eIDAS 2.0: update
The review of the regulation that will usher in the European digital identity wallet is moving quickly forward. Here’s what we know right now, and what still needs clarification.
The EU, along with the rest of the world, is facing a changing marketplace – more than that, the very fabric of our society and global economy is transforming. This has prompted the EU to revisit its objectives and its directives.
Back in 2014, which saw the promulgation of the European eIDAS (electronic IDentification, Authentication and trust Services) regulation, one of the EU’s key objectives was to give all citizens access to highly secure, digital trust services, and to grant them access to digital IDs allowing them to spend money throughout Europe.
This goal was achieved, albeit not on a consistent basis across the EU. Italy was on the “nice list”, with digital identities in widespread use amongst its population. As far as the rest of Europe goes, only 14 of the Member States submitted notice of a formal digital ID system to the Commission; currently, only 59% of European citizens hold a digital ID. Moreover, there is little interoperability and alignment (whether from a security or a user experience standpoint) amongst the digital IDs used by various Member States. Likewise divergent is the method of accreditation and service delivery amongst Qualified Service Providers, which includes qualified e-signature providers.
Accordingly, in June of 2021, the Commission launched a review of the eIDAS regulation. The most anticipated and talked-about feature is the new European Digital Identity Wallet. Major steps have been taken following that June 2021 announcement. In early February of 2022, the European Parliament held a public hearing on the topic. On 22 February, the Union opened a call for proposals on the implementation of a European Digital Identity Framework. Now in October of 2022, the fourth review of the amendments to the new.
eIDAS revision: why now?
Viewed on a large scale, the goal of the eIDAS review is much broader. In addition to unifying the panoply of digital IDs in terms of implementation, user experience, and security, the new eIDAS regulation also intends to restore ownership of personal data to the citizenry. This accords with the GDPR, but runs counter to the trend of data being managed by Big Tech. The new regulation likewise aims to ensure equal opportunity access to trust services within the EU. Italy is the leading European country in terms of availability of Qualified Trust Service Providers – in other countries, the number is quite low.
In a nutshell, the ultimate goal of the eIDAS revision is to increase interoperability and integration amongst trust services within the EU, taking a further step towards unifying the countries, and laying a foundation for the European Digital Market.
Other new elements
As we have noted, in order to reach this objective, the eIDAS revision encompasses not only a series of efforts in the arena of digital identity, but also adds some trust services to the set subject to governance under the former version (electronic signatures, e-seals, timestamps, website authentication certificates):
- electronic archiving, which was already contemplated in Italy under CAD, but can now expand across Europe, opening new markets for some countries;
- managing signature-capture devices and HSMs, which will become a stand-alone trust service;
- the option to register and store data onto an electronic ledger (blockchain), something that appeared in the first version;
- certificate “verifiers”, e-signatures, seals, and certifications will become bona fide qualified services;
- the issuance of electronic attributes and certifications (which may be “spent” using one’s digital wallet).
Additionally, the new regulation will oblige all European countries to share data from their national databases to obtain salient data on the citizenry, something lacking or at best unreliable in Italy today.
The “elephant in the room”: the role of SPID in the Digital Wallet
The thorniest problem at the eIDAS revision roundtables is, however, the issue of security (Levels of Assurance, or LOAs) on the digital IDs currently in use in European countries (which would include SPID and CIE), in terms of those allowing citizens to access the European digital wallet. As it turns out, SPID can be used at all three of the contemplated security levels (Low, Substantial, and High), although most of the SPID accounts currently in use in Italy are limited to Level 2 (Substantial). Some European countries, other than Italy, restrict digital-wallet access to those digital IDs offering a high security level, available with CIE. Furthermore, a recent decree has ushered in changes to the CIE user experience, making it much more akin to that of SPID. Essentially, the worry is that with the eIDAS revision, the vast majority of SPID accounts currently in use in Italy will not be acceptable for purposes of accessing a digital wallet, a move that could curtail SPID usage in the future, undoing a portion of the investments made (including by private citizens) over the past few years.
In a recent article for Agenda Digitale [Digital Diary], Matteo Panfilo, Chief Solutions Officer at Intesa, is confident that an Italian model for digital identities will at last be established, and that Italy’s expertise in this arena will finally be brought to bear.
“The legislative process will draw to a close in 2023 and may have a significant impact on our country, for better or for worse. With as much as has been built up in the past few years, the hope is that we can continue to be a stand-out amongst European countries”.
The EUDI wallet, regardless, is poised to become a major innovation in the field of digital identification, not only for the many settings and circumstances in which it can be used, but also because citizen privacy is paramount with this technology. These wallets allow users to share only the data strictly needed to access a particular service. This will be a new paradigm in privacy management, one that far outpaces current privacy protections, and which represents a major step towards Self Sovereign Identity.
An absolutely topical issue, especially in light of the experience of SPID in Italy, and one that is tied to the economic sustainability of the model. Moreover, we will be able to intuit how the Legislator envisions each “player” in the system to be compensated/remunerated (Wallet providers, PIDs, QTSPs, Attribute Authorities and Relying parties) and the attendant accounting/contracting rules, especially in light of current privacy regulations, and to ensure the requisite confidentiality for information exchanged between parties along the line.
Stated simply, this is a seismic shift in how digital IDs are handled. For service providers in the private sector, the time to make investments and launch strategies to embrace this new tool is now.