04 Jun 2021 European Digital Identity: Eurosmart welcomes the European Commission’s proposal
Building on eIDAS and making it available to all EU citizens
Eurosmart welcomes the European Commission’s proposal establishing a framework for a European Digital Identity – based on the solid principles established by the eIDAS Regulation. The European Commission takes stock of the situation at a time of concerns about the privacy and security aspects of digital identities. Keeping control of data and identities is crucial for Europe’s digital sovereignty.
The pandemic has made it clear to us that the time of member-states approaches is finally over. Any fragmentation should be eliminated as quickly as possible through European harmonization, standardization and cooperation. The review now proposed offers the opportunity to firmly anchor trust services and digital identities in the European economic area.
Eurosmart particularly appreciates the focus on data protection, whereby users will control which data they want to share with whom. The physical, legal and structural separation imposed on the actors providing digital identification services should remain a guiding principle in implementing the European Digital Identity framework. This separation will ensure fair competition among EU actors and avoid systemic risks.
Thanks to the first version of eIDAS, Members States with the Commission’s support have already built solid bases for allowing interoperability of notified digital identities, while ensuring a high level of security. The lessons learned from eIDAS, and the technical know-how of the Member States shall be used for the enhancement of this framework.
It is of the utmost importance that Member States oversee and keep control over notified solutions. In this respect, certification, including certification of electronic identification schemes and certification of the wallets, is a step forward in terms of security and consistency. Eurosmart warmly welcomes this aspect and calls on mandatory certification mechanisms and the introduction of pen-testing for critical security levels. The digital security industry will pay particular attention to the definition of certification schemes for digital identity wallets and for electronic identification schemes. These schemes should be developed by ENISA with relevant groups of experts.
“This new regulation is built upon the outstanding foundations set by the eIDAS Regulation. The reference to cybersecurity certification for eID schemes and Wallets is a clear signal that cybersecurity certification is of strategic importance and at the top of the EU political agenda,” said Alban Feraud, President of Eurosmart
Eurosmart calls on the European Commission to publish a new standardisation request on digital identity to support this approach. Standards in digital identities[1] are critical and should be developed in a fully transparent manner. The European standardisation approach for digital identity must prevent some actors from diverting the primary objectives of keeping personal data under citizens’ control and watering down the “security-by-design” principle promoted by Commissioner Breton.
Eurosmart has already extensively worked on digital identity, always guided by the will to strengthen Europe’s sovereignty. Our association will gladly keep providing insights on this essential topic.
[1] Eurosmart notes the only existing mandate related to eIDAS was initially targeting signatures (M/460). This mandate is now expired, with no clear guidance to CEN/CENELEC ETSI.