Definitions
MEP Romana Jerković redefined “person identification data” as follows: “qualified electronic attributes composed of a set of data establishing the identity of a natural or legal person, or a natural person representing a legal person to be established”. Overall, the rapporteur makes clear in her report that person identification data take the shape of electronic attestation of attributes.
The rapporteur specified that a European Digital Identity Wallet operates like electronic identification means. However, European Digital Identity Wallets and identity cards are no longer mentioned in the definition of electronic identification means.
MEP Romana Jerković introduced the definition of a “user”: “a natural or legal person, or a natural person representing a legal person using trust services, electronic identification means and European Digital Identity Wallets, provided according to this Regulation”.
Wallet issuance
Member States shall issue at least one Wallet. The rapporteur modified the three situations of issuance of a Wallet. European Digital Identity Wallets shall be issued:
a) by a Member State
b) under a mandate from a Member State
c) independently but recognised by a Member State by an organisation established in the Union
The first interpretation of this modification is that an organisation established in the EU could issue a European Digital Identity Wallet without any recognition from a Member State. However, Wallets still need to be issued “under a notified electronic identification scheme of level of assurance high”.
The report further states that the Commission shall keep a public register of all issuers of Wallets, including their main specifications, to ensure transparency and facilitate their comparison. Member States shall make this information publicly available.
The use of the Wallets shall be free of charge to all natural and legal persons. The Commission’s proposal only mentioned free-of-charge use for legal persons.
In addition, Member States are tasked with the promotion of the benefits of the European Digital Identity Wallets through communication campaigns.
Wallet features
New recovery and synchronisation features
The Wallet shall provide a recovery mechanism in case of unavailability, loss or theft of the device. The Wallet shall provide a mechanism for synchronising Wallets belonging to the same user upon his or her request.
Cybersecurity by design
The rapporteur strengthened the security provisions of the Wallet. She introduced the requirement of “cybersecurity by design”, and the Wallets shall “provide the necessary security functionalities at the state of the art and offer resistance to skilled attackers”. Wallets shall also request secure, explicit and active user confirmation of their operation.
In the new Recital 27, MEP Romana Jerković underlines that different technical solutions should be considered, “including the use or combination of various cryptographic techniques, such as cryptographically verifiable identifiers, unique user-generated digital pseudonyms, self-sovereign identities and domain-specific identifiers using state of the art encryption technology.”
Privacy by design and transparency
Additionally, the Wallet shall be built on the “privacy by design principle”. In particular, it shall be technologically impossible for Wallet issuers to receive any information on the use of the Wallet or its attributes. Encrypted synchronisation and encrypted backup functions shall be permitted with the prior explicit consent of the user.
For issuers of attestation of attributes, it shall be technologically impossible to receive any information about the use of these attributes and the use of the Wallet.
For relying parties, it shall be technologically impossible to receive any information other than that to which the user has consented. The rapporteur introduced zero knowledge proof (ZKP) as a feature of the Wallet. The Wallet shall enable relying parties to request attestation of attributes or zero knowledge proof inferred from them. A definition of ZKP can now be found in Article 3.
The Wallet shall have the functionality to record all transactions and provide the user with a compilation of the recorded data.
Self-sovereign identities
MEP Romana Jerković added a new feature to the Wallet. It shall make it possible to receive and exchange electronic attestations of attributes directly from other European Digital Identity Wallets.
Effective portability of the Wallet
MEP Romana Jerković insisted on the requirement for the Wallet to be portable. Lock-in effects shall be avoided.
Minimum list of attributes
MEP Romana Jerković modified the minimum list of attributes from Annex VI. Among other things, “age” has been changed into “date of birth” and “financial and company data” into “company data”. “Identity photo” and “email address” were added.
For this minimum list of attributes, Member States shall grant access to authentic sources to qualified providers of attestations of attributes.
Non-discrimination
MEP Romana Jerković wished to ensure that people not using the Wallet would not be discriminated against in their access to government services, the labour market or the freedom to conduct business. Natural and legal persons using the Wallet shall not be granted privileged access to public and private services.
Cybersecurity certification of Wallets and eID schemes
For cybersecurity certification of the Wallet, MEP Romana Jerković deleted the reference to “statement of conformity” when European certification schemes are used; only “certificates” shall be issued. These European certificates give a presumption of conformity with the cybersecurity requirements of eIDAS 2. The Commission shall adopt implementing acts to define a harmonised procedure for the accreditation of the certification bodies.
For certification of electronic identification schemes, the rapporteur added that certification schemes shall include a two-year vulnerability assessment and continuous threat monitoring, unless such a certification scheme has been established pursuant to Regulation 2019/881 (Cybersecurity Act).
Unique and persistent identifier
MEP Romana Jerković deleted the requirement of having a unique and persistent identifier (Article 11a). Instead, Member States shall provide a minimum set of person identification data which can unequivocally identify the user.
Cloud / secure elements
MEP Romana Jerković introduced immunity requirements for data handled by providers of qualified electronic attestations of attributes. They shall ensure that personal data are stored and processed in the EU and that only EU and national law applies to those personal data.
In the rapporteur’s view, storing information from the Wallet in the cloud should be an optional feature only active after the user has given explicit consent. Biometric data should not be stored in the cloud. The cryptographic material of the Wallet should be stored in the secure elements of the device when available. However, these last three points are only present in non-binding recitals, not in the Regulation itself.
Relying parties
Relying parties shall be clear regarding the purpose of each request to access an attribute attestation, including person identification data. The rapporteur also added that mutual authentication between the Wallet and the relying party shall take place before any transaction occurs.
Relying parties shall provide competent national authorities with the justification of the data being requested. Member States shall scrutinise requested use cases of the Wallet in regard to the potential privacy implications of the data exchanged.
Trust service providers
The draft report states that a non-qualified attestation of attributes can be issued by any trust service provider or directly through a Wallet. Authentic sources shall be able to issue non-qualified attestations of attributes.
The rapporteur made the transition smoother for qualified trust service providers. They shall continue to be considered qualified trust service providers until the renewal of their audit.
Remote identity proofing
The rapporteur amended Article 24, which relates to the verification of identity by trust service providers when issuing a qualified certificate or a qualified electronic attestation of attributes for a trust service. She added that when alternative identification methods are used, they shall “comply with the up-to-date standards on ID proofing with a view of ensuring a high level of security and interoperability of electronic identification and trust services in the Union.”
QWACs
MEP Romana Jerković deleted Article 45 on Qualified Website Authentication Certificates (QWACs), meaning that she deleted the mandatory recognition of QWACs.
Governance
MEP Romana Jerković completely reshuffled the governance aspects of eIDAS in a new Article 46a. Each Member State shall designate one or more new national competent authorities and one national single point of contact. The national competent authorities are in charge of supervising issuers of Wallets established in their territory through ex-ante and ex-post supervisory activities. They also supervise relying parties and qualified trust service providers. The single point of contact ensures cross-border cooperation with the other Member States, the Commission and ENISA.
Another major novelty brought by the rapporteur is the creation of the European Digital Identity Board. It is composed of national competent authorities and the Commission. The Board will assist the Commission in the preparation of legislative proposals. This includes the preparation of implementing and delegated acts pursuant to this Regulation. The Board will also support the Commission in identifying technical specifications and standards for the common interface for Wallets and for validation mechanisms.
IoT
The rapporteur introduced a (non-binding) recital to state that the implementing technologies and standards developed in the application of the Regulation could be extended to establish digital identities for connected objects in order to develop a trust layer for the development of the Internet of Things.
Next steps
The other MEPs from the Committee for Industry, Research and Energy (ITRE) will amend MEP Jerković’s draft report.
If you have any questions on this topic, please contact Camille Dornier - Policy Manager: camille.dornier@eurosmart.com