<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta>
      <issn pub-type="ppub">1613-0073</issn>
    </journal-meta>
    <article-meta>
      <title-group>
        <article-title>eIDAS Regulation: History, Key Success Factors, and Future Developments</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Paolo Campegiani</string-name>
          <email>p.campegiani@namirial.com</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Namirial SpA</institution>
          ,
          <country country="IT">Italy</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2024</year>
      </pub-date>
      <abstract>
        <p>The European Regulation on Digital Identity and Trust Services (eIDAS) underwent a major revision and entered full effect in May 2024. It culminates almost 25 years of regulatory, technical, and commercial developments. This article considers what has worked well to support this ambitious development and what we could do to ensure the successful adoption of this new revision. from a revision of the previous version, Regulation 910/2014 [2], and it has such informally called eIDAS2.</p>
      </abstract>
      <kwd-group>
        <kwd>eIDAS</kwd>
        <kwd>digital identity</kwd>
        <kwd>regulation</kwd>
        <kwd>standardization</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>-</title>
      <p>CEUR</p>
      <p>ceur-ws.org</p>
      <p>(eIDAS2 has 51 articles, with many of them containing sub-articles), and four annexes (eIDAS2
has seven annexes: on this metric, the two pieces of legislation are more on par).</p>
      <p>
        One of the first things that one could ask is why there was such a vast development of the
legislation. eIDAS2 is a complex piece of legislation that inherits some key concepts from the
original eIDAS Regulation:
      </p>
      <p>1. Trusted service providers: specialized companies that provide trust services for
monetary compensation.</p>
      <p>
        2. Trust services. Starting from the original digital signature of the Directive, this set has
now expanded to include 14 different services, ranging from digital signature (which now has
several specializations, depending on whether it is created locally or remotely, for people or
organizations) to timestamps, delivery, archiving, and the brand new European Digital
Identity Wallet, the first in the world self-sovereign identity (SSI) system [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ].
      </p>
      <p>
        This massive growth in the scope and the ambition of eIDAS2 was not the result of the
over-regulation problem that affects the European Union, especially when it comes to small
and medium enterprises [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ]. It is rather a consequence of the relevance of digital identity in
today’s life, and of the recognition that Europe has a huge internal market for related services and
products, with a recognized international positioning. The European Commission has made a
bold move with the eIDAS2 Regulation, pushing for the adoption of some new concepts: not
only the SSI approach to digital identity but also an initial regulation of the concept of the
electronic ledger, a more general concept encompassing blockchains and distributed ledgers.
      </p>
      <p>The original Directive set the context, and the eIDAS Regulation of 2014 has successfully
created a thriving public-private ecosystem that has worked very well. It is worth investigating
what has worked very well and how the different stakeholders have collaborated to create a
fundamental piece of today’s online business transactions.</p>
    </sec>
    <sec id="sec-2">
      <title>2. The key ideas of the original eIDAS Regulation</title>
      <p>When the European Commission started drafting the eIDAS Regulation of 2014, it had to consider
some relevant political constraints and the institutional context. The European Commission
is tasked with supporting the internal market, removing all barriers to the free movement of
goods and services in the European Union. So, the eIDAS Regulation was a part of the Single
Digital Market [6], an overarching political strategy of the Commission in the ’10s-’20s that
included, among others, the abolition of the roaming charges and the modernization of data
protection.</p>
      <sec id="sec-2-1">
        <title>2.1. Notification</title>
        <p>In pursuing the goal of the Single Digital Market, the Commission had to consider that it had
(and still has) some legal limits on what it could legislate upon. The identity of citizens, including
their digital identity, is an exclusive competence of the 27 Member States comprising Europe.
The Commission cannot dictate how a single state provides (digital) identity to its citizens. It
can, however, define interoperability frameworks that help use such identity in a
cross-border fashion.</p>
        <p>The eIDAS Regulation of 2014 introduced the notification concept for electronic identification
means. Each Member State can implement as many digital identities as it wants. Still,
some rules have to be followed to enable citizens to access an online service located in another
Member State using one of these state-provided digital identities. The Member State must notify
its electronic identity system to a group composed of representatives of all the Member States,
plus the Commission. The group analyzes the system and classifies it according to its Level
of Assurance (LoA), which expresses the system’s robustness, labeling it as low, substantial, or
high [7]. An individual citizen, equipped with a specific notified means of authentication, can
access cross-border services only if the LoA of the authentication means is compatible with the
provided service.</p>
        <p>This simple idea brilliantly transformed a weakness (having many different systems with
a national footprint) into a federated digital identity system, the biggest in the world. Today
there are dozens of notified means from many, but not all, of the European Member States [8].</p>
      </sec>
      <sec id="sec-2-2">
        <title>2.2. Qualified and not qualified trust services</title>
        <p>The original eIDAS Regulation defined the concept of trust services, including not only the
basic version but also a qualified version of them. The qualified digital signature, as an example,
has legal value and produces a legally binding effect. However, the “simple” digital signature
is not discriminated against per se: it can create legal effects, except that they have to be evaluated
case by case, should a controversy arise. This idea has helped a lot in structuring the
market in two tiers, with different operators working on both tiers with a more complete offer
or specializing in just one.</p>
      </sec>
      <sec id="sec-2-3">
        <title>2.3. Trusted List</title>
        <p>Private companies operating as (qualified) trust service providers are registered in a trusted
list, which provides a basic building block for interoperability. Once a digital signature
is embedded in a digital document, by looking at the certification authority that has issued
the certificate, it is possible to determine whether the signature is qualified by checking the
trusted list. When a user opens up Adobe Acrobat Reader and gets the message that all the
signatures are valid, it is the result of such a consultation. It is uncommon for software made by
an American big tech company to follow European protocols.</p>
        <p>Also, the trusted list is expandable, allowing pointers to similar databases managed by other
countries. Experimental integrations with countries like Japan and Ukraine are based on such
premises.</p>
      </sec>
      <sec id="sec-2-4">
        <title>2.4. Standardization</title>
        <p>The relevant articles defining a qualified trust service in the original eIDAS Regulation could
fit within a single page, as they state the essential characteristics of the service. Later, the
Commission publishes one or more Implementing Acts, which are similar to high-level technical
regulations clarifying some elements. However, the real work that makes it possible to have
interoperable trust services is done by the standardization committee. For all the trust services,
the unstoppable force behind the standardization process is the ETSI Electronic Signature and
Trust Infrastructure (ETSI ESI) committee [9]. Its standards, continuously updated, define the
technical infrastructure of the system. ETSI ESI develops its standards in the form of a series
of documents, each consisting of up to hundreds of pages. ETSI ESI is mainly composed of
technical stakeholders.</p>
      </sec>
    </sec>
    <sec id="sec-3">
      <title>3. Lessons for eIDAS2</title>
      <p>If eIDAS was so successful, it was because of the combination of many different elements. Each
stakeholder played its part with uncommon dedication to the cause, and the Regulation was
very well placed in time and within a favorable technical, economic, and political context.</p>
      <p>While the Commission set up the framework with this strong idea of accepting and integrating
different approaches to digital identity, allowing for two tiers of services has helped in structuring
the market, and the flexibility of trusted lists has laid out a simple extension mechanism.
The open standardization process, which is constantly under public scrutiny, has given a lot of
confidence to companies willing to invest and develop products in this market.</p>
      <p>eIDAS has been quite a success, defining the gold standard of digital identity worldwide
and attracting many countries outside of Europe that see it as an open model that they could
implement in their countries.</p>
      <p>eIDAS2 is ambitious. It is placed in a very different world than the original Regulation, as the
competition between blocs and regions is strong, reshoring is impacting and restructuring
many critical supply chains, and the twin transition is posing phenomenal challenges. Strong
cooperation between the different stakeholders should be considered a priority to make it a
success. Open development and standardization processes should attract competent developers
and scholars, and public funding for the digital transition must be assured for a long time,
considering that the switching of digital identity systems is quite a long process.</p>
      <p>The European Union should be proud of what it has accomplished so far in the realm of
digital identity. eIDAS2 could give Europe another strategic advantage if the lessons learned
with the original regulation are applied and the fundamental integral cooperation between the
different stakeholders is pursued.</p>
      <p>[6] The European Council and the Council of the European Union, Digital single market for
Europe, 2020. URL: https://www.consilium.europa.eu/en/policies/digital-single-market.</p>
      <p>[7] European Commission, eIDAS Levels of Assurance (LoA), 2024. URL: https://ec.europa.eu/digital-building-blocks/sites/display/DIGITAL/eIDAS+Levels+of+Assurance.</p>
      <p>[8] European Commission, Overview of pre-notified and notified eID schemes under eIDAS,
2023. URL: https://ec.europa.eu/digital-building-blocks/sites/display/EIDCOMMUNITY/Overview+of+pre-notified+and+notified+eID+schemes+under+eIDAS.</p>
      <p>[9] ETSI, Technical Committee (TC) Electronic Signatures and Trust Infrastructures (ESI), 2024.
URL: https://www.etsi.org/committee/esi?jjj=1728561494473.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>European</given-names>
            <surname>Union</surname>
          </string-name>
          ,
          <source>Regulation (EU)</source>
          <year>2024</year>
          /1183, in:
          <source>Official Journal of the European Union</source>
          , OJ L,
          <year>2024</year>
          . URL: http://data.europa.eu/eli/reg/2024/1183/oj.
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>European</given-names>
            <surname>Union</surname>
          </string-name>
          ,
          <source>Regulation (EU) 910/</source>
          <year>2014</year>
          , in:
          <source>Official Journal of the European Union</source>
          , OJ L,
          <year>2014</year>
          . URL: http://data.europa.eu/eli/reg/2014/910/oj.
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>European</given-names>
            <surname>Commission</surname>
          </string-name>
          ,
          <source>State of the Union</source>
          <year>2020</year>
          ,
          <year>2020</year>
          .
          <article-title>URL: https://state-of-the-union.ec.europa.eu/state-union-2020_en</article-title>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>A.</given-names>
            <surname>Preukschat</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Reed</surname>
          </string-name>
          ,
          <source>Self-Sovereign Identity</source>
          , Manning Publications,
          <year>2021</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>European</given-names>
            <surname>Commission</surname>
          </string-name>
          , EU competitiveness: Looking ahead,
          <year>2024</year>
          . URL: https://commission.europa.eu/topics/strengthening-european-competitiveness/eu-competitiveness-looking-ahead_en.
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>