Regulation (EU) No 910/2014, also known as “eIDAS”, entered into force on July 1, 2016, with the consequent repeal of the previous rule (Directive 1999/93/EC).
As a result, the European Union has become the first and only region in the world that offers a viable and common framework that allows the cross border use of trust and electronic identification services, which include electronic seals, timestamps, electronic signatures, email certificates and web authentication services.
To understand the main changes introduced by Regulation 910/2014 with respect to the previous rule as well as its benefits for both businesses and European citizens, we interviewed Andrea Servida, leader of the eIDAS Legislation Team and in charge of overseeing the deployment of the proposed regulation.
This interview is also available in Spanish.
Interview with Andrea Servida, Head of Unit "eGovernment and Trust" at DG CONNECT for the European Commission
1. What is the origin of Regulation 910/2014 (eIDAS) and why was it considered appropriate to replace Directive 1999/93?
Andrea Servida: When the work on the draft eIDAS Regulation started, the eSignature Directive (Directive 1999/93/EC) had already been in existence for over a decade. The Directive was a good first step towards facilitating the use of electronic signatures and contributing to their legal recognition in order to ensure the proper functioning of the internal market. However, with time, it revealed a number of shortcomings.
For example, being a Directive, it allowed for a different national interpretation and implementation by each EU Member State. This led to a situation where every Member State had its own rules and means for electronic signature creation and verification, electronic identification and levels of assurance, etc. These were not interoperable and mutually recognised across the EU. This created a fragmentation which went against the EU goals of creating a true Digital Single Market.
Furthermore, while the eSignature was important, it was no longer a sufficient tool in order to ensure the security and legal validity of electronic transactions in cross-border scenarios. Additional trust services had emerged meanwhile (such as eSeals, time stamps, eDelivery and website authentication) the legal validity of which had to be specified.
In order to overcome these weaknesses and to support the development of the Digital Single Market, on 23 July 2014 the co-legislators adopted the new eIDAS Regulation. By providing a predictable regulatory environment for the cross-border recognition of electronic identification (eID) and electronic trust services, it enables secure and seamless electronic interactions between businesses, citizens and public authorities.
2. What are the main changes introduced by the new regulation?
Andrea Servida: In the area of electronic identification, the previous lack of common legal basis had prevented Member States from recognising and accepting eIDs issued in other Member States. The insufficient cross-border interoperability of national eIDs prevented citizens and businesses from benefiting fully from the Digital Single Market. The eIDAS Regulation provides a solution to these issues by ensuring the cross-border mutual recognition of eID means and creates a framework to support their technical interoperability.
With respect to trust services, in addition to eSignatures, eIDAS regulates at EU level additional trust services which have emerged in a number of Member States since the eSignature Directive was adopted in 1999. These include:
- Electronic seals (eSeals): The electronic equivalent of a seal or stamp which is applied on a document to guarantee its origin and integrity;
- Verification and validation: This is an ancillary service to eSignatures and eSeals. It is the process of confirming the validity of a (qualified) eSignature or eSeal;
- Time stamping: The date and time on an electronic document which proves that the document existed at a point-in-time and that it has not changed since then;
- Electronic registered delivery (eDelivery): A service that, to a certain extent, is the equivalent in the digital world of registered mail in the physical world;
- Website authentication: Trusted information on a website (e.g. a certificate) which allows users to verify the authenticity of the website and its link to the entity/person which owns the website.
Since 1 July 2016, when the trust services provisions under the eIDAS Regulation entered into application, an eSignature can only be used by a natural person to "sign", i.e. to express consent on the data where the eSignature is put. This is a very significant change compared to the provisions of the eSignature Directive where the eSignature (which could also be used by legal persons) was defined as a means for authentication.
The eIDAS Regulation sets the principle of non-discrimination of the legal effects and admissibility of electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and electronic documents as evidence in legal proceedings.
Another important aspect of the Regulation is the establishment of a supervisory regime, as well as a liability regime, for all trust service providers. The aim is to ensure a level playing field for the security and accountability of their operations and services, thus contributing to the protection of users and to the functioning of the internal market.
3. The eIDAS regulation has updated and improved the existing legal framework for electronic signatures. What kinds of electronic signatures does it recognize and what is their specific legal status?
Andrea Servida: The Regulation introduces the notion of qualified trust services and qualified trust service provider to indicate the compliance with certain requirements and obligations which ensure a high level of security.
The general principle of non-discrimination applies to all trust services under the eIDAS Regulation, including eSignatures. Therefore, from a legal point of view, both qualified and non-qualified eSignatures benefit from a non-discrimination clause as evidence in Courts. This means that they cannot be discarded as evidence by the judge only on the ground that they are electronic. Courts have to assess these electronic tools in the same way they would do for their paper equivalent.
However, because of the more stringent requirements applicable to qualified trust service providers, qualified trust services provide a stronger specific legal effect than non-qualified ones as well as a higher technical security. This is why a qualified eSignature benefits from the same legal effect as a handwritten signature.
4. The eIDAS ensures full interoperability of trust and electronic identification services, such as the use of electronic signatures. In practice, how can companies benefit from the interoperability of electronic signatures?
Andrea Servida: It is worth clarifying that under eIDAS, certificates for eSignatures cannot be issued to legal persons anymore. The signatory can only be a natural person who creates an eSignature. Legal persons can use certificates for eSeals instead (whose aim is not to sign but to serve as a means to ensure the integrity and origin of data). Similarly to the paper world, an authorised representative of a company would sign a contract using his/her own eSignature. The contract could then be "stamped" with the company's eSeal.
By using eSignatures (and eSeals), which are interoperable and legally recognised across the EU, companies can operate online in a more convenient and secure manner, benefitting from less red tape and administrative costs, as well as higher productivity – whether it comes to conducting business transactions or dealing with various Member State administrations. For example, a company from Italy can sign contracts electronically with a counterpart based in Sweden; a company based in Germany could participate electronically in a public call for tenders launched by the Greek administration, etc.
5. And what are the advantages of this interoperability of eSignatures for European citizens?
Andrea Servida: As more and more EU citizens live in another Member State or travel frequently abroad for business and leisure, it is important that they have trusted and convenient tools to conduct electronic transactions across borders. By making use of interoperable eSignatures, as well as other trust services and eID, citizens can save money and time when completing administrative procedures (e.g. signing a tax declaration); expand their consumer choice and convenience by shopping online beyond their national markets; enrol at a university or sign a work contract in another country. The possibilities are countless.
6. Regarding cross-border recognition of electronic ID cards (eID), could you mention any concrete examples of how member states will facilitate online access to public services to both businesses and European citizens?
Andrea Servida: A fast, secure and convenient way for a citizen to establish their identity is increasingly important as more and more systems and services that we use in our daily life have moved online. An eID can guarantee the unambiguous identification of a person and make it possible to get the service delivered to the person who is really entitled to it.
The eIDAS Regulation ensures the cross-border mutual recognition of eID means. Since 29 September 2015, following the adoption of the necessary implementing acts on cooperation between Member States on eID, on interoperability framework, on assurance levels for eID means and on notification, EU Member States may notify and recognise, on a voluntary basis, national eID means. As of 29 September 2018 the recognition of notified eID will become mandatory.
In addition, in order to support operationally the cross-border use of eID, the European Commission and EU Member States are rolling out the eID technical interoperability infrastructure and components under the Connecting Europe Facility (CEF).
What does this mean in practice? For example, if Croatia notifies one or more eID schemes by September 2018, a Croatian citizen will be able to access online public administration services in all the other Member States and ask for official documentation with his/her own eID.
Furthermore, in order to reap the full benefits of interoperable eID means, Member States are invited to allow and encourage the private sector to integrate them in their business models and processes. This can create greater efficiency and cost savings, growth and innovation on the business side and a better experience or greater access to services for the customer.
7. The text of the new regulation gives the feeling that its legislative framework gives preference and encourages the use of qualified electronic signatures. In your opinion, what role does the regulation assign to advanced electronic signatures?
Andrea Servida: The Regulation does not give preference or prescribe the use of any type of eSignature over another. On the contrary, it grants the benefit of non-discrimination to all types – be it qualified or non-qualified – and lets the organisations choose the level of security which is optimal for them, provided that relevant sectorial legislations and requirements are respected. The same applies to all other trust services defined in the Regulation.
For example, an electronic document bearing an advanced eSignature cannot be rejected as such by Courts because it is in electronic form or for not being a qualified eSignature.
Nevertheless, a certain type of eSignature may be discarded if, for instance, there is a law which requires only a paper process or the use of a higher level of eSignatures for the given transaction.
8. In the private sector, what do you think are the use cases of advanced electronic signatures that can give higher added value to companies?
Andrea Servida: As already mentioned, the principle of autonomy of choice fully applies to all types of eSignatures, provided that no specific requirements are prescribed by EU or applicable national laws to the particular cross-border transaction. However, the level of the eSignature would certainly impact its probative value in case of a dispute.
When deciding on which type to implement, companies need to weigh the costs and benefits in the context of their particular processes and needs.
For many business and consumer processes a simple eSignature could be sufficient. For others, due to the high value or importance of the transaction – a qualified eSignature may be considered to ensure the highest probative value. At the same time, the possible high cost and administrative burden of implementing qualified eSignatures may outweigh the potential benefits, in which case a lower, but still relatively secure level of eSignatures, such as advanced, may be used.
This really is a business choice, based on economic and risk assessment.
9. The new eIDAS regulation is technologically neutral. What does this mean and what does technological neutrality imply for companies and certification bodies?
Andrea Servida: Recognising the fast pace of technological change, the Regulation has adopted an approach which is open to innovation. It does not discriminate between any specific technical solutions. It leaves the freedom to develop and adopt any technical means, as long as these meet the requirements of the Regulation and achieve the required legal effects.
10. Finally, once the Regulation has entered into force, what are the European Commission’s next objectives? How will you measure the success of this project?
Andrea Servida: With the adoption of the Regulation and the relevant implementing acts we have completed the legal aspects of the work. Now our focus is on the implementation and boosting the take-up of the eIDAS tools and services. Promoting the uptake by the private sector is particularly important in this regard.
We are already working closely with the banking/financial sector where eID and trust services may play a key role in meeting their regulatory obligations – under the Payment Services Directive 2 (PSD2) and the Anti-Money Laundering Directive 4 (AMLD4) – on security and identification related to know-your-customer (KYC) in digital on-boarding activities, as well as strong authentication of parties to electronic payment transactions. Ensuring regulatory alignment between eIDAS and relevant sector-specific legislations is key in this regard.
We will continue our work in this context as well as explore the best possible use of eID and trust services in other fields, for example in the context of the eGovernment Action Plan 2016-2020 which foresees further "[...] actions to accelerate cross-border and cross-sector use of eID (including mobile ID) in digitally enabled sectors (such as banking, finance, eCommerce and sharing economy) […]. The Commission will also explore the need to facilitate the usage of remote identification and secure authentication in the retail financial services".
Furthermore in the framework of the initiative on Online Platforms, the Commission will work with relevant stakeholders developing principles and guidance on eID interoperability, in order to encourage online platforms to recognise other eID means — in particular those notified under the eIDAS Regulation.
We would like to measure the success of eIDAS in terms of simplified access to public administrations and reduced administrative burden, emergence of secure and transparent services, improved user trust, convenience and online experience demonstrated by increased number of cross-border electronic transactions.
We will continue our engagement with all stakeholders, via the eIDAS Observatory or other channels, in order to jointly explore and exploit the full potential of what eIDAS has to offer.
Thank you very much Mr. Servida for this interview. We wish you all the best in your new role as head of DG Connect’s eGovernment and Trust initiative.
At Signaturit we firmly believe that both citizens and EU companies can greatly benefit from the new eIDAS Regulation. From our side, we will continue working to encourage the use of electronic signatures in the European Union, providing a quick, safe and transparent service.