=Paper=
{{Paper
|id=Vol-3863/invited1
|storemode=property
|title=eIDAS Regulation: History, Key Success Factors, and Future Developments
|pdfUrl=https://ceur-ws.org/Vol-3863/invited1.pdf
|volume=Vol-3863
|authors=Paolo Campegiani
|dblpUrl=https://dblp.org/rec/conf/tdi/Campegiani24
}}
==eIDAS Regulation: History, Key Success Factors, and Future Developments==
Paolo Campegiani
Namirial SpA, Italy
Abstract
The European Regulation on Digital Identity and Trust Services (eIDAS) underwent a major revision and
entered full effect in May 2024. It culminates almost 25 years of regulatory, technical, and commercial
developments. This article considers what has worked well to support this ambitious development and
what we could do to ensure the successful adoption of this new revision.
Keywords
eIDAS, digital identity, regulation, standardization
1. A brief history of the European regulations on digital identity
The current eIDAS Regulation (2024/1183) [1] came into full force in May of 2024. It resulted
from a revision of the previous version, Regulation 910/2014 [2], and as such it is informally
called eIDAS2.
Its development lasted almost four years, following the declaration made by the then (and
still) President of the European Commission, Dr. Ursula von der Leyen, in her State of the Union
speech of September 2020: “This includes control over our personal data which we still have far too
rarely today. Every time an App or website asks us to create a new digital identity or to easily
log on via a big platform, we have no idea what happens to our data in reality. That is why
the Commission will soon propose a secure European e-identity. One that we trust and
that any citizen can use anywhere in Europe to do anything from paying your taxes to renting
a bicycle. A technology where we can control ourselves what data and how data is used.” [3]
The development of this new European e-identity then took four years for a
variety of reasons, including the complexity and scope of the new revision and the emergence
of some unforeseen priorities related to the COVID pandemic and the war in Ukraine.
The original eIDAS Regulation, published in 2014, was not the first EU-led regulation in the
field of digital identity. The first act was the Directive 1999/93/CE that, almost 25 years ago,
defined a core set of principles. The directive focused on digital signature, which was developed
with the goal of supporting international e-commerce. It defined the concepts of
digital signature and advanced digital signature, and the idea of a provider of certification services
(digital certificates). Looking at this directive with our 2024 eyes provides some tender
moments. The directive was very small and compact, with 28 recitals (eIDAS2 has 78), 15 articles
(eIDAS2 has 51 articles, with many of them containing sub-articles), and four annexes (eIDAS2
has seven annexes: on this metric, the two pieces of legislation are more on par).
TDI 2024: 2nd International Workshop on Trends in Digital Identity, April 9, 2024, Rome, Italy
p.campegiani@namirial.com (P. Campegiani)
© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
One of the first things that one could ask is why there was such a vast development of the
legislation. eIDAS2 is a complex piece of legislation that inherits from the original eIDAS
Regulation some key concepts:
1. Trust service providers, specialized companies that provide trust services for monetary
compensation
2. Trust services. From the original digital signature of the Directive, this set has now
expanded to include 14 different services, ranging from digital signature (which now has
several specializations, depending on whether it is created locally or remotely, for people or
organizations) to timestamps, delivery, archiving, and the brand new European Digital
Identity Wallet, the world's first self-sovereign identity (SSI) system [4]
This massive growth in the scope and the ambition of eIDAS2 was not the result of the
over-regulation problem that affects the European Union, especially when it comes to small
and medium enterprises [5]. It is rather a consequence of the relevance of digital identity in
today’s life, and of the recognition that Europe has a huge internal market for related services and
products, with a recognized international positioning. The European Commission has made a
bold move with the eIDAS2 Regulation, pushing for the adoption of some new concepts: not
only the SSI approach to digital identity but also an initial regulation of the concept of the
electronic ledger, a more general concept encompassing blockchains and distributed ledgers.
The original Directive set the context, and the eIDAS Regulation of 2014 has successfully
created a thriving public-private ecosystem. It is worth investigating
what has worked very well and how the different stakeholders have collaborated to create a
fundamental piece of today’s online business transactions.
2. The key ideas of the original eIDAS Regulation
When the European Commission started drafting the eIDAS Regulation of 2014, it had to consider
some relevant political constraints and the institutional context. The European Commission
is tasked with supporting the internal market, removing all barriers to the free movement of
goods and services in the European Union. So, the eIDAS Regulation was a part of the Single
Digital Market [6], an overarching political strategy of the Commission in the ’10s-’20s that
included, among others, the abolition of the roaming charges and the modernization of data
protection.
2.1. Notification
In pursuing the goal of the Single Digital Market, the Commission had to consider that it had
(and still has) some legal limits on what it could legislate upon. The identity of citizens, including
their digital identity, is an exclusive competence of the 27 Member States comprising Europe.
The Commission cannot dictate how a single state provides (digital) identity to its citizens. It
can, however, define interoperability frameworks that help use such identity in a
cross-border fashion.
The eIDAS Regulation of 2014 introduced the notification concept for electronic identification
means. Each Member State can implement as many digital identities as it wants to. Still,
some rules have to be followed to enable citizens to access an online service located in another
Member State using one of these state-provided digital identities. The Member State must notify
its electronic identity system to a group composed of representatives of all the Member States,
plus the Commission. The group analyzes the system and classifies it according to its Level
of Assurance (LoA), which expresses the system’s robustness, labeling it as low, substantial, or
high [7]. An individual citizen, equipped with a specific notified means of authentication, can
access cross-border services only if the LoA of the authentication means is compatible with the
provided service.
This simple idea brilliantly transformed a weakness (having many different systems with
a national footprint) into a federated digital identity system, the biggest in the world. Today
there are dozens of notified means from many, but not all, of the European Member States [8].
2.2. Qualified and not qualified trust services
The original eIDAS Regulation defined the concept of trust services, including not only the
basic version but also a qualified version of them. The qualified digital signature, as an example,
has legal value and produces a legally binding effect. However, the “simple” digital signature
is not discriminated against per se: it can create legal effects, except that they have to be evaluated
on a case-by-case basis, should a controversy arise. This idea has helped a lot in structuring the
market in two tiers, with different operators working on both tiers with a more complete offer
or specializing in just one.
2.3. Trusted List
Private companies operating as (qualified) trust service providers are registered in a trusted
list, which provides a basic building block for interoperability. Once a digital signature
is embedded in a digital document, by looking at the certification authority that has issued
the certificate, it is possible to determine whether the signature is qualified by checking the
trusted list. When a user opens up Adobe Acrobat Reader and gets the message that all the
signatures are valid, it is the result of such consultation. It is uncommon for software made by
an American big tech company to follow European protocols.
Also, the trusted list is expandable, allowing pointers to similar databases managed by other
countries. Experimental integrations with countries like Japan and Ukraine are based on such
premises.
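The trusted-list lookup described in this section, as an added example that is not part of the original paper: a simplified Python model, with constructed lists and placeholder certificate bytes, that classifies a signer's issuing CA and follows pointers to other lists. It assumes the lists were already fetched and their own signatures verified, and it does no certificate path validation; the names `LISTS`, `service` and `classify_issuer` are hypothetical.

```python
import hashlib

# ETSI trusted-list URIs for the service type and status values used below.
QC_CA = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint used here to identify a CA certificate."""
    return hashlib.sha256(cert_der).hexdigest()

# Constructed stand-ins for DER-encoded CA certificates (not real certificates).
CA_A, CA_B, CA_C = b"constructed-ca-A", b"constructed-ca-B", b"constructed-ca-C"

def service(cert, status, tsp):
    return {"ca_fp": fingerprint(cert), "type": QC_CA, "status": status, "tsp": tsp}

# Constructed, simplified lists: "pointers" name other lists, as the text describes.
# The two lists point at each other to exercise loop protection.
LISTS = {
    "list-1": {"services": [service(CA_A, GRANTED, "Example TSP One")],
               "pointers": ["list-2"]},
    "list-2": {"services": [service(CA_B, WITHDRAWN, "Example TSP Two"),
                            service(CA_C, GRANTED, "Example TSP Three")],
               "pointers": ["list-1", "list-missing"]},
}

def classify_issuer(issuer_der: bytes, start: str, lists: dict):
    """Return ('qualified'|'listed-not-granted'|'unknown', provider name or None)."""
    target = fingerprint(issuer_der)
    seen, queue, weaker = set(), [start], None
    while queue:
        name = queue.pop(0)
        if name in seen or name not in lists:
            continue  # already visited, or a pointer to a list that was not loaded
        seen.add(name)
        for svc in lists[name]["services"]:
            if svc["ca_fp"] != target or svc["type"] != QC_CA:
                continue
            if svc["status"] == GRANTED:
                return ("qualified", svc["tsp"])
            weaker = ("listed-not-granted", svc["tsp"])  # listed, but not currently granted
        queue.extend(lists[name]["pointers"])
    return weaker or ("unknown", None)

if __name__ == "__main__":
    for cert in (CA_A, CA_B, CA_C, b"constructed-unlisted-ca"):
        print(classify_issuer(cert, "list-1", LISTS))
```

A CA that is absent from every reachable list and a CA whose service is listed but withdrawn are reported separately, since only the first is simply unknown to the trust framework.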
2.4. Standardization
The relevant articles defining a qualified trust service in the original eIDAS Regulation could
fit within a single page, as they state the essential characteristics of the service. Later, the
Commission publishes one or more Implementing Acts, which are similar to high-level technical
regulations clarifying some elements. However, the real work that makes it possible to have
interoperable trust services is done by the standardization committee. For all the trust services,
the unstoppable force behind the standardization process is the ETSI Electronic Signature and
Trust Infrastructure (ETSI ESI) committee [9]. Its standards, continuously updated, define the
technical infrastructure of the system. ETSI ESI develops its standards in the form of a series
of documents, each consisting of up to hundreds of pages. ETSI ESI is mainly composed of
technical stakeholders.
3. Lessons for eIDAS2
If eIDAS was so successful, it was because of the combination of many different elements. Each
stakeholder played its part with uncommon dedication to the cause, and the Regulation was
very well placed in time and within a favorable technical, economic, and political context.
The Commission set up the framework with the strong idea of accepting and integrating
different approaches to digital identity, allowing for two tiers of services helped in structuring
the market, and the flexibility of trusted lists laid out a simple extension mechanism.
The open standardization process, which is constantly under public scrutiny, has given a lot of
confidence to companies willing to invest and develop products in this market.
eIDAS has been quite a success, defining the gold standard of digital identity worldwide
and attracting many countries outside of Europe that see it as an open model that they could
implement in their countries.
eIDAS2 is ambitious. It is placed in a very different world than the original Regulation, as the
competition between blocs and regions is strong, reshoring is impacting and restructuring
many critical supply chains, and the twin transition is posing phenomenal challenges. Strong
cooperation between the different stakeholders should be considered a priority to make it a
success. Open development and standardization processes should attract competent developers
and scholars, and public funding for the digital transition must be assured for a long time,
considering that the switching of digital identity systems is quite a long process.
The European Union should be proud of what it has accomplished so far in the realm of
digital identity. eIDAS2 could give Europe another strategic advantage if the lessons learned
with the original regulation are applied and the fundamental, integral cooperation between the
different stakeholders is pursued.
References
[1] European Union, Regulation (EU) 2024/1183, in: Official Journal of the European Union, OJ L, 2024. URL: http://data.europa.eu/eli/reg/2024/1183/oj.
[2] European Union, Regulation (EU) 910/2014, in: Official Journal of the European Union, OJ L, 2014. URL: http://data.europa.eu/eli/reg/2014/910/oj.
[3] European Commission, State of the Union 2020, 2020. URL: https://state-of-the-union.ec.europa.eu/state-union-2020_en.
[4] A. Preukschat, D. Reed, Self-Sovereign Identity, Manning Publications, 2021.
[5] European Commission, EU competitiveness: Looking ahead, 2024. URL: https://commission.europa.eu/topics/strengthening-european-competitiveness/eu-competitiveness-looking-ahead_en.
[6] The European Council and the Council of the European Union, Digital single market for Europe, 2020. URL: https://www.consilium.europa.eu/en/policies/digital-single-market.
[7] European Commission, eIDAS Levels of Assurance (LoA), 2024. URL: https://ec.europa.eu/digital-building-blocks/sites/display/DIGITAL/eIDAS+Levels+of+Assurance.
[8] European Commission, Overview of pre-notified and notified eID schemes under eIDAS, 2023. URL: https://ec.europa.eu/digital-building-blocks/sites/display/EIDCOMMUNITY/Overview+of+pre-notified+and+notified+eID+schemes+under+eIDAS.
[9] ETSI, Technical Committee (TC) Electronic Signatures and Trust Infrastructures (ESI), 2024. URL: https://www.etsi.org/committee/esi?jjj=1728561494473.