
eIDAS 2.0: Advancing digital identity and trust services in the EU

In “eIDAS,” a well-known acronym for the legal framework within the EU, “ID” stands for identification. Identification is the basis for all other trust services: in order to trust, it is crucial to determine beyond doubt who the parties involved in the process really are.

Key principles and components of the original eIDAS regulation

The original eIDAS regulation, adopted in 2014 and effective since 2016, aimed to ensure that electronic transactions could be carried out securely and seamlessly across EU member states.

This framework was based on several fundamental principles and components:

1. Electronic identification (eID):
➡️ eIDAS provides a legal framework for the mutual recognition of national eID schemes across EU member states.
➡️ Member states must notify the European Commission of their eID schemes, which are then published on a list of trusted eID schemes.
➡️ eIDs must meet specific assurance levels (low, substantial, or high) to be recognized cross-border for accessing online services.

2. Interoperability framework:
➡️ Technical specifications and standards were established to ensure that eID schemes and trust services work seamlessly across member states.
➡️ The framework relies on using standards developed by European and international standards organizations.

3. Legal certainty:
➡️ Provides a clear and consistent legal framework for electronic identification and trust services, ensuring they are recognized and trusted across the EU.

4. Mutual recognition:
➡️ Requires member states to mutually recognize and accept notified eID schemes from other member states for accessing public sector services.
➡️ Facilitates cross-border access to online services, promoting a single digital market within the EU.

The terms “(electronic identification) scheme notification” and “notified (electronic identification) scheme” denote special types of identification processes.

EU member states define these processes according to legal and technical standards defined by eIDAS. Once defined, the eID scheme is “pre-notified” by member states to the European Commission.

After extensive evaluation, based among other things on peer reviews conducted by other member states, the eID scheme earns “notified” status and is published in the EC list of notified eID schemes.

Pre-notified and notified eID schemes under eIDAS


Challenges and limitations of eIDAS

One may wonder why, unlike “Google login,” “Microsoft login,” or “Facebook login,” we very rarely see an “EU login” in use.

Well, it’s not a secret that eIDAS identification, while looking like a good idea on paper, didn’t translate so ideally to real life.

Here are some of the major challenges and limitations.

  1. Interoperability and cross-border recognition: While eIDAS established a framework for cross-border recognition of electronic identification, actual interoperability has been limited. Member states have been slow to adopt and notify their national eID schemes, and integration among the various national systems has been challenging.
  2. Adoption rates: The adoption of eIDAS-compliant electronic identification systems has been uneven across the EU. Some member states have advanced eID solutions widely used by their populations, while others have yet to catch up, leading to an inconsistent user experience. For example, the first eID schemes were notified in 2017 (Germany), quite a few of them in 2023 (Poland, Slovenia, Bulgaria, Cyprus), while Romania still doesn’t have a notified national eID scheme.
  3. User experience and accessibility: The complexity and diversity of eID systems across member states have resulted in a fragmented user experience. Citizens and businesses often have difficulty accessing and using eID services from other member states.


Let’s illustrate this with the Croatian notified eID scheme “Personal Identity Card (eOI).” Like many other eID schemes, it is based on identification certificates stored on the chip of the Croatian national identity card. This imposes the limitation that the eID can only be used on desktop computers; in addition, a smart card reader must be installed and configured, together with auxiliary software (so-called middleware).

Interestingly enough, in the meantime, Croatia has started issuing online (remote, cloud) identification certificates bound to electronic identity cards. It has also set up the government-backed identity provider service called “Certilia,” which is based on remote identification certificates and fully enabled for mobile use cases. Unfortunately, this eID scheme hasn’t been notified yet.

  4. Limited use cases: The use cases for eID under the original eIDAS framework have been limited primarily to government services. The adoption of private sector applications has been slow due to the lack of a comprehensive approach that includes both the public and private sectors.

However, it is interesting to note that even though most eID schemes are defined and backed by their respective governments, there are examples of eID schemes backed by private businesses. One such example is the Swedish BankID scheme, which is backed by a consortium of Swedish banks. Another interesting example is the Italian scheme SPID (Sistema Pubblico di Identità Digitale). While the SPID system is government-backed, the actual issuance of digital identities is managed by accredited private Identity Providers (IdPs). These providers are authorized by the government to verify the identity of applicants and issue SPID credentials. Thus, the system operates as a collaboration between the public sector (providing the regulatory framework and oversight) and the private sector (providing the actual identity verification services). Needless to say, business-backed eID schemes have much higher market penetration and a much more streamlined user experience.

  5. Security and privacy concerns: Despite its robust security framework, eIDAS has faced scrutiny over data protection and privacy issues. Ensuring that personal data is protected while being used across borders remains a significant challenge.

Introducing eIDAS 2.0

With all this in mind, it was obvious that something had to be improved. Building on the foundation of the original eIDAS regulation, the EU has moved towards eIDAS 2.0, seeking to address its shortcomings and move the EU towards a more secure, user-centric, and inclusive digital identity landscape. eIDAS 2.0 went through different phases of development from 2021 to 2024. On April 30, 2024, Regulation (EU) 2024/1183 (the official name for eIDAS 2.0) was published in the Official Journal of the European Union. It entered into force on May 20, 2024. Let’s see what’s new.

EUDIW: European digital identity wallet

The EUDIW will be a secure and user-friendly tool for citizens and businesses alike, enabling them to access a wide range of public and private services, both online and offline. The information contained in the EUDIW will be sufficient to prove the holder’s identity. However, the EUDIW will also be able to contain much broader sets of information, so-called attributes, such as driving licences, professional qualifications, health data, financial data and other verifiable credentials.

Electronic attestation of attributes (EAA)

In addition to standard identification procedures (online or offline, for public or private services), another really exciting feature of EUDI Wallets is the so-called electronic attestation of attributes (EAA).

Let’s illustrate this with an example in which an employer requests an attestation of an employee’s health status as an ongoing health-compliance requirement.

➡️ Using the EUDI Wallet, the employee authorizes the medical institution to issue the attestation.

➡️ The medical institution prepares the attributes that need to be attested, based on the employee’s current medical records.

➡️ The medical institution enters the health data into a digital attestation format and signs the data using its qualified electronic signature.

➡️ The attestation is delivered to and stored in the employee’s EUDI Wallet.

➡️ Using the EUDI Wallet, the employee shares the attestation with the employer.

➡️ The employer can verify the validity of the attestation by checking the validity of its digital signature.

In the process described above, the user of the EUDI Wallet (the employee) has full control over the data that is shared with the third party (the employer). The attestation and all related data are encrypted to protect against unauthorized access and ensure data privacy.
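To make the issue / store / share / verify steps above concrete, here is an added example (not code from the article, the ARF, or the EU reference wallet) of the core mechanism that lets a holder share only some attributes while the verifier still checks the issuer’s signature: the issuer signs salted hashes of the attributes rather than the attributes themselves, so the holder can reveal any subset and the verifier can match each revealed attribute against the signed digests. The issuer name “Clinic”, the subject “Employee-42” and the attribute names are constructed placeholders; Ed25519 stands in for the issuer’s qualified electronic signature, and the transport encryption the article mentions is out of scope here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Disclosure is one attested attribute held in the wallet. The random salt keeps
// the digest of a low-entropy value such as "yes"/"no" from being guessable.
type Disclosure struct {
	Salt  string `json:"salt"`
	Name  string `json:"name"`
	Value string `json:"value"`
}

// Attestation is the payload the issuer signs: it carries only the digests of
// the disclosures, never the attribute values themselves.
type Attestation struct {
	Issuer  string   `json:"issuer"`
	Subject string   `json:"subject"`
	Digests []string `json:"digests"`
}

// SignedAttestation is what the issuer delivers to the holder's wallet.
type SignedAttestation struct {
	Payload   []byte
	Signature []byte
}

// digest commits to one disclosure (salt, name and value together).
func digest(d Disclosure) string {
	b, _ := json.Marshal(d) // marshalling this plain struct cannot fail
	h := sha256.Sum256(b)
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// Issue is the issuer's step (the medical institution): salt every attribute,
// sign the sorted digests, and hand the holder the signed payload plus the
// disclosures. Sorting removes any positional hint about withheld attributes.
func Issue(priv ed25519.PrivateKey, issuer, subject string, attrs map[string]string) (SignedAttestation, []Disclosure, error) {
	var discs []Disclosure
	var digests []string
	for name, value := range attrs {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return SignedAttestation{}, nil, err
		}
		d := Disclosure{Salt: base64.RawURLEncoding.EncodeToString(salt), Name: name, Value: value}
		discs = append(discs, d)
		digests = append(digests, digest(d))
	}
	sort.Strings(digests)
	payload, err := json.Marshal(Attestation{Issuer: issuer, Subject: subject, Digests: digests})
	if err != nil {
		return SignedAttestation{}, nil, err
	}
	return SignedAttestation{Payload: payload, Signature: ed25519.Sign(priv, payload)}, discs, nil
}

// Present is the holder's step: pick which disclosures the verifier receives.
func Present(all []Disclosure, names ...string) []Disclosure {
	want := make(map[string]bool, len(names))
	for _, n := range names {
		want[n] = true
	}
	var out []Disclosure
	for _, d := range all {
		if want[d.Name] {
			out = append(out, d)
		}
	}
	return out
}

// Verify is the relying party's step (the employer): check the issuer's signature
// over the payload, then check that each disclosed attribute is committed to by a
// digest inside that signed payload. Any altered value fails the digest match.
func Verify(pub ed25519.PublicKey, sa SignedAttestation, disclosed []Disclosure) (map[string]string, error) {
	if !ed25519.Verify(pub, sa.Payload, sa.Signature) {
		return nil, errors.New("issuer signature does not verify")
	}
	var att Attestation
	if err := json.Unmarshal(sa.Payload, &att); err != nil {
		return nil, err
	}
	signed := make(map[string]bool, len(att.Digests))
	for _, dg := range att.Digests {
		signed[dg] = true
	}
	out := make(map[string]string, len(disclosed))
	for _, d := range disclosed {
		if !signed[digest(d)] {
			return nil, fmt.Errorf("attribute %q is not covered by the signed attestation", d.Name)
		}
		out[d.Name] = d.Value
	}
	return out, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	// Constructed sample record; the employer only needs fit_for_work.
	sa, discs, err := Issue(priv, "Clinic", "Employee-42",
		map[string]string{"fit_for_work": "yes", "blood_type": "A+", "diagnosis": "withheld"})
	if err != nil {
		panic(err)
	}
	got, err := Verify(pub, sa, Present(discs, "fit_for_work"))
	fmt.Println(got, err)
}
```

The verifier never sees the salts or values of the two attributes the holder withheld, and cannot brute-force them from the digests because of the per-attribute salt; yet a tampered value, a disclosure from a different attestation, or a signature from a different issuer key all fail verification.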

Ensuring successful implementation of eIDAS 2.0

Is there any guarantee that eIDAS 2.0 will not repeat the shortcomings of the original eIDAS in the form of fragmentation, lack of interoperability, etc.? In an attempt to ensure that the regulation is successfully adopted in real life, several activities are taking place in parallel.

  1. Legislative process: Although the regulation itself has already come into force, there is still a lot of work to be done in drafting and adopting the implementing acts. This is primarily the responsibility of the European Commission, in consultation with the relevant stakeholders, including industry experts, member states and the general public. The deadline for the implementing acts is November 2024, while member states should update their implementing acts by May 2025.
  2. Architectural Reference Framework (ARF): This structured guideline outlines the technical and organizational architecture necessary to implement and comply with the eIDAS 2.0 regulation. The ARF provides a blueprint for national governments, service providers, and other stakeholders to develop and integrate eID and trust services in compliance with eIDAS 2.0. By following the ARF, member states can ensure that their systems are interoperable, secure, and legally valid across the EU. The current version of the ARF is 1.4, and it is still considered a work in progress. It is expected to be modified based on feedback from legal experts and the large-scale pilot projects.
  3. Reference Wallet implementation: This is a set of code libraries and a reference implementation of the EUDI Wallet, based on the functional requirements defined by the ARF. The implementation is provided by the European Commission. It is fully open source, published as a set of repositories on GitHub. The idea is for member states and other stakeholders to use it as a ready basis for building their own wallets.
  4. Large Scale Pilots: These projects are a truly huge undertaking, with over 360 participating private companies and public authorities across 26 member states. The effort is divided into 4 pilot projects with the aim of testing the ARF and the reference implementation in different real-life scenarios before rolling them out to member states.
    Large Scale Pilot projects are:

🔹EWS – joint effort to successfully leverage the benefits of the proposed EU digital identity in the form of Digital Travel Credentials across the member states.

🔹Potential – aims to test the following EUDI Wallet use-cases: governmental services, banking, telecommunications, mobile driving licenses, electronic signatures and health.

🔹DC4EU – provides tangible support to the public and private sectors in the educational and social security sectors.

🔹NOBID – set of Nordic and Baltic countries with the addition of Italy and Germany who are piloting the use of EUDI Wallet for the authorization of payments for products and services.

Large Scale Pilots will continue through 2024 and 2025, possibly even beyond.

  5. Member State Wallets: Member states should use the experience and outputs of all the previously listed activities to implement their own national wallets and offer them to EU citizens by November 2026. EUDI Wallet issuance and usage will be voluntary and free for citizens.

Conclusion

eIDAS 2.0 represents a significant evolution from the original framework, addressing many of the previous challenges through more advanced and inclusive solutions like the European Digital Identity Wallet.

By focusing on interoperability, user experience and broadening the scope of use cases, eIDAS 2.0 aims to create a more unified and secure digital identity ecosystem across the EU. The successful implementation of this regulation, supported by ongoing legislative processes, architectural guidelines, and large-scale pilot projects, will be crucial in ensuring its acceptance and effectiveness.

With these efforts, the EU is moving towards a future where digital identity is more accessible, secure, and widely accepted, benefiting both citizens and businesses alike.
