
eIDAS 2.0: What it says, what’s new, and the roadmap

16 November 2022

The revision of the regulation is progressing quickly. Here is where it has come and the points still to be clarified.

The European Union, too, must come to terms with a constantly changing market and socio-economic fabric and review its objectives and directives in the light of these transformations.

Established in 2014, the eIDAS regulation aimed to provide all citizens with access to highly secure digital trust services and digital identities usable across Europe. While this objective has been achieved, the distribution of digital identity is uneven across EU member states. Despite Italy being among the virtuous countries with widespread digital identity adoption, only 14 member states have notified at least one digital identity system to the Commission. Currently, only 59% of European citizens possess a digital ID. Additionally, within the EU, there is limited interoperability and coherence in the accreditation of Qualified Trust Service Providers and the delivery of services.

eIDAS 2.0 Roadmap: Current Status

Due to these challenges, in June 2021, the Commission announced the revision of the eIDAS regulation. The anticipated changes include the implementation of the European Digital Identity Wallet (EUDI Wallet) and the inclusion of compliant archiving in qualified trust services. Since the announcement in June, the revision has made swift progress. In early February 2022, a public hearing on the topic took place at the European Parliament. On February 22 of the same year, the Union opened a call for proposals for the implementation of the European Digital Identity Framework.

As of early 2024, the revision has been approved by the “Trilogue” (composed of representatives from the European Parliament, the Council of the European Union, and the European Commission), and we are awaiting publication in the Official Journal. Subsequently, within 12/24 months, the so-called “Implementing Acts” will be published, and the new eIDAS regulation will officially come into force.

Most Anticipated Innovation: EUDI Wallet

The European Digital Identity Wallet, as mentioned, is the most anticipated and discussed innovation in this regulation, impacting not only industry operators but also citizens. It will be a full-fledged digital identity, similar to SPID (Italy’s digital identity system), but mandatory across the EU. It will function as a digital “wallet” where verifiable certifications and documents, known as “attributes” (such as passport details, birth certificates, driver’s licenses, and voter IDs), can be stored.

By adopting a model similar to Self-Sovereign Identity based on blockchain, the EUDI Wallet aims to enhance privacy and data protection, giving users control over their identity and shared information.

Upcoming “Qualified e-Archiving”

The second major development in eIDAS 2.0 involves digital service providers and Qualified Trust Service Providers. Digital archiving (or “compliant archiving”) is included among trusted services. This choice promotes interoperability between countries, surpassing national regulations and opening a new market in trust services.

Based on available information, there seems to be significant alignment between eIDAS 2.0 and the CAD regulation on digital archiving that qualified archivists must adhere to. This presents a substantial competitive advantage for Italian service providers holding this certification.

Other Innovations

To achieve the goal of community digitization, the eIDAS revision not only builds upon existing regulated services (electronic signatures, electronic seals, timestamps, website authentication certificates) but also adds new services and actors to the ecosystem, including:

  • Management of signature devices and Hardware Security Modules (HSM), becoming a standalone trusted service.
  • The possibility of registering and storing data on electronic ledgers (blockchain).
  • “Verifiers” of certificates, electronic signatures, seals, and attestations becoming qualified services.
  • Issuance of electronic attributes and attestations (spendable with the digital wallet).

Moreover, the new regulation will require all European countries to provide national databases from which meaningful information about citizens can be obtained, something currently lacking or unreliable in Italy.

The “Elephant in the Room”: The Role of SPID in the Digital Wallet

A significant point of discussion in the eIDAS revision relates to the security levels (Level of Assurance, LoA) of the digital identities currently used in European countries (including SPID and CIE) for citizens’ access to the European digital wallet. While SPID can be used with all three security levels (Low, Substantial, and High), most SPID instances in Italy currently adhere to Level 2 (Substantial). However, some European countries other than Italy require access to the wallet to be limited to digital identities with a High level, which CIE already achieves. A recent decree will also make UX changes to CIE, making it more similar to SPID. The concern is that with the eIDAS revision, a significant portion of SPID users in Italy may not be accepted to access the digital wallet, potentially limiting the future of SPID and dissipating investments, including private ones, made over the years.

In a recent article for Agenda Digitale, Matteo Panfilo, Chief Solutions Officer at Intesa, hopes for the definition of an Italian model for digital identities and the proper appreciation of the Italian experience.

“The legislative process will conclude in 2023, and – willingly or unwillingly – it could have significant impacts on our country, which, built over these years, we hope can continue to be a European reference point in the future.”

However, the EUDI Wallet already appears to be a significant innovation in digital identities, not only for its numerous applications and use cases but also for its strong focus on citizen privacy. The wallet allows users to share only the information necessary to access a service, presenting a new paradigm in privacy management that surpasses current use cases and approaches the Self-Sovereign Identity model.

Priority Theme: Economic Sustainability of the Model

A crucial aspect tied to the eIDAS revision, particularly considering the experience of SPID in Italy, is the economic sustainability of the model. It will be essential to understand the opportunities the legislature intends to provide for the remuneration/costs for various entities connected to the wallet (Wallet providers, PID, QTSP, Attribute Authorities, and Relying parties), along with accounting/convention rules, considering privacy constraints and the confidentiality of exchanged information.

In conclusion, a significant shift in the management of digital identities is imminent. Private service providers need to initiate investments and strategies for adopting this new tool.

Why the eIDAS Revision?

On a broader scale, the aim of the eIDAS revision is much more extensive. Besides unifying digital identity aspects in terms of distribution, user experience, and security, the new eIDAS regulation also aims to restore sovereignty over personal data to citizens, aligning with GDPR principles and contrasting with big tech’s data management. Additionally, it seeks to ensure equal conditions in the use of trust services within the EU. While Italy leads in the presence of Qualified Trust Service Providers, other countries have a limited number.

In essence, the ultimate goal of the eIDAS revision is to enhance interoperability and integrability of trust services within the EU, taking another step towards the unification of countries and laying the foundation for creating the European digital market.
