Eurosmart’s feedback on the revision of eIDAS

Last June, the European Commission proposed a text amending the current version of the eIDAS Regulation. This proposal is a breakthrough in the eIDAS ecosystem. It will lead every Member State to notify at least one electronic identification scheme level High. Furthermore, the proposal introduces the concept of a European Digital Identity Wallet. Every Member State will have to issue a Wallet that will be linked to this trustworthy digital identity and fed with attributes.

Eurosmart welcomes this proposal and particularly appreciates the possibility to use a European cybersecurity scheme to demonstrate compliance with the cybersecurity requirements for Wallets and electronic identification schemes. The strong focus on data protection is also very welcome.

The European Commission makes a large uptake of the Wallet possible by mandating its use when strong user authentication is required (finance, energy, etc.). Large platforms will also have to recognise it. Eurosmart supports these provisions, as they address one major issue that the current version of eIDAS faces: the lack of use in the private sector and, hence, in the daily life of EU citizens.

Eurosmart drafted a set of recommendations for this proposal. These comments were already addressed to the European Commission in the context of the open feedback period.

Eurosmart would like to underline the following points:

  • Transition to the new framework will require time. Member States, trust service providers, and other stakeholders will need to implement considerable changes. The proposal lacks sufficient safeguards to avoid disruption of service during this transition period.

  • It is not clear how the concepts of “attribute”, “credential” and “personal data” interact with each other.

  • The Cybersecurity Act is under-used even though it is an ideal complement to eIDAS. This could lead to fragmentation and diverging levels of trust. Thus, the European Commission should mandate the use of a certification scheme level High for an electronic identification scheme level High. Likewise, the new EUCC scheme is perfectly suitable for certification of qualified signature creation devices.

  • To preserve Europe’s sovereignty, the European Commission should avoid having a Wallet purely in the Cloud and, when the Cloud is used, ensure it is a sovereign one (exclusively ruled by EU laws and not accessible from a third country).

  • CEN-CENELEC and ETSI should be requested to start the standardisation work.

  • The European Commission should leverage existing standards, including ISO/IEC 18013-5 and its correlated ISO/IEC 23220 series.

You can find below the complete set of recommendations.