What is the eIDAS regulation?

Who and what are affected by eIDAS regulation?

Broadly speaking, eIDAS impacts:

• Citizens of EU countries.
• Organizations headquartered in the EU, or dealing with other EU organizations and/or citizens.
• EU trust service providers (TSPs) protect EU transactions over a public network, particularly those concerning commercial or legal matters where digital identity authentication is important. A TSP includes any entity involved in the creation, validation, and preservation of electronic identities, e-signatures, electronic seals, or digital certificates.

Here’s a non-exhaustive list of digital transactions that are covered by eIDAS:

• Travel-related transactions.
• Business-to-business electronic invoicing.
• Government services, such as voting ballots or tax filing.
• Banking agreements, investments, and loans.
• Website authentication.
• Third-party payment services.

The eIDAS regulation also requires that government, commercial, and public services recognize standard signature formats and cross-European identities. In other words, a citizen’s electronic ID must be recognized equally well in any EU member state. Notably, the burden of compliance falls squarely on TSPs — not the consumers themselves.

What are the benefits of eIDAS?

Introducing electronic identification and trust services can have many advantages. According to the European Commission, these benefits include:

1. Better user experience: The types of authentication services enabled by eIDAS ensure smooth product delivery for consumers. More importantly, they increase trust and satisfaction by providing customers with a higher level of assurance during the transaction process.
2. Increased security: eIDAS allows individuals to conveniently access a wide range of online services without compromising their information. Businesses are subject to more stringent data protection requirements, ensuring they handle consumers’ personal data with utmost care and in compliance with their legal obligations.
3. Streamline cross-border efficiency: With eIDAS, there’s no need for organizations to navigate complex and varied schemes that differ by location, which used to be a common pain point for international e-commerce. Now, businesses can conduct transactions regardless of which EU member state they happen to be in.

Of course, eIDAS has also generated a positive socioeconomic impact. The regulation promotes digital economic growth by removing e-commerce barriers that otherwise complicate online services.

An electronic identification, or “eID,” is an electronic means of verifying someone’s digital identity. According to the European Commission, a secure electronic ID is essential to daily life in the digital world.

It can be used to check email, shop online, unlock devices, and many other regular activities. Electronic identification can also guarantee the unambiguous identification of a person, ensuring the right service is delivered to the person who is actually entitled to it. In turn, eIDs are a vital aspect of online banking and other sensitive digital transactions.

eIDAS assurance levels

The term “assurance level” refers to how certain a service provider can be that a person’s claimed identity is accurate. In other words, it’s the degree of confidence you have that someone is who they say they are when using an eID to access an online service.

Under eIDAS, an eID scheme must be classified according to three assurance levels:

1. Low: The eID scheme uses simple authentication, like passwords, with few checks on identity during the registration process.
2. Substantial: The scheme uses two-factor authentication with extra checks during the registration process.
3. High: The highest level of assurance uses sophisticated, multi-factor authentication mechanisms with comprehensive identity checks.

All three levels rely heavily on authentication, which is essentially the process of verifying an electronic identification. This involves the collection of relevant identity data, which is information about an individual or entity that only the real person could share. Generally, authentication methods use three identity proofing factors:

1. Knowledge-based authentication: The signer provides something only they would know, such as a password or code.
2. Possession-based authentication: The signer provides something only they would have, such as an identity document or smart card.
3. Biometric-based authentication: The signer is verified by their physical characteristics, such as through fingerprinting or facial recognition.

Notably, the eIDAS regulation doesn’t specify which technologies or authentication methods are required to meet each assurance level. This is why EU countries develop their own eID systems. Although they’re based on eIDAS principles, each state is free to design its system in a way that reflects its unique technological landscape.

A 2022 study sheds light on how EU member states create their schemes. According to the results:

• 25 countries' eID schemes support high assurance.
• 20 support substantial assurance.
• 12 support low.

As you can see, the EU skews toward greater assurance, underscoring the importance of secure electronic identification.

Trust services refer to a broad range of authentication and signature activities for protecting electronic transactions. Some of the most common trust services include:

• Certificates: One method to ensure someone’s identity is for a third-party authority to issue them a digital certificate. In short, a certificate is a file that proves the authenticity of a device, server, user, or entity through public key cryptography. It works by containing a copy of a public key from the certificate holder, which must be matched to a corresponding private key to verify it’s real.
• Electronic time stamp: Time-stamping is a process whereby a date and time are electronically and cryptographically bound to a document, its signature, and other information, therefore certifying its existence at a given time. The date and time accuracy is guaranteed by the trust service provider, it cannot be compromised by third parties. This can be legally important for many reasons, but is especially helpful when contractual agreements are in dispute.
• Electronic signature and seal: An electronic signature, like its handwritten counterpart, is a way to certify the authenticity of a legal document and establish intent to be bound by the terms therein. An electronic seal, by contrast, represents an entire organization rather than one person.
• Digital signature: A digital signature is a type of e-signature that’s created using a digital certificate and private signing key. Because digital signatures are tamper-proof, they ensure that a document hasn’t been altered after it’s been signed.

Any organization that facilitates any of the above is considered a trust service provider, and is therefore subject to eIDAS compliance.

eIDAS defines three types of electronic signatures that a service provider can offer:

1. Simple electronic signature

The European Commission considers a simple electronic signature as the most basic of the three. It’s defined as “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.” In essence, something as easy as scribbling your name on an electronic document might constitute a simple electronic signature.

2. Advanced electronic signature

An advanced electronic signature has more precise requirements. For example, it must be:

• Uniquely linked to and capable of identifying the signer
• Created in a way that allows the signer to remain in control
• Liked to the document so that any subsequent change is detected

Normally, an advanced electronic signature is created using digital certificates and cryptographic keys, meaning it may also be considered a digital signature. However, they may also use biometrics, access codes, and other electronic means.

3. Qualified electronic signature

As the most sophisticated of the three, a qualified electronic signature offers the highest level of assurance. However, there are two additional requirements to consider:

1. A qualified electronic signature can only be created using a qualified signature creation device (QSCD). A QSCD is a type of cryptographic hardware, such as a hardware security module (HSM), that has undergone an eIDAS certification process.
2. A qualified signature must also be based on a qualified certificate. Under eIDAS, a qualified certificate follows stricter requirements than a typical digital certificate. Moreover, it can only be issued by a qualified trust service provider (QSTP), such as Entrust. QSTPs are organizations that have been audited and granted a qualified status by a national competent authority, as reflected in the EU’s Trusted List.

At Entrust, we know navigating compliance isn’t easy, and the eIDAS regulation is no different. Whether you are an EU organization or a trust service provider, you want to provide consumers with a safe and seamless transaction experience regardless of when or where it occurs.

EU organizations: Generate advanced and qualified signatures and seals with Entrust

Entrust is a founding member of the Cloud Signature Consortium, a globally trusted Certification Authority, a member of the Adobe Approved Trust List, and an EU eIDAS qualified Trust Service Provider. We can help you set up e-signatures services based on our eIDAS advanced and qualified signatures.

Check out our signing portal, and try it for free at signhost.com.

Trust service providers: Build an eIDAS trust service

Running your trust services will require a strong root of trust. Entrust can help you to deploy an eIDAS-certified qualified signature creation device with nShield HSMs combined with the Entrust Signature Activation Module.

Our HSMs allow TSPs to maximize trust and enable legally binding transactions across borders — all while hardening security. Service providers can leverage nShield HSMs to issue digital certificates, time stamps, or digital signatures as part of their eIDAS compliant solutions.

Entrust can also provide digital signing engines for the generation of eIDAS-aligned digital signatures. Combined with Entrust PKI solutions and Entrust Identity and Access Management solutions, you will have everything needed to set up your own signing service.