European Digital Identity Wallet: Why do we need level “high” (eIDAS) & level “high” (Cybersecurity Act)?

European Digital Identity Wallet: Why do we need level “high” (eIDAS) & level “high” (Cybersecurity Act)?

The discussion around assurance level “high” is rightfully confusing for many following the revision of the eIDAS Regulation. What is meant by assurance level “high”? Does it mean resistance to skilled attackers, so a high level of cybersecurity for a given product? Does it mean that an electronic identification means needs to be entirely trustworthy, including the process of issuing identity credentials? Does it mean both?

 In this paper, Eurosmart would like to take on the ambitious task of bringing clarity to the debate. The needed starting point is to understand that there are two meanings of assurance levels “high”:

  • assurance level “high” in the meaning of the eIDAS Regulation
  • assurance level “high” in the meaning of the Cybersecurity Act (CSA)

In the first section, Eurosmart explains the difference between the two concepts (eIDAS assurance level “high” and CSA assurance level “high”) as well as how they overlap. In a second section, Eurosmart presents why the new eIDAS 2 regulation needs to rely on both assurance levels “high”.

Eurosmart_positionpaper_level_High_eIDAS_Final_public