
What is the eIDAS Regulation?
The Electronic Identification, Authentication, and Trust Services (eIDAS) Regulation is one of the most impactful and comprehensive laws in the European Union (EU). Under eIDAS, any EU citizen can use their country’s national electronic identification scheme and generate electronic signatures in any EU country without complication.
But what exactly is eIDAS? How does it work? And, most importantly, what can your organization do to manage it?
Read on to learn the basics of eIDAS, what it entails, and how you can future-proof compliance with certified and secure solutions.
What is eIDAS?
eIDAS is an EU regulation that established a legal framework for ensuring electronic transactions are safer, faster, and more efficient, no matter the EU country they occur in. The goal of the eIDAS Regulation is to encourage the creation of a single European market for secure e-commerce.
For context, eIDAS is not the first EU regulation on electronic transactions. The 1999 Electronic Signatures Directive had a much different purpose, which was to formally declare an electronic signature the legal equivalent of a handwritten signature in all member states.
However, the directive also gave every EU country the freedom to decide its own rules regarding electronic transaction security. Each had its own legal requirements, data handling policies, and trust service infrastructure, but most didn’t work across borders.
For instance, an electronic document signed in one country may not have had the same legal effect in another. Problems like these created a disjointed landscape across the region and confusion about the legality and validity of electronic identification. Even worse, it made cross-border commerce extremely difficult.
The EU decided to fix this issue in 2014 when it enacted eIDAS. The legislation took full legal effect in 2016, at which point every EU member state was subject to consistent standards for electronic identities, authentication, and signatures.
Ultimately, the eIDAS framework:
- Ensures people and businesses can use their own national electronic identity scheme to access public services online.
- Creates a single European market for trust services by ensuring all identity schemes work across borders, carrying the same legal status as a traditional handwritten signature.
Who and what are affected by the eIDAS Regulation?
Broadly speaking, eIDAS impacts:
- Citizens of EU countries.
- Organizations headquartered in the EU, or dealing with other EU organizations and/or citizens.
- EU trust service providers (TSPs), which protect EU transactions over a public network, particularly those concerning commercial or legal matters where digital identity authentication is important. A TSP is any entity involved in the creation, validation, or preservation of electronic identities, e-signatures, electronic seals, or digital certificates.
Here’s a non-exhaustive list of digital transactions that are covered by eIDAS:
- Travel-related transactions.
- Business-to-business electronic invoicing.
- Government services, such as voting ballots or tax filing.
- Banking agreements, investments, and loans.
- Website authentication.
- Third-party payment services.
The eIDAS regulation also requires that government, commercial, and public services recognize standard signature formats and cross-European identities. In other words, a citizen’s electronic ID must be recognized equally well in any EU member state. Notably, the burden of compliance falls squarely on TSPs — not the consumers themselves.
What are the benefits of eIDAS?
Introducing electronic identification and trust services can have many advantages. According to the European Commission, these benefits include:
- Better user experience: The types of authentication services enabled by eIDAS ensure smooth product delivery for consumers. More importantly, they increase trust and satisfaction by providing customers with a higher level of assurance during the transaction process.
- Increased security: eIDAS allows individuals to conveniently access a wide range of online services without compromising their information. Businesses are subject to more stringent data protection requirements, ensuring they handle consumers’ personal data with utmost care and in compliance with their legal obligations.
- Streamlined cross-border efficiency: With eIDAS, organizations no longer need to navigate complex and varied schemes that differ by location, which used to be a common pain point for international e-commerce. Now, businesses can conduct transactions regardless of which EU member state they happen to be in.
Of course, eIDAS has also generated a positive socioeconomic impact. The regulation promotes digital economic growth by removing e-commerce barriers that otherwise complicate online services.
In April 2024, the European Commission updated the eIDAS Regulation. This update, commonly referred to as eIDAS 2 or eIDAS 2.0, introduces some new trust services and provides a strong framework for the deployment of EU Digital Identity Wallets. Learn more about eIDAS 2 here.
Want to learn more about eIDAS compliance? Download our ebook today.
What is electronic identity?
An electronic identification, or “eID,” is an electronic means of verifying someone’s digital identity. According to the European Commission, a secure electronic ID is essential to daily life in the digital world.
It can be used to check email, shop online, unlock devices, and many other regular activities. Electronic identification can also guarantee the unambiguous identification of a person, ensuring the right service is delivered to the person who is actually entitled to it. In turn, eIDs are a vital aspect of online banking and other sensitive digital transactions.
eIDAS assurance levels
The term “assurance level” refers to how certain a service provider can be that a person’s claimed identity is accurate. In other words, it’s the degree of confidence you have that someone is who they say they are when using an eID to access an online service.
Under eIDAS, an eID scheme must be classified according to three assurance levels:
- Low: This level of identification gives only a small amount of confidence that a person is who they say they are. It does, however, require some rules and controls to help reduce the risk of someone misusing or changing the identity information.
- Substantial: This level gives a good amount of confidence that a person is who they say they are. This level also requires specific technical rules and controls that greatly reduce the risk of someone misusing or changing the identity information.
- High: This level gives a very high level of confidence that a person is who they say they are. It uses strict technical rules and controls to prevent anyone from misusing or changing the identity information.
All three levels rely heavily on authentication, which is essentially the process of verifying an electronic identification. This involves the collection of relevant identity data, which is information about an individual or entity that only the real person could share. Generally, authentication methods use three identity proofing factors:
- Knowledge-based authentication: The signer provides something only they would know, such as a password or code.
- Possession-based authentication: The signer provides something only they would have, such as an identity document or smart card.
- Biometric-based authentication: The signer is verified by their physical characteristics, such as through fingerprinting or facial recognition.
Notably, the eIDAS regulation doesn’t specify which technologies or authentication methods are required to meet each assurance level. This is why EU countries develop their own eID systems. Although they’re based on eIDAS principles, each state is free to design its system in a way that reflects its unique technological landscape.
A 2022 study sheds light on how EU member states create their schemes. According to the results:
- 25 countries' eID schemes support high assurance.
- 20 support substantial assurance.
- 12 support low assurance.
As you can see, the EU skews toward greater assurance, underscoring the importance of secure electronic identification.
What are eIDAS trust services?
Trust services refer to a broad range of authentication and signature activities for protecting electronic transactions. Some of the most common trust services include:
- Certificates: One method to ensure someone’s identity is for a third-party authority to issue them a digital certificate. In short, a certificate is a file that proves the authenticity of a device, server, user, or entity through public key cryptography. It binds the certificate holder’s public key to their identity; only the holder of the corresponding private key can produce signatures that verify against that public key, which is how the holder proves the certificate is genuinely theirs.
- Electronic timestamp: Timestamping is a process whereby a date and time are electronically and cryptographically bound to a document, its signature, and other information, thereby certifying its existence at a given time. The accuracy of the date and time is guaranteed by the trust service provider and cannot be compromised by third parties. This can be legally important for many reasons, but it is especially helpful when contractual agreements are in dispute.
- Electronic signature and seal: An electronic signature, like its handwritten counterpart, is a way to certify the authenticity of a legal document and establish intent to be bound by the terms therein. An electronic seal, by contrast, represents an entire organization rather than one person.
- Digital signature: A digital signature is a type of e-signature that’s created using a digital certificate and private signing key. Because any change to the signed data invalidates the signature, digital signatures are tamper-evident: they ensure that a document hasn’t been altered after it’s been signed.
- Registered e-delivery: This trust service provides the digital equivalent of sending a registered letter with tracking and acknowledgement of receipt.
- Electronic archiving: This trust service provides a digital archiving vault to keep records in a way that won’t damage them over time and that will retain their legal value.
- Electronic ledgers: This trust service provides an official (legally recognized) and secure way to record information (typically digital transactions and agreements), just like a notary would.
- Management of remote electronic signature- and seal-creation devices: This may be the least obvious trust service, because it’s designed for TSPs and not for citizens and businesses. This trust service enables e-signature vendors to manage digital signing and sealing processes remotely, in a way that is secure and that ensures the signatories retain full control of the signing process even if they aren’t physically performing the signature.
- Issuance of electronic attestation of attributes (EAAs): This trust service enables the issuance of EAAs, which are then stored in a digital identity wallet. An EAA is like a digital stamp of approval that confirms that a piece of information is true.
Any organization that facilitates any of the above is considered a trust service provider, and is therefore subject to eIDAS compliance.
Types of electronic signatures under eIDAS
eIDAS defines three types of electronic signatures that a service provider can offer:
1. Simple electronic signature
The European Commission considers a simple electronic signature as the most basic of the three. It’s defined as “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.” In essence, something as easy as scribbling your name on an electronic document might constitute a simple electronic signature.
2. Advanced electronic signature
An advanced electronic signature has more precise requirements. For example, it must be:
- Uniquely linked to and capable of identifying the signer
- Created in a way that allows the signer to remain in control
- Linked to the document so that any subsequent change is detected
Normally, an advanced electronic signature is created using digital certificates and cryptographic keys, meaning it may also be considered a digital signature. However, it may also rely on biometrics, access codes, and other electronic means.
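As an added illustration (not code from this page or from Entrust) of the three advanced-signature requirements above and of the electronic timestamp trust service described earlier, the following constructed Python model uses a deliberately tiny textbook-RSA key to show a signature verifying on the original document, failing once the document is altered, failing under another party’s key, and a timestamp token binding the document hash to a time. The key sizes, parties, contract text and timestamp value are constructed assumptions; a real advanced or qualified signature uses a certificate-backed key of proper size and a standard signature format.

```python
import hashlib
import json

def toy_key(p, q, e=65537):
    """Textbook RSA key from two fixed primes (constructed toy; far too small for
    real use). 'd' is the private exponent and never leaves its owner, which is
    what keeps the signature under the signer's sole control."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

SIGNER_KEY = toy_key(1000000007, 998244353)   # the signatory (constructed)
TSA_KEY = toy_key(1000000009, 1000000021)     # the timestamp authority (constructed)

def digest(data: bytes, n: int) -> int:
    # SHA-256 of the document, reduced modulo the toy modulus so it fits under n.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key: dict, data: bytes) -> int:
    # Private operation: only the holder of d can produce this value.
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(key: dict, data: bytes, sig: int) -> bool:
    # Public operation: recompute the digest and compare it with sig^e mod n.
    return pow(sig, key["e"], key["n"]) == digest(data, key["n"])

def timestamp(tsa_key: dict, data: bytes, when: str) -> dict:
    # The TSA signs (document hash, time); it never needs the document itself.
    token = {"hash": hashlib.sha256(data).hexdigest(), "time": when}
    to_be_signed = json.dumps(token, sort_keys=True).encode()
    return {"token": token, "tsa_sig": sign(tsa_key, to_be_signed)}

def verify_timestamp(tsa_key: dict, data: bytes, ts: dict) -> bool:
    # Valid only if the token still matches the document and the TSA's signature holds.
    to_be_signed = json.dumps(ts["token"], sort_keys=True).encode()
    return (ts["token"]["hash"] == hashlib.sha256(data).hexdigest()
            and verify(tsa_key, to_be_signed, ts["tsa_sig"]))

def demo() -> dict:
    contract = b"Seller delivers 100 units at EUR 12.50 each."  # constructed document
    sig = sign(SIGNER_KEY, contract)
    ts = timestamp(TSA_KEY, contract, "2024-05-20T09:15:00Z")  # constructed time
    tampered = contract.replace(b"12.50", b"2.50")             # a later alteration
    return {
        "signature_valid": verify(SIGNER_KEY, contract, sig),          # linked to the document
        "tamper_detected": not verify(SIGNER_KEY, tampered, sig),      # change is detected
        "other_key_rejected": not verify(TSA_KEY, contract, sig),      # uniquely linked to signer
        "timestamp_valid": verify_timestamp(TSA_KEY, contract, ts),
        "timestamp_tamper_detected": not verify_timestamp(TSA_KEY, tampered, ts),
    }
```

Every entry of `demo()` is True; a qualified signature adds, on top of these properties, a qualified certificate and a certified signature creation device, which this toy does not model.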
3. Qualified electronic signature
As the most sophisticated of the three, a qualified electronic signature offers the highest level of assurance. However, there are two additional requirements to consider:
- A qualified electronic signature can only be created using a qualified signature creation device (QSCD). A QSCD is a type of cryptographic hardware, such as a hardware security module (HSM), that has undergone an eIDAS certification process.
- A qualified signature must also be based on a qualified certificate. Under eIDAS, a qualified certificate follows stricter requirements than a typical digital certificate. Moreover, it can only be issued by a qualified trust service provider (QTSP), such as Entrust. QTSPs are organizations that have been audited and granted qualified status by a national competent authority, as reflected in the EU’s Trusted List.
Strengthen your eIDAS alignment with Entrust solutions
At Entrust, we know navigating compliance isn’t easy, and the eIDAS regulation is no different. Whether you are an EU organization or a trust service provider, you want to provide consumers with a safe and seamless transaction experience regardless of when or where it occurs.
QSCD for Remote Signing
Get an eIDAS-compliant Qualified Signature Creation Device with an nShield HSM and the Entrust Signature Activation Module (SAM).
Digital Signing Engines
Digital signature solutions for governments and trust service providers.
QWAC eIDAS Certificates
Entrust's eIDAS-compliant Qualified Website Authentication Certificates (QWACs) help enable your compliance with eIDAS guidelines.
Onfido Compliance Suite
Meet complex local regulatory needs and remotely onboard customers with a simple, seamless, and eIDAS-compliant onboarding solution.
EU organizations: Generate advanced and qualified signatures and seals with Entrust
Entrust offers an e-signature service, available via a web portal or a REST API. We can help you to create eIDAS advanced or qualified signatures and seals.
Check out our signing portal, and try it for free at signhost.com.
Trust service providers: Build an eIDAS trust service
Running your trust services will require a strong root of trust. Entrust can help you to deploy an eIDAS-certified qualified signature creation device with nShield HSMs combined with the Entrust Signature Activation Module.
Our HSMs allow TSPs to maximize trust and enable legally binding transactions across borders — all while hardening security. Service providers can leverage nShield HSMs to issue digital certificates, time stamps, or digital signatures as part of their eIDAS compliant solutions.
Entrust can also provide digital signing engines for the generation of eIDAS-aligned digital signatures. Combined with Entrust PKI solutions and Entrust Identity and Access Management solutions, you will have everything needed to set up your own signing service.
This content does not constitute legal advice. Although the definitions provided are based on those in the Official Journal of the European Union, the requirements for electronic and digital signatures are typically more elaborate than described in this content, and there may be variations to take into consideration. The suitability, enforceability, or admissibility of electronic documents will likely depend on many factors, such as the country or state where you operate, the country or state where the electronic document will be distributed, and the type of electronic document involved. Appropriate legal counsel should be consulted to analyze any potential legal implications and questions related to the use of electronic documents and the use of suitable and/or required solutions to generate and/or authenticate an electronic signature for each use case.