by following the PSD2 authentication flow.
3. Register an OAuth application.
4. Create another sandbox user and use it as an end user.
5. Authenticate the user via OAuth.
6. Start testing!