The eIDAS Regulation: Electronic Identification in Europe

Published Date: 23 July 2021

The eIDAS Regulation

July 2021 marks seven years since the adoption of the eIDAS Regulation and the fifth anniversary of its effective entry into force in all EU Member States. So what better occasion to reflect on its role in creating a Digital Single Market in the EU?

This article highlights the benefits that the EU has gained from the adoption of eIDAS and what we can expect moving forward.

 

What is the eIDAS Regulation?

eIDAS is the acronym for electronic IDentification, Authentication, and trust Services and refers to the EU Regulation 910/2014 regulating electronic transactions.

Because it is a regulation and not a directive, eIDAS applies throughout the 27 Member States without them having to adopt national laws for internal implementation, and it overrides national law in case of conflict.

Since eIDAS is of EEA relevance, the Regulation also applies to Norway, Liechtenstein, and Iceland, but only after national incorporation (i.e., after the adoption of an internal law that implements its provisions). Norway implemented eIDAS with the Lov om elektroniske tillitstjenester of 2018.

 

What does eIDAS regulate?

The goal of the eIDAS Regulation is to create a legal framework for digital transactions as a step to develop a modern European Market where people, businesses, and public authorities can interact safely online.

To this end, eIDAS created standards granting electronic signatures and e-identities the same legal standing as their physical counterparts. As a result, people can now conduct business electronically - which means no need for in-person meetings, but the same binding effect.

More generally, eIDAS regulated trust services, which are electronic services providing electronic signatures, seals, time stamps, etc.

To lay down standards for eIDs and trust services, several decisions have been adopted by the EU. Below is an overview of them:

[Figure: eIDAS timeline]

 

eIDAS terminology
Term: electronic identification
What is it? The process of using electronic identification means to authenticate a person online.
Examples: By logging in to Penneo with your eID, you are authenticating your identity electronically online.

Term: electronic identification means
What is it? Units containing data in an electronic form that uniquely identifies a person online.
Examples: Tokens used for online banking or eIDs (such as NemID, BankID, itsme®, FTN, etc.) used for authentication for online services.

Term: electronic identification scheme
What is it? A system issuing electronic identification means to natural or legal persons. Under eIDAS, each Member State is encouraged to develop eID schemes and notify the EU Commission of their use to obtain their mutual recognition in the rest of the EU.
Examples: Examples of eID schemes are NemID in Denmark, BankID in Norway, and all other eIDs issued in EU countries and notified to the EU to be recognized by the rest of the Member States.

Term: authentication
What is it? The electronic process of confirming the identity of a person or the origin and integrity of data.
Examples: When signing a document in Penneo via your eID, our software authenticates your identity. As a result, there is certainty on the origin of the data, since your identity was verified.

Term: trust service
What is it? An electronic service providing for the creation, verification, validation, or preservation of:
- electronic signatures
- electronic seals
- electronic time stamps
- electronic documents
- electronic registered delivery services
- and certificate services for website authentication.
A trust service is defined as qualified if it has been recognized as such following an audit by a conformity assessment body that certified its compliance with eIDAS requirements.
Examples: The services offered by Penneo can therefore be defined as trust services.

Term: trust service provider
What is it? A person or business who provides one or more trust services, such as electronic signatures, seals, or timestamps, etc.
Examples: As electronic signatures are one of the services we offer, Penneo can be defined as a trust service provider.

Term: electronic signature
What is it? Data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.
Examples: It can be as simple as typing your name on an electronic document, drawing your signature on a tablet, or attaching a picture of a handwritten signature.

Term: signatory
What is it? A natural person who creates an electronic signature.
Examples: Any person signing a document is called a signatory. Documents can be signed on behalf of legal entities, but the signatory will always be a natural person, i.e., an individual.

Term: advanced electronic signature
What is it? An electronic signature that meets the requirements set out in eIDAS Article 26, i.e.:
- it is uniquely linked to the signatory;
- it is capable of identifying the signatory;
- it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
- it is linked to the data signed in such a way that any subsequent change in the data is detectable.
Examples: As digital signatures created with Penneo meet all of these requirements, they are advanced electronic signatures.

Term: electronic seal
What is it? Data in electronic form attached to other data in electronic form (such as a document) to ensure the latter's origin and integrity.
Examples: You can see what the seal of the document looks like by opening a PDF signed via Penneo in a PDF reader. Penneo relies on a qualified trust service provider to secure our documents with eIDAS-compliant seals.

Term: electronic timestamp
What is it? Data in electronic form which binds other data in electronic form (such as a document) to a particular time, establishing evidence that the latter data existed at that time.
Examples: When signing a document via Penneo, the signature is timestamped to the document, and you can see the time of the signature next to the signatory's data on its final page. Penneo relies on a qualified trust service provider to secure our documents with eIDAS-compliant timestamps.

Term: validation
What is it? The process of verifying and confirming that an electronic signature or a seal is valid.
Examples: You can validate documents signed via Penneo through our Validator or the EU Validator.

 

Why do we need the eIDAS Regulation?

The demand for updated, consistent legislation regulating e-interactions in the European Union came from three perspectives:

 

1. Build trust towards digital transactions

Despite our personal and professional lives being moved to the online world, the attachment to traditional paper-based methods led to a distrust of digital means. Even today, some companies prefer to rely on manual operations.

eIDAS addressed the demand for confidence, standardization, and safety in digital interactions by fostering better public perception and acceptance of, and trust in, electronic alternatives.

 

2. Ensure legal validity and binding force of electronic transactions

To build long-distance business relationships, we must ensure that our contracts will hold up in court, and our clients, partners, and suppliers are actually who they say they are. Legislation is essential for the creation of a trustworthy business environment.

With a consistent legal framework valid EU-wide, the eIDAS Regulation enabled digital identification and e-signatures across borders and provided them with the same legal standing as the corresponding manual transactions.

 

3. Allow Europe to keep up and compete with the rest of the world

The majority of countries worldwide had laid down rules for the use of crucial instruments to do business remotely, like e-signatures. A failure to regulate electronic transactions would have put Europe at risk of being left behind in the global market.

eIDAS was the first step towards creating a modern digital market and pursuing the EU’s broader digitalization plan to improve our competitiveness worldwide.

 

What are the benefits of the eIDAS Regulation?

eIDAS disrupted the way we think about identity, signatures, and business relationships. Its far-reaching impact affected both the private and public sectors by:

Making cross-border electronic transactions secure, standardized, and transparent

Reducing costs for businesses in all industries

Cutting bureaucracy and speeding up processes

Increasing convenience of government services.

 

What is the future of the eIDAS Regulation?

Despite having a game-changing role in creating a more digital single market, the eIDAS Regulation doesn’t seem to have reached its full potential. The doubts about its effectiveness have arisen mainly due to the limited number of Member States that implemented eID schemes.

Currently, about 59% of European citizens - just over half of the EU population - are covered by eID schemes, and the actual cross-border use of eIDs is minimal and rarely works at all.

In light of these issues, the EU Commission launched a public consultation on the eIDAS Regulation in October 2020, aiming to collect feedback from a broad range of stakeholders on a possible revision of eIDAS.

Furthermore, on June 3rd 2021, the European Commission adopted a "Proposal for a Regulation amending eIDAS as regards establishing a framework for a European Digital Identity".

The Proposal unveiled the EU plan for a European Digital Identity Wallet, designed as a pan-European app that all EU citizens will be able to apply for and install on their smartphones. With the EU Digital Identity Wallet, people will be able to store in a single digital place all their ID documents and electronic identification data (including driving license, academic records, bank account details).

The Member States are invited to discuss the EU Wallet initiative and prepare a set of technical standards by September 2022 to then launch pilot projects.

[Figure: eIDAS timeline]

 

Penneo: eIDAS-compliant digital signatures

Playing a role in the digital transformation of European businesses is a core part of Penneo’s mission. As we strive to provide our users with a safe digital experience, our services comply with local, national, and international legal requirements and security standards - including eIDAS rules and subsequent implementations.

 

Electronic signatures

Digital signatures created with Penneo meet the eIDAS requirements for advanced e-signatures (art. 26) and are, therefore, just as legally valid and binding as handwritten signatures.

 

Electronic seals and electronic timestamps

Our signing solution uses Certification Authority services and timestamps provided by Intesi Group, an EU Qualified Trust Service Provider certified under eIDAS standards.

Thus, a document signed via Penneo is now secured through a seal certificate issued by a Qualified Certification Authority that guarantees the origin and integrity of the document, as well as the authentic date and time of the creation of digital signatures.

 

PAdES standard and Long Term Validation (LTV)

Penneo's digital signatures are built on the ETSI PAdES standard. PAdES (Advanced Electronic Signatures for PDF documents) is the best-defined standard for the implementation of digitally signed documents through cryptographically secured electronic signatures in compliance with the eIDAS regulation.

The main benefit of PAdES is most likely a feature called Long Term Validation (LTV). Long Term Validation is a signed document's ability to stay valid for years or even decades after signing. To ensure that the document never loses its legal reliability and trustworthiness, the technical proof of the signature's validity is stored as a form of attachment in the completed PDF.

 

eIDs:

Penneo uniquely identifies signers by using digital IDs issued by Trust Service Providers (TSPs) or Certificate Authorities (CAs) that are included in the EU Trusted List. This is how we ensure signers' authentication and provide certainty on users' identities.

 

Penneo looks forward to the next developments of eIDAS and the broader use of eIDs and e-services. We will continue to stay on top of legal news in the European landscape and adapt our services to ensure constant compliance.

 
