24 Sep 2020 Eurosmart answers public consultation on eIDAS
The eIDAS Regulation establishes a framework for the cross-border use of notified digital identities (eIDs). It ensures that EU citizens can access online public services with their national eID when they are in other EU countries. The legislation also creates a European internal market for electronic trust services – namely electronic signatures, electronic seals, time stamp, electronic delivery service and website authentication. eIDAS h as been instrumental in promoting online trust.
The European Commission is in the process of reviewing the eIDAS Regulation. It launched a public consultation to gather stakeholders’ views on the strengths and weaknesses of eIDAS.
Eurosmart provided an answer to this consultation to highlight the need for technical optimisations of the Regulation, rather than a complete revision. Furthermore, Eurosmart strongly believes that eIDAS should be complemented by a new regulation for the private sector.
Main points of Eurosmart’s answer
Digital identity:
- The European Commission should strongly encourage Member States to notify at least one eID scheme of level “Substantial” or “High”.
- Mutual recognition should be effective.
- There is a need for harmonisation as Member States prescribe diverging rules, in particular on the Levels of Assurance (LoA). A legally binding document on LoA is needed to bring convergence.
- A link with the Cybersecurity Act must be established for the certification of eID means. Cybersecurity certification schemes developed pursuant to the Cybersecurity Act should be used for certification of eID means, hence bringing harmonisation.
- There is a market need for private actors to use privately issued eIDs. A dedicated regulation should regulate 1) private eIDs and attribute providers, and 2) private services accepting them (called relying parties).
- Private solutions should build on notified eIDs at level “Substantial” or “High”, in particular on national identity cards.
- An adequate liability framework should be created for the private sector. Accepting entities should not be held liable in case of fraud and subsequent damage. It should be established that eID providers are those liable in case of fraud.
Trust services
- The current scope for trust services in eIDAS is sufficient, there is no need for additional trust services.
- The European Commission should make mandatory the use of EU standards to demonstrate conformity with the provisions of eIDAS.
- The European Commission should harmonise the security assessment of server-based Qualified Signature Creation Ddevices by (1) relying on Common Criteria methodology, and (2) referencing mandatory protection profiles covering all the needed components for server signing.
Please find below the full answer to this consultation on eIDAS.
You can also consult here Eurosmart’s position on the revision of eIDAS.
Eurosmart_answer_consultation_eIDAS