a. eIDAS Governance and Implementation
Building trust in the online environment is key for the development of the digital economy and society. This is the very purpose of the eIDAS Regulation – to provide Member States with a safe and secure environment for the use of digital identities, so that European citizens and companies are enabled to use their national eIDs when accessing public services or when doing business in another EU country.
Regulation (EU) N°910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) was adopted by the co-legislators on 23 July 2014. The rules on trust services entered into force on 1 July 2016 and the Regulation became fully applicable only on 29 September 2018, when the obligation on cross-border recognition of electronic identification means entered into force.
Cooperation Network, peer review and notifications
The main forum to ensure the necessary cooperation between Member States and to engage them in a formalised manner to cooperate vis-à-vis the practicalities of the maintenance of the interoperability framework is within the Cooperation Network. One of the most important dimensions of this cooperation is the peer-review process, preceding the formal notification of the eID schemes, which is a mechanism designed to ensure interoperability and security of notified electronic identification schemes. The peer-review process should result in building sufficient trust and provide reassurance to the Member States that the notified eID schemes can be used in full confidence at cross-border level.
Out of the 13 MS that, to date, have undertaken the notification process, 9 MS have completed it (DE, IT, HR, EE, ES, LUX, BE, PT and UK) while 4 MS (CZ, NL, LV and SK) are in different stages of the pre-notification and peer review.
IT and BE have launched their second notification process. In terms of coverage, more than 60% of EU citizens are already able today, or will soon be able, to use their eIDs to access online public services in other EU countries.
The roll-out of the eIDAS Regulation is based on a technical interoperability infrastructure for eID (under CEF) and, for trust services, is supported by the use of technical standards (by ETSI, CEN/CENELEC and ISO), often anchored in secondary legislation.
eIDAS Infringements, state of play
No case concerning the infringement of the eIDAS Regulation has been referred to the Court.
b. eIDAS Mainstreaming: an integrated approach with other key EU legislation
eID and financial sector
- eIDAS plays a role in the fight against money laundering. The revised Anti-Money Laundering Directive that was published on 19/06/2018 incorporates the eIDAS Regulation, recognising eIDAS notified eIDs as a possible tool for providing a legal proof of identity of the eID holder/customer, equivalent to in-person verification. This means that eIDAS eIDs could be used as a possible way to fulfil "Know-Your-Customer" and other customer due diligence requirements for non-face-to-face interactions.
- On 13 March 2018, the Delegated Regulation on Regulatory Technical Standards (RTS) on strong customer authentication and common and secure communication under Payment Services Directive II (PSD2) was published on the basis of the draft submitted by the European Banking Authority (EBA).
- Thanks to close cooperation with DG FISMA, eIDAS is now referenced in the RTS both in relation to notified eID means as a possible solution for strong customer authentication as well as for the use of qualified electronic seals or qualified website authentication certificates which are mandatory for the communication between payment providers.
- On 14 December 2017 the Commission adopted the Decision C(2017) 8405 final setting up the Commission joint expert group on electronic identification and remote Know-Your-Customer processes. The expert group is co-chaired by DG CONNECT, FISMA and JUST and composed of up to 36 members comprising regulators, supervisors, identity experts, financial institutions as understood for compliance with the Anti-Money Laundering Directive, as well as consumer organisations. The purpose of the expert group is to further explore by the end of 2019 how to facilitate the use of eID across borders and "Know-Your-Customer" portability, on the basis of the identification and authentication tools under eIDAS to enable financial institutions to identify customers digitally for onboarding purposes. The reuse of KYC data held by financial institutions cross-border through eIDs under eIDAS is an example of the possibilities to apply the OOP in the private sector.
eID and on-line platforms
- The Commission drafted the "Principles and Guidance on ID interoperability for Online Platforms" in order to allow and facilitate users of online platforms, if they so wish, to rely on their own government-issued/recognised eID means whenever access to online platforms may require electronic identification or authentication steps.
- The once-only principle (OOP) entails that citizens and businesses should not have to supply the same information more than once, greatly reducing the administrative burden and increasing efficiency in the delivery of public services in the EU. Most Member States have adopted legislation calling for the application of the OOP in the delivery of public services at the national level.
- To support the implementation of the once only principle for the cross-border sharing of data, the TOOP project (Horizon 2020) was launched in 2017 as an initiative of about 51 organisations from 21 EU Member States and Associated Countries. TOOP implements multiple sustainable pilots for the exchange of business related data connecting registries and e-Government architectures in 21 countries across Europe. The associated SCOOP4C project (Horizon 2020) supports the implementation of the once only principle through the guided exchange and generation of good practices in a stakeholder community.
- At the EU policy level, the once-only principle was for the first time introduced as a guiding principle for the cross-border delivery of public services with the adoption of the Single Digital Gateway Regulation on 2 October 2018. Article 14 of this Regulation entails that Member States, by December 2023, will have to apply the once only principle and make evidence in electronic format required for the fulfilment of certain online procedures available for cross-border automated exchange.
- The Single Digital Gateway Regulation is only the first among many initiatives at the EU level adopting the once only principle. Other examples include the making available of crew certificates, procurement, student and business mobility. To promote the re-use of assets, the once-only infrastructure will be made available as a building block under the Digital Europe Programme.