EU Regulation 910/2014, eIDAS (Electronic Identity, Authentication and Signature), has the delicate task of facilitating and stimulating the creation of a single technical and legal framework for Electronic Trust Services that is consistent and interoperable at the European level. These are services where trust is crucial: electronic signatures, electronic seals, electronic time marking, electronic documents and certification services for Web authentication.
These services are supervised and controlled by the Member States, in order to guarantee the security and confidence in the European electronic market.
First, the Regulation lays down the conditions under which the Member States must recognize the electronic identification means of individuals in another Member State.
While preserving the autonomy of the Member States to decide which electronic identification systems are used in their territory to allow access to online services, it establishes the obligation to ensure the mutual recognition of electronic means of identification adopted in another state, provided that such identification systems have been notified to the Commission by the country that puts them forward and are published on a special list of "notified electronic identification schemes" (under Article 9), and that they comply with the conditions relating to the levels of guarantee required in each online service.
In this way, once the notification procedure has been carried out, in a cross-border transaction the notifying state bears responsibility for damage caused intentionally or negligently to any person or entity if there is a breach of its obligations (letters d and f of Article 7 of the Regulation).
Chapter III deals with trust services and establishes a common legal platform for electronic signature, electronic stamp, electronic time marking, electronic transmission services and website authentication services.
It sets out precisely the conditions for starting a qualified trust service, the requirements that providers must fulfil in order to issue qualified certificates and provide other digital trust services, and the security requirements that the providers of these services must meet.
Finally, it determines that Member States should establish a supervisory body with the task of supervising qualified and non-qualified service providers.
Among other interesting aspects of the eIDAS Regulation, it is worth stressing the provisions for the issuance and maintenance of trusted lists and the possibility of using an EU trustmark for qualified trust services.
The European legislator requires each Member State to establish a trust list of all the Trust Service Providers for whom the "qualified" status is verified and guaranteed from the time of the application (the qualified status must be maintained by the provider through biennial conformity assessments and other subsequent monitoring activities).
Once included in the trust list, an Electronic Trust Services Provider may use the EU trustmark, including a link to that list, to present the services it offers in a simple and recognizable way.
This confirms the willingness of the EU legislator to promote a high level of transparency in the market and to increase the confidence in online services and their viability for the benefit of all users.
Because the legal instrument is a Regulation, it is a legislative measure with general scope, binding in its entirety and directly applicable in each Member State, without the need for transposition into its legal framework.
Although its definitions and some other aspects have already come into force, the Regulation will be fully implemented from 1 July 2016, in order to allow time for Member States to prepare for it. Certain provisions require additional legislative developments and others, such as the requirement to accept notified identification systems, will apply from 2018.
In Spain, the Cl@ve system is a good example of an identity accreditation system that could be developed to meet eIDAS requirements with greater alignment with ISO 29115.
Cl@ve is a system designed to unify and simplify citizens' electronic access to public services. Its main objective is for citizens to be able to identify themselves to the Public Administration through agreed codes (user and password), without having to remember different keys to access the different services.
Cl@ve complements the access systems based on e-ID and electronic certificates, and offers the possibility of signing in the cloud with personal certificates stored on remote servers.
It was formalized by Order PRE/1838/2014, of October 8, which publishes the Council of Ministers Agreement, dated September 19, 2014, approving Cl@ve, the common platform of the Public Sector State Administration for identification, authentication and electronic signature through the use of concerted keys.