[To Eurosmart members only]
eIDAS 2: Member States continue amending the proposal
On 5 April, representatives from the Member States again discussed their common position on eIDAS 2 (“compromise text”). In particular, the exchanges focused on a new set of modifications proposed by the French presidency. These proposed modifications stem from earlier discussions among Member States.
The text remains close to the one presented in a previous briefing sent to Eurosmart members. However, there are some additions, including requirements for non-qualified trust providers. It seems that Member States focused on trust services for this second compromise text.
The following points are worth noting:
Definition of “data record”
The definitions are very similar to those presented in the earlier version of the compromise text. One notable change is the introduction of a definition of “data record”: “an electronic data recorded with related meta-data (or attributes) supporting the processing of the data”.
Level “Substantial”: still in discussion
In the previous version of the compromise, Member States had introduced the possibility to notify a Wallet at level “Substantial”. However, Member States also indicated that the level “Substantial” was subject to discussion. This point does not seem to have been settled in the current version.
New requirements for non-qualified trust service providers
The French presidency proposed a new article (Article 19a) to introduce requirements for non-qualified trust service providers.
A non-qualified trust service provider providing non-qualified trust services shall have appropriate measures to manage the direct or indirect risks, including:
- measures related to registration and on-boarding procedures to a service
- measures related to procedural or administrative checks
- measures related to the management and implementation of services
They shall notify the supervisory body of any breaches or disruption in the implementation of the measures. The Commission will adopt implementing acts.
New requirements for qualified trust service providers
The French presidency added a recital to state that the security of qualified trust services should be ensured regardless of the place where the operations are conducted. If a qualified trust service provider outsources any of its operations outside the EU, it should provide guarantees that supervisory activities and audits can be enforced as if these operations were carried out in the EU. Otherwise, the qualified status might be withdrawn.
In addition, the French presidency added that if a qualified trust service provider fails to fulfil any of the requirements of NIS 2 or GDPR, the supervisory body may withdraw the qualified status of the provider or affected service. Such an explicit provision was missing in the Commission’s proposal.
The French presidency also added that qualified trust service providers can rely on the European Digital Identity Wallets to verify the identity of the person to whom they issue qualified certificates or qualified electronic attestations of attributes. However, it seems that here again the level of assurance is still in discussion. Should the Wallet or notified eID be level “Substantial” or level “High” for such identity verification? It seems that Member States have not decided yet.
Qualified trust service providers and third countries: new approach
The French presidency’s new compromise modifies Article 14 on international aspects. It notably introduces safeguards to ensure fair competition between qualified trust service providers established in the EU and trust service providers established in third countries.
Those non-EU trust services can be recognised as legally equivalent to qualified trust services established in the EU via an implementing decision or an international agreement. However, the implementing decision and the agreement shall ensure that the qualified trust services provided by an EU-based qualified trust service provider are also recognised as qualified in that third country. This is an improvement compared to the Commission’s proposal. In the Commission’s proposal there was a risk of having third country services recognised in the EU without having reciprocity for EU-based trust services in that third country.
Moreover, the French presidency added conditions for such a recognition of non-EU trust services. Those services and their providers must comply with GDPR, Article 24 of eIDAS (requirements for qualified trust service providers), NIS 2, and supervision and enforcement must be effective.
No modification of the certification-related articles
The articles on the certification of the Wallets and certification of electronic identification schemes have not been modified compared to the previous version of the compromise.
Advanced eSignatures and advanced eSeals
The French presidency added that the Commission may adopt implementing acts to reference standards for advanced electronic signatures and advanced electronic seals. Applying those standards would entail presumption of conformity.
Legal effects of ledgers
The French presidency modified the wording of the article on the legal effects of ledgers. The compromise text stipulates that “data records contained in a qualified electronic ledger shall enjoy the presumption of their unique sequential chronological ordering and of their integrity”. By contrast, the Commission’s proposal stated that “a qualified electronic ledger shall enjoy the presumption of their uniqueness, the correctness of their origin, and authenticity of the data it contains, the accuracy of their date and time, and their sequential chronological ordering within the ledger”.
The Member States seemed keen on promoting ledgers. They added in the recitals that electronic ledgers “can also provide solutions for digital credentials and support more efficient and transformative public services. The process of creating an electronic ledger depends on the type of ledger used (centralised or distributed). Common to all is that the creation of an electronic ledger presupposes both software and hardware components”.
Transition shortened for certain services
The French presidency considerably shortened the transition time for qualified electronic signature creation devices and qualified certificates (for electronic signatures). The Commission’s proposal stated that those should remain qualified for four years following the entry into force of the new eIDAS Regulation. The French presidency reduced it to one year.