EIDAS explained

eIDAS (for "electronic IDentification, Authentication and trust Services") is an EU regulation with the stated purpose of governing "electronic identification and trust services for electronic transactions". It passed in 2014 and its provisions came into effect between 2016 and 2018.[1] [2]

In 2023, a proposed change to the law would allow any EU government to perform man-in-the-middle attacks and spy on all internet messages, including encrypted communications.[3] The proposal was condemned by groups of cyber security researchers, NGOs, and civil society, as a threat to human rights, privacy, and dignity.[4] [5] [6]

Description

eIDAS oversees electronic identification and trust services for electronic transactions in the European Union's internal market. It regulates electronic signatures, electronic transactions, involved bodies, and their embedding processes to provide a safe way for users to conduct business online like electronic funds transfer or transactions with public services. Both the signatory and the recipient can have more convenience and security. Instead of relying on traditional methods, such as mail or facsimile, or appearing in person to submit paper-based documents, they may now perform transactions across borders, like "1-Click" technology.[7]

eIDAS has created standards for which electronic signatures, qualified digital certificates, electronic seals, timestamps, and other proof for authentication mechanisms enable electronic transactions, with the same legal standing as transactions that are performed on paper.[8]

The regulation came into effect in July 2015, as a means to facilitate secure and seamless electronic transactions within the European Union. Member states are required to recognise electronic signatures that meet the standards of eIDAS.

Timeline

The law was established in EU Regulation 910/2014 of 23 July 2014 on electronic identification and repealed 1999/93/EC from 13 December 1999.[1] [2]

It entered into force on 17 September 2014 and applies from 1 July 2016 except for certain articles, which are listed in its Article 52.[9] All organizations delivering public digital services in an EU member state must recognize electronic identification from all EU member states from September 29, 2018. It applied to all countries in the European Single Market.[10] [11]

On July 2024, the first eIDAS-Testbed was launched by the go.eIDAS-Association with a number of German tech firms and foundations to issue PID-Credentials to Architecture and Reference Framework (ARF)-compliant wallets.[12]

Vision

eIDAS is a result of the European Commission's focus on Europe's Digital Agenda. With the commission's oversight, eIDAS was implemented to spur digital growth within the EU.[13]

The intent of eIDAS is to drive innovation. By adhering to the guidelines set for technology under eIDAS, organisations are pushed towards using higher levels of information security and innovation. Additionally, eIDAS focuses on the following:[14] [15]

Member states are required to create a common framework that will recognize eIDs from other member states and ensure its authenticity and security. That makes it easy for users to conduct business across borders.

eIDAS provides a clear and accessible list of trusted services that may be used within the centralised signing framework. That allows security stakeholders the ability to engage in dialogue about the best technologies and tools for securing digital signatures.

Regulated aspects in electronic transactions

The Regulation provides the regulatory environment for the following important aspects related to electronic transactions:

a European-wide framework (European Digital Identity Wallet, EDIW)[16] for digital authentication of citizens, with legal validity. Nine principles of European digital identity have been defined:[17] user choice, privacy, Interoperability and security, trust, convenience, user consent and control proportionality, counterpart knowledge and global scalability.

Evolution and legal implications

The eIDAS Regulation evolved from Directive 1999/93/EC, which set a goal that EU member states were expected to achieve in regards to electronic signing. Smaller European countries were among the first to start adopting digital signatures and identification, for example the first Estonian digital signature was given in 2002 and the first Latvian digital signature was given in 2006. Their experience has been used to develop a now EU-wide regulation, that became binding as law throughout the EU since the first of July, 2016.[19] Directive 1999/93/EC made EU member states responsible for creating laws that would allow them to meet the goal of creating an electronic signing system within the EU. The directive also allowed each member state to interpret the law and impose restrictions, thus preventing real interoperability, and leading toward a fragmented scenario.[20] In contrast with the 1999 directive, eIDAS ensures mutual recognition of the eID for authentication among member states,[21] thus achieving the goal of the Digital Single Market.

eIDAS provides a tiered approach of legal value. It requires that no electronic signature can be denied legal effect or admissibility in court solely for not being an advanced or qualified electronic signature.[22] Qualified electronic signatures must be given the same legal effect as handwritten signatures.[23]

For electronic seals (legal entities' version of signatures), probative value is explicitly addressed, as seals should enjoy the presumption of integrity and the correctness of the origin of the attached data.[24]

In June 2021, the Commission proposed an amendment and published a recommendation.[25] [26] [27]

Man-in-the-middle attacks and mass surveillance

In 2023, a change was proposed to eIDAS that would allow any EU government to surveil all internet communication, even when encrypted.[5] [3] The proposal worked via the same mechanism as a 2019 attempt at mass surveillance in Kazakhstan.

The proposal would force browser vendors to place a backdoor in web browsers to let them perform a man-in-the-middle attack, deceiving users into thinking that they were communicating with a server they requested, when, in fact, they would be communicating directly with a government server. The government server could then read and change their messages before passing the possibly modified message on to the intended recipient.[28]

If passed, EU governments would in principle be able to intercept any information transmitted in encrypted form by those browsers, reading any sensitive or encrypted contents without the user's knowledge, and changing information at will.[29] [30] This was considered particularly concerning in countries with weaker rule of law, where state and state-connected actors would be able to use the law to spy on their own citizens for political repression and personal gain. There was additional concern that this allow private actors with state connections to gain access to and misuse the power of mass surveillance for their own purposes.[4] [6]

While the main language of that text remains in the final draft, provisions have been made in the text that enable browser vendors to continue to implement security provisions that in practice would make this type of interception difficult to perform without being discovered.[31] Specifically, the final draft text states that:

By way of derogation to paragraph 1 and only in case of substantiated concerns related to breaches of security or loss of integrity of an identified certificate or set of certificates, web-browsers may take precautionary measures in relation to that certificate or set of certificates.

which has been interpreted as allowing browser vendors to continue to use mechanisms such as certificate transparency to maintain browser security.

Identity number

Database information has to be linked to some kind of identity number. To certify that a person has the right to access some personal information involves several steps.

eIDAS has as minimum identity concept, the name and birth date. But in order to access more sensitive information, some kind of certification is needed that identity numbers issued by two countries refer to the same person.[32]

Vulnerabilities

On October, 2019, two security flaws in eIDAS-Node (a sample implementation of the eID eIDAS Profile provided by the European Commission[33]) were discovered by security researchers; both vulnerabilities were patched for version 2.3.1 of eIDAS-Node.[34]

European Self-Sovereign Identity Framework

The European Union started creating an eIDAS compatible European Self-Sovereign Identity Framework (ESSIF), but in many countries, users need to be Google or Apple customers to use eIDAS services.

EUTL

The European Union Trusted Lists (EUTL) is a public list of over 200 active and legacy Trust Service Providers (TSPs) that are specifically accredited to deliver the highest levels of compliance with the EU eIDAS electronic signature regulation.[35]

See also

External links

Notes and References

  1. Web site: Turner. Dawn. Understanding eIDAS. Cryptomathic. 12 April 2016.
  2. Web site: Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. EUR-Lex. The European Parliament and the Council of the European Union. 18 March 2016.
  3. https://blog.mozilla.org/netpolicy/files/2023/11/eIDAS-Industry-Letter.pdf
  4. https://last-chance-for-eidas.org/
  5. https://nce.mpi-sp.org/index.php/s/cG88cptFdaDNyRr
  6. https://www.internetsociety.org/resources/doc/2023/qualified-web-authentication-certificates-qwacs-in-eidas/
  7. Web site: van Zijp. Jacques. Is the EU ready for eIDAS?. Secure Identity Alliance. 18 March 2016. https://web.archive.org/web/20161122071258/https://www.secureidentityalliance.org/index.php/blog/item/20-eidas-eu-identity-assurance/20-eidas-eu-identity-assurance. 22 November 2016. dead.
  8. Web site: Turner. Dawn M.. eIDAS from Directive to Regulation - Legal Aspects. Cryptomathic. 18 March 2016.
  9. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=LEGISSUM:l24118 eIDAS in force, applies and exceptions on Europa.eu
  10. https://connectis.com/en/eidas/#eidas Info on eIDAS
  11. https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=uriserv:OJ.L_.2014.257.01.0073.01.ENG Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014
  12. Web site: eIDAS-Testbed successfully launched . 2024-06-19 . www.eid.as . en-GB.
  13. Web site: A Digital Agenda For Europe. EUR-Lex. The European Commission. 18 March 2016.
  14. Web site: Bender. Jens. eIDAS Regulation: EID - Opportunities and Risks. Bunde.de. Fraunhofer-Gesellschaft. 18 March 2016.
  15. Web site: J.A.. Ashiq. The eIDAS Agenda: Innovation, Interoperability and Transparency. Cryptomathic. 18 March 2016.
  16. Web site: 2022-06-13 . European Digital Identity Wallet Shaping Europe’s digital future . 2024-01-27 . digital-strategy.ec.europa.eu . en.
  17. Web site: Towards principles and guidance for eID interoperability on online platforms. live. https://web.archive.org/web/20190624050742/https://ec.europa.eu/futurium/sites/futurium/files/presentation_0.pdf. 24 June 2019. 29 August 2021. Europa.eu. European Commission.
  18. Web site: Turner. Dawn M.. The Difference Between an Electronic Signature and a Digital Signature. Cryptomathic. 21 April 2016.
  19. Web site: Regulations, Directives and other acts. Europa.eu. The European Union. 18 March 2016. https://web.archive.org/web/20131212034345/http://europa.eu/eu-law/decision-making/legal-acts/index_en.htm. 12 December 2013. dead.
  20. Web site: Understanding eIDAS – All you ever wanted to know about the new EU Electronic Signature Regulation . Legal Technology . 1 March 2016 . 17 January 2018 . https://web.archive.org/web/20180117234338/https://www.legaltechnology.com/latest-news/understanding-eidas-all-you-ever-wanted-to-know-about-the-new-eu-electronic-signature-directive/ . dead .
  21. Web site: A Big Step Toward the European Digital Single Market . Inside Magazine . 27 March 2019 . 27 March 2019 . https://web.archive.org/web/20190327134350/https://www2.deloitte.com/content/dam/Deloitte/lu/Documents/technology/lu-a-big-step-forward-the-european-digital-single-market.pdf . dead .
  22. Articles 25 (1) and definitions in article 3 (10) to 3 (12)
  23. Article 25 (2)
  24. Article 35 (2)
  25. Commission proposes a trusted and secure Digital Identity for all Europeans. 3 June 2021. . European Commission.
  26. https://eur-lex.europa.eu/procedure/EN/2021_136 Procedure 2021/0136/COD
  27. http://data.europa.eu/eli/reco/2021/946 Commission Recommendation (EU) 2021/946 of 3 June 2021 on a common Union Toolbox for a coordinated approach towards a European Digital Identity Framework
  28. https://www.eff.org/deeplinks/2021/12/eus-digital-identity-framework-endangers-browser-security
  29. https://www.eff.org/document/eidas-letter-2022
  30. https://mullvad.net/en/blog/2023/11/2/eu-digital-identity-framework-eidas-another-kind-of-chat-control/
  31. Web site: Hoepman . Jaap-Henk . 2023-11-20 . Some observations on the final text of the European Digital Identity framework (eIDAS). . 2023-11-25 . blog.xot.nl.
  32. https://www.elegnamnden.se/download/18.769a0b711614b669f29f2/1518186851374/Hur_skapar_du_en_koppling_mellan_utlandska_och_svenska_personidentiteter.pdf Hur skapar du en koppling mellan svenska och utländska eID:n?
  33. Web site: eIDAS-Node integration package . 2019-10-29 . . The eIDAS-Node software contains the necessary modules to help Member States to communicate with other eIDAS-compliant counterparts in a centralised or distributed fashion. . https://web.archive.org/web/20190610203557/https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eIDAS-Node+Integration+Package . 2019-06-10 . dmy-all .
  34. Web site: Major vulnerability patched in the EU's eIDAS authentication system . 2019-10-29 . Catalin . Cimpanu . 2019-10-29 . . Vulnerability would have allowed attackers to pose as any EU citizen or business. . https://web.archive.org/web/20191029114039/https://www.zdnet.com/article/major-vulnerability-patched-in-the-eus-eidas-authentication-system/ . 2019-10-29 . dmy-all .
  35. https://helpx.adobe.com/document-cloud/kb/european-union-trust-lists.html