eIDAS 2.0: The concerns surrounding this new standard
Discover how eIDAS 2.0 aims to streamline online transactions while facing concerns over privacy and centralization.
Table of Contents
eIDAS 2.0: What it is and the controversies surrounding it
Electronic Identification, Authentication, and Trust Services (eIDAS) is a regulation established by the 27 countries of the European Union (EU), making it more convenient and safer to conduct business electronically. It regulates digital certificates, electronic signatures, and electronic seals, and it controls the services that establish trust between two entities engaging in an electronic transaction in the EU.
The eIDAS 2.0 regulation is designed to make it easier to authenticate websites, get documents signed, and perform a vast array of online transactions. For instance, you can purchase a vehicle, apply for a car loan, obtain insurance, register the vehicle, and add it to your insurance policy without ever having to sign a piece of paper.
But eIDAS also has raised concerns. Many stakeholders feel it may unnecessarily expose citizens and businesses to risks due to its centralized nature. Others feel eIDAS oversteps by dictating the types of digital certificates browsers can trust, and some think eIDAS makes it easier for EU member countries to spy on their citizens.
The evolution from eIDAS to eIDAS 2.0
While eIDAS 1.0 helped make digital spaces safer, it didn't provide comprehensive protection. For example, each member state could choose how to implement eIDAS, resulting in inconsistent policies from one country to another. Additionally, its trust services only included electronic signatures, seals, and timestamps. The regulation didn’t protect users from fake sites looking to steal identities.
eIDAS 2.0 seeks to remedy these issues by introducing the European Union Digital Identity (EUDI) Wallet, which is expected to make digital transactions more consistent across individuals and organizations.
Users can store identification information in the EUDI Wallet, such as name, birth date, signature, place of residence, and phone number. Then, when applying for a loan and the lender asks for ID information, for example, they can send the data straight from their wallets. No need to sign documents, fax them, or use third-party e-signature software.
Also, by introducing new mechanisms and trust services, eIDAS 2.0 covers a wider range of digital transactions. One notable feature is the Qualified Website Authentication Certificate (QWAC), the equivalent of the SSL digital certificates used today to validate website authenticity. Version 2.0 also includes electronic archiving and ledgers, as well as management systems for remote electronic signatures.
What is eIDAS 2.0?
The main objectives of eIDAS 2.0 include:
- Expanding the number of services that the regulation applies to, such as e-certificates for authentication
- Making implementing electronic transactions more consistent, particularly via the EUDI Wallet
- Incorporating safer, more convenient electronic transactions across a wider range of daily activities, such as filling out a rental agreement, booking a flight, or applying for a job
There are three primary categories of entities in the eIDAS ecosystem:
- Identity issuer: For instance, a government entity can issue personal identification data from a user’s birth certificate, attesting to the user’s birth location, name, date, and parents.
- The user: This is the person or business entity that receives the identification data from the issuer and can be a citizen or an owner of a website that receives a QWAC.
- The relying party: The relying party is the entity that uses the identification provided by the user. This can be an airline accepting a flight booking, a hospital performing intake procedures, or an employer interviewing a candidate.
After co-legislators reached an agreement on its contents on June 29, 2023, eIDAS came into full force in September 2023.
Benefits of eIDAS 2.0 for EU citizens and businesses
EU businesses and citizens stand to experience more convenient, faster, and potentially more secure electronic transactions under eIDAS 2.0.
For citizens, transactions are much quicker. For instance, when buying a home, they may not have to provide copies of their passports or have it certified by a justice of the peace or other certifying entity. They simply present their EUDI Wallets with their digital ID information and choose the data they want to share. Similarly, businesses can enjoy faster, smoother, more secure transactions. They have instant access to a variety of identification information to verify customers are who they say they are.
Online transactions are also more secure and convenient for both businesses and customers, even for major purchases. Customers can share their identification, payment, and shipping information straight from their wallets, enabling smoother revenue streams for businesses that sell online.
Cross-border transactions benefit as well. Historically, countries had their own data protection laws, which hindered transactions requiring data sharing. eIDAS 2.0 operates in alignment with GDPR principles, which apply to all 27 countries.
eIDAS 2.0 controversies
A qualified trust service provider (QTSP) is a natural or a legal person who provides one or more qualified trust services. There are hundreds of QTSPs, many of which are country-specific. Ensuring the reliability and cybersecurity measures of each QTSP can be challenging. This issue, along with other provisions of eIDAS 2.0, has sparked some controversies:
- eIDAS could pave the way for a central repository of site certificates, one with all the QWACs issued by some or all member states. That means that a single hack could result in breaches across thousands of sites around the EU.
- eIDAS limits the freedom of browser manufacturers by forcing them to work with QWACs from any of the approved trust service providers. If a browser developer has concerns about the cybersecurity practices of a QTSP, it still has to recognize the QWACs issued by that QTSP.
- If a European government wanted to start spying on citizens or businesses, it could feasibly obtain certificate and key information from QTSPs.
- eIDAS specifies how browsers display information about organizations. The information must be easy for consumers to identify, understand, and verify. Some stakeholders believe this hampers browser producers' ability to design interfaces and make their own creative decisions.
All this adds up to the potential for overregulation. In the future, the government could even choose to certify QTSPs based on questionable criteria, such as the number of employees or the country it operates out of.
What’s next?
eIDAS 2.0 is still in its early phases. The EUDI Wallet began pilot testing in April 2023, focusing on several use cases, including:
- Accessing government services
- Opening a bank account
- Registering SIM cards
- Storing driver's license information
- Signing contracts
- Claiming prescriptions
- Traveling across borders
- Issuing organizational digital identities
- Accepting payments
- Certifying educational degrees
- Accessing Social Security benefits
As officials, businesses, and citizens learn from these tests, the future of eIDAS will become clearer. It’s poised to improve the fluidity and security of digital transactions and eliminate time-consuming, paper-based ID verification systems across the board.
At the same time, some stakeholders believe eIDAS 2.0 may threaten the security of website authentication systems and user data. It could also pave the way for government spying and overregulation.
Sectigo offers eIDAS-compliant digital certificates that allow both individuals and businesses to secure documents and use digital signatures more effectively. To know more, connect with Sectigo today.