Electronic Identification, Authentication, and Trust Services (eIDAS) is a regulation established by the 27 countries of the European Union (EU), making it more convenient and safer to conduct business electronically. It regulates digital certificates, electronic signatures, and electronic seals, and it controls the services that establish trust between two entities engaging in an electronic transaction in the EU.
The eIDAS 2.0 regulation is designed to make it easier to authenticate websites, get documents signed, and perform a vast array of online transactions. For instance, you can purchase a vehicle, apply for a car loan, obtain insurance, register the vehicle, and add it to your insurance policy without ever having to sign a piece of paper.
But eIDAS has also raised concerns. Many stakeholders feel it may unnecessarily expose citizens and businesses to risk because of its centralized nature. Others feel eIDAS oversteps by dictating which types of digital certificates browsers must trust, and some think eIDAS makes it easier for EU member states to spy on their citizens.
While eIDAS 1.0 helped make digital spaces safer, it didn’t provide comprehensive protection. For example, each member state could choose how to implement eIDAS, resulting in inconsistent policies from one country to another. Additionally, its trust services only included electronic signatures, seals, and timestamps. The regulation didn’t protect users from fake sites looking to steal identities.
eIDAS 2.0 seeks to remedy these issues by introducing the European Union Digital Identity (EUDI) Wallet, which is expected to make digital transactions more consistent across individuals and organizations.
Users can store identification information in the EUDI Wallet, such as name, birth date, signature, place of residence, and phone number. Then, when applying for a loan and the lender asks for ID information, for example, they can send the data straight from their wallets. No need to sign documents, fax them, or use third-party e-signature software.
Also, by introducing new mechanisms and trust services, eIDAS 2.0 covers a wider range of digital transactions. One notable feature is the Qualified Website Authentication Certificate (QWAC), the equivalent of the TLS server certificates (commonly called SSL certificates) used today to validate website authenticity. Version 2.0 also includes electronic archiving and electronic ledgers, as well as management systems for remote electronic signatures.
The main objectives of eIDAS 2.0 include:
There are three primary categories of entities in the eIDAS ecosystem:
After co-legislators reached an agreement on its contents on June 29, 2023, eIDAS came into full force in September 2023.
EU businesses and citizens stand to experience more convenient, faster, and potentially more secure electronic transactions under eIDAS 2.0.
For citizens, transactions are much quicker. For instance, when buying a home, they may not have to provide copies of their passports or have them certified by a justice of the peace or another certifying entity. They simply present their EUDI Wallets with their digital ID information and choose the data they want to share. Similarly, businesses can enjoy faster, smoother, more secure transactions: they have instant access to a variety of identification information to verify that customers are who they say they are.
Online transactions are also more secure and convenient for both businesses and customers, even for major purchases. Customers can share their identification, payment, and shipping information straight from their wallets, enabling smoother revenue streams for businesses that sell online.
Cross-border transactions benefit as well. Historically, countries had their own data protection laws, which hindered transactions requiring data sharing. eIDAS 2.0 operates in alignment with GDPR principles, which apply to all 27 countries.
A qualified trust service provider (QTSP) is a natural or legal person who provides one or more qualified trust services. There are hundreds of QTSPs, many of which are country-specific. Verifying the reliability and cybersecurity posture of each QTSP can be challenging. This issue, along with other provisions of eIDAS 2.0, has sparked some controversies:
All this adds up to the potential for overregulation. In the future, governments could even choose to certify QTSPs based on questionable criteria, such as the number of employees or the country a provider operates from.
eIDAS 2.0 is still in its early phases. The EUDI Wallet began pilot testing in April 2023, focusing on several use cases, including:
As officials, businesses, and citizens learn from these tests, the future of eIDAS will become clearer. It’s poised to improve the fluidity and security of digital transactions and eliminate time-consuming, paper-based ID verification systems across the board.
At the same time, some stakeholders believe eIDAS 2.0 may threaten the security of website authentication systems and user data. It could also pave the way for government spying and overregulation.
Sectigo offers eIDAS-compliant digital certificates that allow both individuals and businesses to secure documents and use digital signatures more effectively. To know more, connect with Sectigo today.
*** This is a Security Bloggers Network syndicated blog from Sectigo authored by Tim Callan. Read the original post at: https://www.sectigo.com/resource-library/eidas-2-0-the-concerns-surrounding-this-new-standard