|
Major changes for definitions
The French presidency compromise introduces the definition of “user”: “a natural or legal person or a natural person representing a legal person using trust services, electronic identification means and European Digital Identity Wallets, provided according to this Regulation”.
Interestingly, Member States deleted the definition of “credentials”. Credentials are now absorbed in the definition of “attribute”. An attribute is defined as “the characteristic, right or permission of a natural or legal person or of an entity”.
The definition of “person identification data” has also been amended. In the compromise text, they are defined as “a set of data, issued in accordance with national law, enabling the identity of a natural or legal person, or a natural person representing a legal person to be established”.
The definition of the “European Digital Identity Wallet” has also been significantly redrafted. A Wallet is now “a material or immaterial unit that allows, in accordance with Article 6a, the user to:
-present personal identification data and electronic attestations of attributes to relying parties on request
-perform electronic identification and authentication for a service
-create qualified electronic signatures and seals.”
By contrast, the Commission’s definition of the Wallet starts as follows: “a product and a service that allows the user to store identity data, credentials and attributes linked to her/his identity, to provide them to relying parties on request […]”.
Wallets are no longer quoted as an example of “electronic identification means”. Identity cards are no longer cited as such examples either.
The definition of trust services is also reshuffled. Interestingly the French presidency added a definition of “remote electronic signatures”, i.e. “an electronic signature where the electronic signature creation environment is managed by a trust services provider on behalf of the signatory”.
Mutual recognition from eIDAS 1
The article on mutual recognition of electronic identifications means from eIDAS 1 is reinstated.
New wording for the Wallets
The French presidency compromise states that “each Member State shall ensure that a European Digital identity Wallet is issued within 12 months after the entry into force of this Regulation”. This version replaces the Commission’s proposal that states that each Member State “shall issue” a Wallet.
The features of the Wallets are re-phrased. The French presidency makes a distinction between:
-the presentation of attestations of attributes and person identification data to relying parties
-identification and authentication of the user to public and private services, through the use of an electronic identification means
Level of Assurance “Substantial” introduced
A significant change is the introduction of level “Substantial” for the Wallet. The Wallet shall meet level of assurance “High” or “Substantial”. However, it seems that this change requires further discussion within the Council.
Relying parties: Additional safeguards
The compromise text introduces a new requirement for the Wallet: it shall “ensure that the identity of relying parties is validated by implementing a common authentication mechanism”. Overall, it seems that the text focuses more on allowing the user to authenticate relying parties and less on allowing relying parties to verify the validity of the attestations.
The text also aims to ensure that the use of Wallet by relying parties is consistent with the intended use. Relying parties shall register in the Member States where they are established and shall inform the Member State of the intended use of the Wallet. Member States shall check eligibility with the requirements set out in the EU or national law.
User control not only of the Wallet but also data
The users shall be in full control “of the use of the European Digital Identity Wallet and of their data”. This is an interesting addition compared to the Commission’s version that stated that “the users shall be in full control o the European Digital Identity Wallet”.
Slight changes for certification
The article on certification of the Wallets has not been substantially modified in content. However, the article on the certification of electronic identification schemes has been modified to refer to Regulation 765/2008 (on accreditation and market surveillance).
Security breach clarified
In case of a security breach, “the issuer of the concerned Wallet” shall suspend the issuance and use of Wallet. The Commission’s proposal referred to “the issuing Member State”. In addition, the issuer of the Wallet shall inform not only the Member States and the Commission but also relying parties and the users.
Liability: Re-introduction of the burden of proof
The French presidency re-introduced subparagraphs 2 and 3 on the burden of proof in case of damage caused by a trust service. The distinction between a qualified and non-qualified trust service provider is essential here. The burden of proving intention or negligence of a non-qualified trust service provider lies with the natural or legal person claiming the damage. By contrast, the intention or negligence of a qualified trust service provider is presumed.
Qualified electronic attestation of attributes
In the French presidency’s text, qualified electronic attestation of attributes shall rely on a “qualified” electronic signature or “qualified” electronic seal, and not just “advanced” ones. This is an improvement in the security level of these qualified electronic attestations.
Next steps
A new version of the Council’s compromise will circulate soon.
The Working Party for Telecommunications discusses the eIDAS text today.
If you have any questions on this topic, please contact Camille Dornier - Policy Manager: camille.dornier@eurosmart.com
|
