
eIDAS 2: Everything you need to know
The European Union (EU) is a complex regulatory environment. Now, with the second iteration of the electronic IDentification, Authentication, and Trust Services (eIDAS) regulation, EU businesses must navigate changes to one of its most sweeping pieces of legislation.
In this guide, we’ll break down eIDAS 2 and everything you need to comply with the latest requirements.
Understanding electronic identification
Electronic identification (eID) is a digital method of proving a person's identity. It allows individuals to access online services, conduct electronic transactions, and interact with government platforms securely. An eID system ensures that the individual using the services is who they claim to be, mitigating the risk of identity theft and fraud.
As a form of digital identity verification, eIDs rely heavily on various authenticators. In short, authentication is the process of ensuring a user or device’s claimed identity is valid.
Typically, digital identity verification uses a combination of up to three authentication factors:
- Knowledge-based authentication: The user provides something only they would know, such as a password or code.
- Possession-based authentication: The user provides something only they would have, such as an electronic document, passport, or smart card.
- Biometric authentication: The user’s physical characteristics are verified using fingerprinting or facial recognition.
Once verified, the individual is granted access to the desired online services and their digital identity can be used for subsequent verifications.
This is notably more efficient than traditional, paper-based processes. Instead of performing manual or in-person checks, organizations can streamline the workflow and eliminate human error. Not only does this create a more convenient user experience, but it also supports risk management and data protection at scale.
Electronic identification use cases
Countless industries are leveraging digital identification to rapidly and seamlessly authenticate customers, citizens, and employees.
- Online banking: eID systems empower financial institutions to ensure only authorized individuals can access accounts, thus protecting against potential fraud.
- Public sector: Digital identity services allow citizens to access essential government services online, such as filing taxes, applying for social benefits, and accessing personal records. This eliminates the need for physical visits to government offices, reducing administrative burdens and improving overall service delivery.
- Professional services: Lawyers, accountants, and other professionals can use eID to verify client identities remotely, ensuring compliance with legal and regulatory requirements. This secure verification process streamlines client onboarding, document signing, and the provision of sensitive services, enhancing trust in professional relationships.
- Online retail: By verifying the identity of customers during digital transactions, eID ensures that purchases are authorized. It also simplifies checkout processes, allowing customers to complete transactions quickly and securely without repeatedly entering personal information. This improved user experience can lead to higher customer satisfaction and loyalty.
What is eIDAS?
eIDAS stands for electronic IDentification, Authentication, and Trust Services. As a comprehensive EU regulation, it unifies all European eID and trust services under a common legal framework.
Before eIDAS, there wasn’t a consistent approach to verifying electronic identities. Each EU Member State had its own legal requirements and trust service infrastructure, but they didn’t work in other jurisdictions. This fragmented landscape made it difficult to secure transactions across borders, hindering the effectiveness of online services and e-commerce platforms.
The European Commission passed the eIDAS Regulation in 2014, establishing three unifying principles:
- Mutual recognition: Under eIDAS, all EU countries are legally required to recognize one another’s eID systems. That means a national eID or trust service issued in one EU Member State must be accepted in all others.
- Interoperability: eIDAS also ensures compatibility between different electronic identification solutions. Individuals and organizations can use the same digital identity across various platforms and services without friction.
- Security: The regulation also ensures that digital identities and electronic transactions are safeguarded against fraud and cyber threats, providing a secure and trustworthy environment across the EU.
This EU regulation applies to all 27 Member States. Compliance is also mandatory for EU organizations with digital offerings requiring secure identification, such as banking or e-commerce. Likewise, it applies to any trust service provider (TSP) operating in the European Union, which must obtain certification from a designated supervisory body, confirming the organization's services meet the eIDAS standards.
What is a trust service provider?
A trust service provider is a legal entity or person that creates, verifies, and preserves electronic signatures, seals, and certificates. TSPs also ensure the confidentiality and non-repudiation of information and authenticate websites or signatories.
Their services provide the necessary mechanisms for verifying the authenticity and integrity of an electronic document, identity, or communication. They’re a crucial component of the eIDAS Regulation, ensuring that online interactions are as secure and trustworthy as their paper-based counterparts.
Accordingly, eIDAS trust services can include:
- Electronic signatures
An electronic signature functions the same way as a handwritten signature. It’s used to sign documents digitally, providing a secure and verifiable way to ensure the signer is who they claim to be and that the document hasn’t been altered since the signature was applied. eIDAS classifies these signatures into three levels:
  - Simple electronic signature: Offers basic security suitable for low-risk applications.
  - Advanced electronic signature: Provides a higher level of security by linking the signature uniquely to the signer and allowing for the detection of any changes made to the signed data.
  - Qualified electronic signature: Offers the highest level of security and is legally equivalent to a handwritten signature. It must be created using a qualified signature creation device (QSCD) and based on a qualified digital certificate.
A QSCD is a type of cryptographic hardware, such as a hardware security module (HSM), that has undergone an eIDAS certification process.
- Electronic seals
An electronic seal is similar to an electronic signature but is used by legal entities (e.g. companies) rather than individuals. It ensures a document’s origin and integrity, verifying it was issued by a specific entity and hasn’t been altered.
- Timestamps
A timestamp proves that a specific electronic document or piece of data existed at a certain point in time. It’s a secure way to establish when a document was created, submitted, or received, adding another layer of integrity and trust.
- Digital certificates
In short, a digital certificate is a file that proves the authenticity of a device, server, user, or entity using public key cryptography. It contains a copy of the certificate holder’s public key, which is paired with a private key held only by that holder, so a signature that verifies under the certificate proves its provenance.
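As an added example (not code from the page or from Entrust), the following Go program shows the two properties the trust services above rely on: a signature uniquely linked to a signer’s key that fails on any change to the signed data, and a timestamp token that binds a document digest to a time attested by a time-stamping authority (TSA). It uses Ed25519 from the standard library and a constructed token layout; real eIDAS timestamps follow RFC 3161 and qualified signatures involve certificates and a QSCD, which are not modelled here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SignDocument signs the SHA-256 digest of doc; the signature is bound to the
// signer's key (unique link) and to the exact bytes (change detection).
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	h := sha256.Sum256(doc)
	return ed25519.Sign(priv, h[:])
}
// VerifyDocument fails for a modified document or for a different signer.
func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	h := sha256.Sum256(doc)
	return ed25519.Verify(pub, h[:], sig)
}
// TimestampToken is a simplified, constructed stand-in for a timestamp: the
// TSA signs the document digest together with the time it received it.
type TimestampToken struct {
	Digest [32]byte
	Unix   int64 // seconds since the Unix epoch, as attested by the TSA
	Sig    []byte
}
// tbs returns the to-be-signed bytes: digest followed by the big-endian time.
func (t TimestampToken) tbs() []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, uint64(t.Unix))
	return append(t.Digest[:], buf...)
}
// IssueTimestamp is the TSA side: it receives only the digest, never the document.
func IssueTimestamp(tsaPriv ed25519.PrivateKey, digest [32]byte, atUnix int64) TimestampToken {
	t := TimestampToken{Digest: digest, Unix: atUnix}
	t.Sig = ed25519.Sign(tsaPriv, t.tbs())
	return t
}
// VerifyTimestamp checks the token covers doc and that digest and time are intact.
func VerifyTimestamp(tsaPub ed25519.PublicKey, doc []byte, t TimestampToken) bool {
	return sha256.Sum256(doc) == t.Digest && ed25519.Verify(tsaPub, t.tbs(), t.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	doc := []byte("constructed sample contract text") // constructed input
	sig := SignDocument(priv, doc)
	fmt.Println("original:", VerifyDocument(pub, doc, sig), "altered:", VerifyDocument(pub, append(doc, '.'), sig))
}
```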
What is eIDAS 2?
The European Digital Identity Regulation, also known as eIDAS 2, is an updated version of the original eIDAS legislation. It was published in the Official Journal of the European Union in April 2024 and came into force one month later.
Although the first iteration was successful in many ways, there was still much progress to be made. Notably, the original digital identity framework had varying levels of adoption in each EU Member State, leading to inconsistencies and difficulties in using eIDs and trust services. As of 2021, only 59% of EU residents could use a trusted eID across borders.
eIDAS 2 addresses these shortcomings by introducing a series of significant changes.
The European Digital Identity Wallet (EUDI Wallet)
Previously, EU countries could voluntarily notify national eID schemes, which other nations were obligated to recognize. However, it didn’t force any country to create an electronic identification system if it didn't already have one – hence the varying adoption rates.
Now, all Member States must offer a secure digital wallet to businesses and citizens, which can link their national eIDs with proof of other personal data, such as driver’s licenses, diplomas, and bank accounts. This enables the creation of a universal EU Digital Identity Wallet, which allows individuals to store, manage, and selectively share personal data, credentials, and attributes.
The goal is to give Europeans full control over their data when using online services, reducing unnecessary data sharing. Service providers that verify customer identities must accept these wallets for authentication.
Critically, the EU Digital Identity Wallet has three key features:
- Security: The update aligns with existing cybersecurity laws, such as the General Data Protection Regulation (GDPR), requiring compliance with these standards. It also allows public bodies to issue electronic certifications, helping organizations recognize credentials across Europe while prioritizing data privacy.
- Convenience: The EUDI Wallet makes it easier for citizens to access public services, apply for jobs, or travel across Europe. They can use this tool to share identity details with organizations for authentication purposes, streamlining access to essential cross-border activities.
- Interoperability: The regulation also promotes a unified approach, making it easier for digital identities to be widely accepted across the EU. It provides a common technical structure and standards for citizens and online service providers. This harmonization ensures digital identity solutions are recognized and trusted throughout the EU.
Member States must make a national digital identity wallet available to citizens by 2026.
An expanded scope
The European Digital Identity Regulation significantly enhances the framework for qualified trust service providers (QTSPs) – entities certified to offer secure and reliable trust services. QTSPs must adhere to strict regulatory standards, which include mandates to implement security protocols, undergo regular audits, and obtain certification from a designated supervisory body.
Additionally, eIDAS 2 expanded the rule's scope to include three new qualified trust services:
- Electronic archiving services: Archiving provides secure storage of electronic documents and data. These services ensure that archived data remains authentic and unaltered over time. Qualified electronic archiving services, introduced by eIDAS 2, must adhere to strict standards to preserve the integrity and legal value of electronic documents throughout their retention period.
- Electronic ledgers: This service leverages blockchain technology to provide a secure and immutable record of transactions and data. This ensures electronic data can be reliably tracked and verified, supporting various applications and use cases such as financial transactions, supply chain management, and more.
- Management of remote electronic signature and seal creation devices: This trust service lets e-signature vendors operate signing and sealing on the signatory’s behalf remotely and securely, while ensuring the signatory retains sole control of the signing process even though they do not physically hold the signing device.
How to achieve eIDAS 2 compliance
eIDAS compliance will work differently depending on whether you’re an EU organization or a trust service provider. Here are essential tools either party can use to simplify regulatory requirements:
EU businesses
Organizations with services requiring identity verification must implement a robust authentication scheme. For European businesses in particular, whether they pursue a local, regional, or global strategy, the EU regulatory landscape is changing rapidly, with harmonization as the ultimate goal. Compliance involves using eIDAS certificates and qualified electronic signatures, which are attestations that confirm identity and verify authenticity. Digital verification processes should be integrated into the business’s operations to streamline onboarding and transaction authentication, ensuring that only authorized individuals can access sensitive services and data.
Trust service providers
TSPs must use QSCDs to create qualified electronic signatures. These devices ensure the signature creation data (such as private keys) is generated, managed, and stored in a secure environment, preventing unauthorized access.
Service providers should also implement a robust public key infrastructure (PKI) to manage digital certificates and cryptographic keys. PKI enables the secure issuance, distribution, and verification of digital certificates, ensuring electronic signatures and other services can be trusted. TSPs must ensure that their PKI operations comply with eIDAS requirements, including maintaining secure key management practices.
Identity and access management (IAM) systems are also crucial for TSPs to manage user identities and control access to their services. These systems should incorporate strong authentication methods, such as multi-factor authentication (MFA), to verify users' identities. IAM solutions can also ensure that only authorized individuals can perform sensitive operations, such as issuing certificates or creating electronic signatures.
Simplify compliance with Entrust
As a founding member of the Cloud Signature Consortium, and a provider of infrastructure solutions for the deployment of trust services, Entrust is here to help you achieve eIDAS compliance. Our solutions empower you to generate qualified signatures and build compliant trust services with a strong, secure foundation.
eIDAS Solutions
QSCD for Remote Signing
Get an eIDAS-compliant Qualified Signature Creation Device with an nShield HSM and the Entrust Signature Activation Module (SAM).
Digital Signing Engines
Digital signature solutions for governments and trust service providers.
QWAC eIDAS Certificates
Entrust's eIDAS-compliant Qualified Website Authentication Certificates (QWACs) help enable your compliance with eIDAS guidelines.
Onfido Compliance Suite
Meet complex local regulatory needs and remotely onboard customers with a simple, seamless, and eIDAS-compliant onboarding solution.