Quick reference guide to eIDAS-Regulation 910/2014
The regulation (EU) No 910/2014 on electronic identification and Trust Services for electronic transactions in the internal market, which is commonly known as eIDAS-Regulation has been fully in force since July, 1st 2016. It is an important part of the legal framework concerning various electronic forms, functions and services of electronic government and justice. This Art. gives an overview to the various rules, regulations and standards created to implement eIDAS and addresses questions regarding the technical recognition of qualified trust services.
(Dieser Beitrag wurde auch veröffentlicht unter Johannes ZD-Aktuell 2021, 05268)
1. Reference Guide
The eIDAS-Services comprise the eID Service for electronic identification regulated by Chapter II and a variety of Trust Services according to Art. 3(16) – in particular regarding the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services – and regulated by Chapter III of the eIDAS-Regulation.
1.2 Implementation regulations and decision by the European Commission
The eIDAS-Regulation is subject to concretisation by implementing regulations as well as decisions by the European Commission. Those that concern eID are:
- Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Art. 8(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.
- Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework pursuant to Art. 12(8) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.
- Commission Implementing Decision (EU) 2015/1984 of 3 November 2015 defining the circumstances, formats and procedures of notification pursuant to Art. 9(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.
- Commission Implementing Decision (EU) 2015/296 of 24 February 2015 establishing procedural arrangements for cooperation between Member States on electronic identification pursuant to Art. 12(7) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.
Those that concern Trust Services are:
- Commission Implementing Regulation (EU) 2015/806 22 May 2015 laying down specifications relating to the form of the EU trust mark for qualified trust services.
- Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 laying down technical specifications and formats relating to trusted lists pursuant to Art. 22(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.
- Commission Implementing Decision (EU) 2015/1506 of 8 September 2015 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies pursuant to Art.s 27(5) and 37(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.
- Commission Implementing Decision (EU) 2016/650 of 25 April 2016 laying down standards for the security assessment of qualified signature and seal creation devices pursuant to Art.s 30(3) and 39(2) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance).
1.3 Implementation Laws by Member States
Since 2016, most provisions of eIDAS-Regulation are directly applicable in the 28 EU Member States‘ legal frameworks, overcoming problems of fragmented national regimes. Art. 288 of the Treaty on the Functioning of the European Union states that a Regulation – unlike a Directive – shall have general application. It shall be binding in its entirety and directly applicable in all Member States.
Nonetheless Member States are obliged to regulate and ascertain certain aspects of the Trust Service Chapter, e.g. they have to empower a national Supervisory Body. Member States can regulate these aspects according to their laws, e.g. Germany has enacted the Vertrauensdienstegesetz (VDG) and the Vertrauensdiensteverordnung (VDV).
The European Commission maintains various list as to the state of these national implementations as informative tools:
- Information by Member States with regard to the implementation of the Trust Services chapter of the eIDAS-Regulation.
- Compilation of Member States‘ notifications and information on:
- Designated Bodies under Art. 30(2) and 39(2) of Regulation 910/2014
- Certified Qualified Signature Creation Devices under Art. 31(1)-(2) and Certified Qualified Seal Creation Devices under Art. 39(3) of Regulation 910/2014 and
- Secure Signature Creation Devices benefiting from the transitional measure set in Art. 51(1) of Regulation 910/2014.
- List of conformity assessment bodies (CABs) accredited against the requirements of the eIDAS-Regulation.
- List of alternative processes notified to the Commission in accordance with Art.s 30(3)(b) and 39(2) of the eIDAS-Regulation.
1.4 Technical Standards
The eIDAS-Regulation is written in a technology-neutral way, see Art. 12(3)(a) and Recital 27, but the implementation decisions and regulations by the European Commission reference a variety of technological specifications. Important for Trust Services are those by the European Telecommunications Standards Institute (ETSI). ETSI has defined a set of standards which are recognized by many of the EU national supervisory authorities as best practices aimed at meeting the requirements of eIDAS and have been adopted as the basis for the national audit schemes. ETSI Standards usually make normative reference to various applicable standards from other standardisation organisations and bodies, e.g. IETF and ISO. Other standards have been put into effect by standardisation organisations like OASIS OPEN. A list to ETSI’s electronic signatures and infrastructures activities can be found here.
The standards for creating and validating advanced electronic signatures are defined in ETSI EN 319 102-1 and specified in ETSI EN 319 122-1, ETSI EN 319 122-2, ETSI EN 319 132, ETSI EN 319 142-1 and 2 as well as ETSI EN 319 162.
The same standards apply, as a basis, to qualified electronic signatures. That follows Art. 26(1)h eIDAS. In addition, qualified electronic signatures are created by (i) including a qualified certificate (ii) issued by a qualified Trust Service Provider. The standards for Trust Service Providers and Provider Conformity Assessments are defined in ETSI EN 319 401, ETSI EN 319 403-1 and ETSI 319 411-1. The Requirements for Trust Service Providers issuing EU qualified certificates are set in ETSI EN 319 411-2. A final draft of ETSI TS 119 172-4, a signature validation policy for eIDAS qualified electronic signatures and seals using trusted lists, has been published.
Important for eID Services are the technical specifications that have been developed by Member States and the European Commission collaborating in the technical subgroup on eID of the eIDAS Cooperation Network. The Commission also provides a sample implementation based on these technical specifications which Member States can adopt as an „off-the-shelf“ implementation. The current version was endorsed by Opinion No. 5/2019 of the Cooperation Network on 27 September 2019. It consists of four separate documents, each concerning a specific area: eIDAS Message Format v1.2; eIDAS Interoperability Architecture v.1.2, eIDAS Cryptographic Requirement v.1.2 and eIDAS SAML Attribute Profile v1.2.
2. Technical Recognition of qualified signatures among EU Member States
The eIDAS-Regulation provides a regulatory environment for (i) electronic identification of natural and legal persons and (ii) for a set of electronic Trust Services, e.g. creation and validation of electronic signatures and seals. It sets the principle of non-discrimination of the legal effects and admissibility of these Trust Services as evidence in legal proceedings, see Art. 46 eIDAS. Mutual recognition of qualified signatures, seals and time stamps among Member States is enshrined in eIDAS itself, see Art. 25(3); Art. 35(3) and Art. 41(3) eIDAS.
The required mutual recognition is secured by trusted lists in accordance with Art. 22. Each Member State has to establish, maintain and publish trusted lists, including information related to the qualified Trust Service Providers for which it is responsible, together with information related to the qualified Trust Services provided by them.
To allow access to the trusted lists of all Member States in an easy and trustworthy manner, the European Commission publishes a central list with links to the locations where the trusted lists are published as notified by Member States to the European Commission for informative purposes. The European Commission maintains a secure public record to these lists. The lists are suitable for automatic processing. This central list, called the List of trusted lists (LOTL), is available as a signed or sealed XML machine-processable form here.
The trusted lists of Member States include, as a minimum, information specified in Art.s 1 and 2 of Commission Implementing Decision (EU) 2015/1505, where the technical specifications defined in ETSI TS 119 612 v2.1.1 are referenced. Trusted lists allow users to determine the qualified status and the status history of Trust Service Providers and their services. Under eIDAS, national trusted lists have a constitutive effect. According to Art. 21(3) a qualified Trust Service provider may only begin to provide the qualified Trust Service after its qualified status, as granted by the supervisory body pursuant to Art. 21(2), has been indicated in the trusted lists.
Trusted lists are also electronically signed XML files, as specified by ETSI TS 119 612, which enable in practice any interested party to determine whether a Trust Service is or was operating in compliance with relevant requirements, currently or at a given time in the past (e.g. at the time the service was provided or at the time at which a transaction reliant on that service took place).
In order to fulfil this requirement, trusted lists contain information from which it can be established whether the Trust Service Provider’s service is, or was, known by the Trusted List Scheme Operator and if so the status of the service at a given time. Trusted lists therefore contain not only the service’s current status, but also the history of its statuses. Following Art. 22(1) and Annex I of Commission Implementing Decision (EU) 2015/1505, EU Member States have to include in their national trusted list the information related to the grant of a qualified status to a Trust Service Provider and to maintain over time the information on any change of that status. This information is required to be kept and maintained forever from the date of the grant of a qualified status.
The validation requirements for qualified electronic signatures are defined by law in Art. 32 eIDAS. They apply mutatis mutandis to the validation of qualified electronic seals, Art. 40 eIDAS: In order to validate that a Trust Service (e.g. signature service) is qualified under eIDAS, a relying party would need to check the qualified status of the given Trust Service at the time of use and that it was provided by a qualified Trust Service Provider. Provided a Trust Service is included in the trusted list, it provides the relying party with the necessary information about the given Trust Service, its status and status history and potentially additional relevant information helping the relying party to validate the Trust Service or its outputs (i.e. signature or seal). The relying party would additionally verify the qualified electronic signature against the information provided by the Trust Service provider.
The validation process of the electronic signature itself is described by the European Commission in the qualified electronic signature (QES) validation algorithm. The algorithm focuses on determining whether the certificate is qualified, what is the type of this certificate and whether the corresponding private key is protected by a qualified signature/seal creation device. ETSI has published a draft to signature applicability rules (validation policy) for European qualified electronic signatures/seals using trusted lists, TS 119 172-4. Signature validation itself should be set out according ETSI EN 319 102-1 using an appropriate validation policy.
3. Verification of certificates issued by providers from multiple states
Validation is an ancillary service to electronic signatures and electronic seals. It is the process of confirming the validity of a (qualified) electronic signature or electronic seal, that is, that the certificate used to create the signature or the seal was valid at the moment of creation (it was not revoked, suspended, or expired). The validation of qualified Trust Services can itself be a qualified Trust Service, see Art. 33 eIDAS.
There are no centralized portals for verifications of certificates issued by providers from multiple states. There are however trusted lists / the LOTL that enable to verify the status of Trust Service Provider at a given time as verified by the national supervisory body in accordance with Art. 21(2) eIDAS. The European Commission offers here an online eSignature validation tool for implementers to help them validate their solutions.
4. Information to the specific individual
Qualified Trust Service Providers are required by law (Art. 24(1) eIDAS) to verify the identity and, if applicable, any specific attributes of the natural or legal person to whom the qualified certificate is issued afterwards. The validation of a qualified electronic signature usually does not provide or disclose additional information, that is not already provided within the electronic signature or the qualified certificate. Processing of personal data shall be carried out in accordance with European Data Protection laws (Art. 5(1) eIDAS).
The link to the specific individual is the certificate issued by the qualified Trust Service Provider. The requirements for certificates are set force by Annex I of eIDAS. They must contain at least the name of the signatory, or a pseudonym, see lit. c). Moreover, they must contain the certificate identity code, which must be unique for the qualified Trust Service Provider, see lit. f). This complies with Art. 26(b) eIDAS concerning advanced electronic signatures. Advanced and qualified electronic signature need to be capable of identifying the signatory.
No further personal information needs to be disclosed by the Trust Service Provider nor are unique national ID numbers available in all Member States.
5. Unilateral recognition of eIDAS-eSignatures by a non-EU Member states
As to date there is no example by a third country for a unilateral recognition of all Trust Service Providers, qualified electronic signatures and eID Services available under the eIDAS-Regulation. However, such a rule is currently being discussed, for example in the context of a future global trust architecture and international, global trust lists. ETSI also mentions the possibility of recognition of Trust Services by third countries and their authorities (pp. 77 and 78). In practice, there solutions where national authorities in third countries have recognised and listed certain EU-providers of eID Services and Trust Services under the conditions of their national laws, e.g. Switzerland and Israel.