What is the legislation?
Introduction to the eIDAS Regulation in regard to eID
Electronic identification (eID) and electronic Trust Services (eTS) are key enablers for secure cross-border electronic transactions and central building blocks of the Digital Single Market. Trust services include electronic signatures, electronic seals, time stamps, electronic delivery service and website authentication, and, together with eID, these elements are essential for the establishment of legal certainty, trust and security in electronic transactions.
The eIDAS Regulation foresees that if a Member State offers an online public service to citizens/businesses for which access is granted based on an electronic identification scheme, then it must also recognise the notified eIDs of other Member States by 29 September 2018. This applies to online services that correspond to an assurance level of 'substantial' or 'high' in relation to accessing that service online. Member States remain free, in accordance with EU law, to recognise electronic identification means that have lower identity assurance levels. The eIDAS Regulation thus ensures that people and businesses can use their own national eIDs to access online public services in other EU countries, where eIDs are available.
Who has an obligation under the eIDAS Regulation?
EU and EEA countries
Each country is ultimately responsible for eIDAS-Node implementation, the (optional) notification and integration of national eID schemes, and the connection of online public services by 29 September 2018. Member States are liable for damage caused to any natural or legal person, resulting from a failure to ensure:
- That the electronic identification means is attributed, in accordance with the technical specifications, standards and procedures for the relevant assurance level, to the natural or legal person at the time the electronic identification means under that scheme is issued.
- That the person identification data uniquely representing the person in question is attributed in accordance with the technical specifications, standards and procedures for the relevant assurance level.
- The availability of authentication online, so that any relying party established in the territory of another Member State is able to confirm the person identification data received in electronic form.
eIDAS-Node implementers and operators
As the parties responsible for the eIDAS-Nodes in each country, eIDAS-Node implementers and operators assume much of the responsibility of ensuring that Member States are able to meet their obligations. Broadly, they must ensure that each eIDAS-Node:
- Works as it should (interoperable according to the eIDAS eID Profile).
- Is legally compliant (enables the mutual recognition of foreign eIDs).
- Observes the correct security measures (e.g. notification of security breach, ISO/IEC 27001 certification or equivalent).
Identity providers participating in a notified eID scheme become a part of the eIDAS Network. They are responsible for operating the authentication procedure of the end user, and are thus liable to the same extent as Member States for damage caused to any natural or legal person, due to a failure to ensure the correct operation of the authentication process. They must also support Member States by providing relevant information when required during the notification process.
Public Service Providers
All online public services requiring electronic identification assurance corresponding to a level of 'substantial' or 'high' must connect to the eIDAS Network, in order to be able to accept the notified eID schemes of other EU countries by 29 September 2018.