Eurosmart’s feedback on an EU Digital Identity scheme (EUid)

Eurosmart’s feedback on an EU Digital Identity scheme (EUid)

Answer to the European Commission’s public consultation on an EU digital ID scheme for online transactions across Europe

Executive Summary

Eurosmart, the voice of the Digital Security Industry, is committed to enhancing security solutions that enable European citizens to enjoy a reliable and trustworthy digital experience.

eIDAS is a valuable milestone in this respect, as (1) it provides a common basis for electronic identification and electronic authentication, and (2) ensures that Trust Services appropriately fulfil their missions.

The eIDAS Regulation enables cross-border eID for over 50% of the European citizens.  Efforts should be made to unleash the full potential of eIDAS solutions, in particular for identification and electronic authentication across Europe (eIDAS Chapter II). The eIDAS trusted model has been showing its benefits on business in countries where solutions have been developed, despite the persistence of diverging national rules impeding the de-facto mutual recognition of eID schemes in Europe. The trust services part (eIDAS Chapter III) is also a key achievement: worldwide players such as ADOBE or Global Sign now propose trusted solutions for the public at large.

Option 1:

Eurosmart supports option 1 as a necessary step to consolidate the eIDAS framework. Further enhancements and extended usages of eIDs under eIDAS should be fostered. In particular, deeper harmonisation of certifications will bring more confidence and trust to stakeholders. This will also clarify the eIDAS security requirements and Levels of Assurance (LoAs). The recent adoption of the Cybersecurity Act and the coming EU CC scheme can support a smooth harmonisation.

Option 2:

The use of eIDAS solutions by private actors could be an incentive to boost the European Digital Single Market. However, the approach proposed in option 2 may damage the current electronic identification framework as provided by chapter II of the Regulation. The system has been designed for Sovereign eIDs only. Sovereign eIDs are assets that the private sector could advantageously leverage on to develop its own identification frameworks. Eurosmart strongly believes that eIDAS should not be revised but complemented: option 1 should be favoured.

However, as stated by the European Commission in its inception impact assessment, private actors can make a better use of eID solutions. Typically, if banks were given the capability to rely on national eID solutions to implement strong digital ID verification, this would bring trust and convenience to their KYC procedures. Better synergies between the eIDAS Regulation and AML and PSD2 directives would accelerate the deployment of national eID solutions at assurance level “High” and would stimulate their adoption by private actors.

In addition, Eurosmart recommends to the Commission not to limit the revision to option 1, but to combine option 1 with another legislative act establishing a complementary framework for:

  • private eIDs and attribute providers;
  • private services (also called relying parties) accepting them.

Furthermore, to strengthen harmonisation, Eurosmart recommends to the Commission to opt for a regulation rather than a directive. This approach is an alternative to option 2 as currently envisioned in the impact assessment. Through this dedicated regulation, the Commission should give a mandate to the European standardisation organisations (ESOs) to define all the necessary harmonised standards, such as standards for the reuse of notified eID schemes by the private sector. In addition, this regulation should identify or request the development of a European Certification Scheme, under the Cybersecurity Act, when it comes to the evaluation of private eID schemes.

This new framework could be adopted through a new proposal for a regulation based on eIDAS. This approach should consider dedicated rules and procedures for data privacy, identity and attribute proofing; and should require harmonised standards. Such a framework will create market incentives for the use of eID schemes. It will provide the necessary means to ensure a clear legal framework and the legal certainty that relying parties need. Eurosmart proposes 9 recommendations as listed hereunder (pages 6-12).

Option 3:

The EUid could quickly be achieved with a European label on national eIDs notified by Member States.