/What is eIDAS 2 and how to prepare your business

Regulation (EU) 910/2014, known as eIDAS Regulation (“electronic Identification, Authentication, and trust Services”), is a European regulatory framework that establishes a set of rules and standards for electronic identification and trust services in the member countries of the European Union.

This update aims to renew and improve the original eIDAS regulation to adapt it to technological advances and the new needs of the EU digital market.

What is the eIDAS 2 regulation in the EU?

eIDAS 2 heralds a significant evolution in the management of electronic identification and signature within the European Union. Its primary aim is to enhance safety and flexibility, ensuring seamless utilization of digital identities across various contexts, including border crossings, online document signing, and accessing public services. Notable innovations brought forth by eIDAS 2 include:

1. Universal Digital Identity Wallets: Picture a digital repository akin to your physical wallet, but residing conveniently on your smartphone or computer. This digital vault empowers users to securely store their identification proofs and utilize them effortlessly anywhere within the EU.
2. Streamlined Cross-Border Access: Bid farewell to the cumbersome processes associated with utilizing digital IDs across EU member states. eIDAS 2 streamlines this experience, facilitating smoother access to services irrespective of geographical boundaries.
3. Enhanced Data Protection Measures: With eIDAS 2, stringent regulations are implemented to bolster the security and confidentiality of personal data. Importantly, individuals are endowed with greater autonomy over their data, enabling selective sharing based on the specific requirements of each service.
4. Expanded Service Accessibility via Digital IDs: The scope of services that can be accessed using digital IDs is broadened under eIDAS 2. This expansion aims to inclusively embrace more individuals within the digital realm, fostering widespread participation in digital transactions and interactions.

eIDAS 2 stands as a pivotal advancement, redefining the landscape of digital identity management within the EU while prioritizing security, accessibility, and user empowerment.

eIDAS, laying the foundations for electronic identification

The eIDAS regulation came into force on July 1, 2016. Until then, Directive 1999/93/EC had regulated electronic identification services.

This regulation recognized the validity of electronic signatures, which were considered equivalent to handwritten signatures and were given validity in court.

However, as with directives at the European level, these are interpretable for each Member State, so the recognition and validity of electronic signatures between different countries and their courts was a complication.

With the creation of the eIDAS Regulation, a direct application of the regulations has been achieved, and a common framework for all member states.

It should be noted that although the eIDAS regulation came into force in 2016, some of its requirements have been implemented progressively following the deadlines set out.

Since entering force, eIDAS has significantly impacted the EU digital single market by establishing a framework for electronic identification, electronic signatures, and trust services that enable secure and frictionless cross-border electronic transactions.

What is the new eIDAS Regulation?

The European Union’s pioneering eIDAS regulation, formally enshrined as EU Regulation 2014/914, has played a pivotal role in establishing benchmarks for electronic identification and trust services throughout the EU. Now, building upon this foundational framework, the updated iteration, referred to as eIDAS 2 under EU Regulation 2024/1183, has been officially unveiled, poised to elevate digital interactions to new heights.

eIDAS 2 represents a significant milestone in the ongoing evolution of digital identity governance within the EU, promising heightened efficiency, security, and interoperability across digital realms.

When will eIDAS 2 be released?

While eIDAS 2 will enter into force on May 20, 2024, this date marks the beginning of a phased implementation period. Member States will have various deadlines to fully adopt and apply the new measures, ensuring a gradual and structured integration of the updated digital identity standards.

Once the eIDAS 2 Regulation is adopted, it must be published in the Official Journal of the European Union and will enter into force 20 days after publication.

September 2024 marks the crucial deadline for Member States to integrate eIDAS 2 into their national legislative frameworks, ensuring uniformity and compliance across the European Union.

Throughout Q4 2024 and H1 2025, dedicated efforts will be directed towards the implementation of Qualified Trust Service Provider (QTSP) initiatives aimed at facilitating the adoption of the European Union Digital Identity (EUDI) Wallet within member states. This phase encompasses comprehensive processes and technical developments to enable seamless integration.

By September 2026, trusted service providers are mandated to align with the updated eIDAS 2 requirements, while EU member states are expected to deploy the EUDI Wallet, marking a significant milestone in the broader adoption of digital identity standards.

The years 2025 to 2026 are designated for the initial stages of development, refinement, and monitoring overseen by the European Commission. Concurrently, citizens, businesses, and institutions will undergo an adaptation period. Additionally, stringent measures outlined in Article 45e of eIDAS 2 necessitate the verification of authentication system attributes within 24 months of approval.

From 2025 to 2027, there will be focused efforts on specifying and developing requirements for Strong Customer Authentication (SCA) in online identification, particularly with the integration of the EUDI Wallet. This period also involves defining requirements for large online platforms and fostering the acceptance of the EUDI Wallet as a recognized means of authentication across all public administrations, as mandated by Article 5f.

Looking ahead to 2030, the ambitious target is set to achieve 80% adoption among EU citizens and companies utilizing the EUDI Wallet under the standardized eIDAS 2.0 framework. This adoption is contingent upon the proactive adaptation efforts undertaken by organizations, companies, and institutions across the EU.

Why is eIDAS 2 important?

eIDAS is important because it provides a unified framework that ensures secure and seamless electronic transactions across the European Union. Here’s why it’s crucial:

1. Enhanced Security: It introduces stricter standards for data protection and verification. Strengthening the security framework helps prevent identity theft and fraud while ensuring the safe handling of personal data.
2. Unified Digital Identity: eIDAS 2 gives EU citizens a universal digital identity wallet. This wallet allows individuals to store and use their digital IDs and signatures across different services and borders, making identification and authentication seamless throughout the EU.
3. Cross-Border Interoperability: It facilitates easier access to public and private services across EU member states, streamlining business and individual transactions. This framework ensures that electronic signatures and identification are recognized uniformly across the EU, reducing administrative burdens.
4. User Empowerment: It gives individuals greater control over their data. Users can choose what personal information to share based on the requirements of each service, giving them autonomy over their digital identity.
5. Expanded Use Cases: The updated regulation broadens the range of services that accept digital identities, from banking and healthcare to accessing governmental services. This helps more people and businesses participate in the digital economy.

Stimulating Innovation: By standardizing digital identity rules and practices, eIDAS 2 fosters a more predictable and stable environment for businesses and tech developers, encouraging them to create innovative identity solutions and services.

What are the differences between eIDAS and eIDAS 2?

The main new features that eIDAS 2 will introduce over the current framework of the eIDAS Regulation are:

1. Expand the scope of the regulation to include additional cross-border digital services, such as authentication and device identification.
2. Strengthen the security and privacy of electronic identities and trusted services.
3. Establish a framework for the creation and use of digital identities. These so-called identity wallets allow individuals and businesses to create and use digital identities without government verification.
4. Simplify digital identities and trust services in public procurement processes and improve interoperability between national systems.

How do I get an eIDAS certificate?

To obtain an eIDAS certificate, you typically need to follow these steps:

1. Select a Qualified Trust Service Provider (QTSP): Choose a QTSP that is accredited to issue eIDAS certificates. These providers are authorized to issue certificates compliant with eIDAS regulations.
2. Choose the Type of Certificate: Determine the specific type of eIDAS certificate you require based on your needs, such as for electronic signatures, seals, or website authentication.
3. Provide Identification and Documentation: You’ll need to submit identification documents and any other required documentation to the QTSP. This may include personal identification, business registration documents, or other relevant paperwork.
4. Verification Process: The QTSP will verify your identity and the information provided. This process may involve in-person verification, online verification, or a combination of both, depending on the type of certificate and the QTSP’s procedures.
5. Certificate Issuance: Once your identity and documentation are verified, the QTSP will issue the eIDAS certificate to you. This certificate will typically include cryptographic keys that will enable you to digitally sign documents, authenticate websites, or perform other relevant actions depending on the type of certificate obtained.
6. Installation and Configuration: After receiving the certificate, you’ll need to install it on your devices or systems and configure any necessary software to use it for electronic transactions or authentication purposes.

Remember to adhere to any specific guidelines or requirements set forth by the QTSP during the application process to ensure a smooth and successful issuance of your eIDAS certificate.

How does eIDAS work?

eIDAS, which stands for Electronic Identification, Authentication, and Trust Services, is a regulation implemented by the European Union to establish a framework for electronic transactions across member states. Here’s how eIDAS works:

• Standardization: eIDAS sets common standards for electronic identification and trust services, ensuring consistency and interoperability across EU countries. This allows individuals and businesses to use their electronic identities (eIDs) and digital signatures across borders with legal recognition.
• Electronic Identification (eID): eIDAS facilitates the issuance and recognition of electronic identification by member states. Individuals can use their eIDs to access online services, sign documents, and authenticate themselves securely in various transactions.
• Trust Services: eIDAS defines various trust services, including electronic signatures, electronic seals, time stamping, and electronic registered delivery services. These services help ensure the integrity, authenticity, and confidentiality of electronic transactions, providing a legal framework for their use.
• Mutual Recognition: One of the key principles of eIDAS is mutual recognition, meaning that member states must recognize and accept eIDs, electronic signatures, and other trust services issued by other EU countries. This simplifies cross-border transactions and enhances digital interactions within the EU.
• Qualified Trust Service Providers (QTSPs): eIDAS regulates the activities of QTSPs, which are authorized to issue qualified certificates for electronic signatures, seals, and other trust services. These certificates comply with strict security and reliability requirements set forth by eIDAS.

Overall, eIDAS aims to promote trust, security, and efficiency in electronic transactions within the EU by providing a harmonized legal framework for electronic identification and trust services.

How do I comply with eIDAS?

Complying with eIDAS involves ensuring that your electronic transactions and identity management practices adhere to the regulations outlined in the legislation. Here are some steps to help you comply with eIDAS:

1. Understand eIDAS Requirements: Familiarize yourself with the specific requirements and obligations outlined in the eIDAS regulation. This includes provisions related to electronic identification, electronic signatures, trust services, and the role of qualified trust service providers (QTSPs).
2. Assess Your Current Practices: Conduct a thorough assessment of your current electronic identification and trust service practices to identify any gaps or areas where compliance may be lacking. This may involve reviewing your procedures for electronic signatures, authentication methods, and data protection measures.
3. Select Qualified Trust Service Providers (QTSPs): If you require qualified trust services, such as qualified electronic signatures or seals, choose QTSPs that are accredited and authorized under eIDAS to provide these services. Ensure that any certificates or services obtained from QTSPs comply with eIDAS requirements.
4. Implement Technical and Organizational Measures: Implement appropriate technical and organizational measures to ensure the security and integrity of electronic transactions and identity management processes. This may include encryption protocols, access controls, authentication mechanisms, and data protection measures.
5. Train Employees: Provide training and awareness programs for employees involved in electronic transactions and identity management to ensure they understand their responsibilities and how to comply with eIDAS requirements. This may include training on electronic signature processes, authentication procedures, and data protection practices.
6. Document Compliance Efforts: Maintain detailed documentation of your compliance efforts, including policies, procedures, and evidence of adherence to eIDAS requirements. This documentation will be valuable in demonstrating compliance to regulatory authorities if required.
7. Stay Informed: Stay up-to-date with any changes or updates to eIDAS regulations and guidance issued by regulatory authorities. This will help ensure ongoing compliance with evolving requirements and best practices in electronic identification and trust services.

By following these steps and ensuring ongoing vigilance and adherence to eIDAS requirements, you can effectively comply with the regulation and promote trust, security, and efficiency in your electronic transactions and identity management practices.