Language:
European flag

eIDAS 2.0: Our Changes at a Glance

Published 18.12.2023

In 2014, the European Union embarked on a new phase of its digital future under a somewhat clunky title: The purpose of the “Regulation on electronic identification and trust services for electronic transactions in the internal market” was to bring trust to digital business and administrative processes. To this end, the eIDAS Regulation – as it is known for short – set out requirements for secure identification and authentication on the Internet. It also defined a Europe-wide framework for trust services that digitise analogue processes such as signatures and seals in order to create a European digital trust space.

Why eIDAS 2.0?

The aim of the regulation has not changed to this day. However, both the digital habits of citizens and the range of online services available have changed considerably. The implementation of the eIDAS Regulation also fell short of expectations in some cases, as the European Commission found following an evaluation in 2020. For example, too few Member States had introduced an eID – an electronic proof of identity that citizens and legal entities can use to identify themselves for online services.

The report also criticised the fact that the eIDAS toolbox did not sufficiently address the needs of specific sectors. In 2021, the European Commission therefore felt compelled to initiate an amendment to the regulation with eIDAS 2.0 – and, as part of this, to oblige Member States to provide their citizens with access to a Europe-wide recognised digital identity in the form of a digital Wallet. The project is intended to make everyday processes in the EU significantly easier.

Objectives and Content of eIDAS 2.0

On 8 November 2023, the Commission, the EU Parliament and the Council of the European Union reached agreement on a revised regulation in a “trialogue”. The purpose of eIDAS 2.0, or the European Digital Identity Framework (the official name of the regulation), is to remedy the shortcomings of the “original” and at the same time to deepen the European area of trust without undermining the sovereignty of the Member States.

Central project:

  • All Member States must provide their citizens and legal entities with eID Wallets and recognise those of the others.
  • With the European Digital Identity Wallet (EUDIW), citizens will be able to authenticate themselves online for private and administrative services in the future.
  • Other digital credentials, such as driving licences or training certificates, can also be stored in the Wallet and shared as required.

To ensure that Wallets and digital identities can be used and recognised throughout Europe, the amendment sets out requirements regarding the interoperability, data protection and security of Wallets as well as the verification of digital attributes. The specific requirements for the Wallets are being worked out by the European standards committees.

eIDAS 2.0: Solutions in the Toolbox

Along with new trust services, eIDAS 2.0 also brings new regulations for the use of existing trust services. For example, web browsers such as Chrome, Edge and Firefox will be obliged to recognise qualified certificates for website authentication in future. These certificates, also called QWACs, will then show users, in line with the strict standards of the EU, whether the company behind the website they are accessing is actually the one displayed in the browser. This will strengthen consumer and data protection by preventing phishing attacks, for instance.

New Trust Services – Digital Credentials

New additions to the range of trust services include services for electronic archiving, and the management of electronic remote signature and seal creation devices.

In addition, there is the Qualified Electronic Attestation of Attributes (QEAA). The QEAAs play a special role in the eIDAS 2.0 toolbox. After all, the Commission’s evaluation report has already recognised that eIDAS fell short in many areas of life, such as education, banking and the travel industry.

Why? Because when people identify themselves online in those sectors, they not only have to prove who they are, but also what they are. In other words: Anyone applying for a place at a university should be able to prove that they have a general higher education entrance qualification besides their name, age and date of birth. When renting a car, the rental company also requires proof of a driving licence.

And this is where the QEAA comes into play: With these attributes, a qualified trust service provider checks and validates the corresponding data, such as on professional qualifications, educational qualifications, official permits or licences, which can then be issued to the EUDI Wallet. This basically means that QEAAs are the main prerequisite for a functioning Wallet. This is the only way to quickly and conveniently provide digital proof of documents and permits – from school reports and marriage certificates to driving licences.

The EUDI Wallet: Digital Identification with eIDAS 2.0

Holders of an EUDI Wallet should be able to manage their digital forms of evidence conveniently via their smartphones and always have them to hand when private service providers, authorities or educational institutions require them. The EUDI Wallet also plays a central role in current or planned European electronic identification projects. For instance, it is conceivable that patients in Germany will be able to access their electronic patient file from here or that doctors will be able to access their electronic health professional card, such as for authenticating themselves as members of their profession in the planned European Health Data Space (EHDS).

The planned ecosystem for the Wallet could work as follows: All identity credentials on the smartphone are checked and electronically signed by qualified trust service providers or authorised government sources, such as the residents’ registration office or the motor vehicle authority. They are stored on the smartphone of the Wallet holder, who must then approve the transfer to the relying parties, i.e. the end users, such as banks, car hire companies and certain authorities. The relying party that requires the data can then use an EU Trusted List to check whether it has actually been verified by the issuing authority. In contrast, the exhibitor is not aware of this – thus protecting the privacy of the owner.

How eIDAS 2.0 Ensures Security and Data Protection

eIDAS 2.0 and the EUDI Wallet as its core element are heavily based on the General Data Protection Regulation (GDPR) and the European Cybersecurity Act. For a Wallet to be recognised as a means of identification in a Member State, it must be certified – and notified to the highest trust level (“high”) according to eIDAS. The fact that only qualified trust service providers can provide the QEAA that is indispensable for Wallets is a further building block in the security architecture surrounding the EUDI.

The eIDAS 2.0 regulation also makes the state digital identity the central component of the Wallet on the smartphone. In Germany, this identity is the eID, the online ID function that will provide personal identification data at a high level of trust for the digital wallet. As the BMI states in a discussion paper, this data cannot be derived. It can either remain in the chip card of the ID card, the secure element on the phone or, in this case, in the permanently installed eSIM card.

With the EUDI Wallet, as with the Smart-eID, all personal data shall be stored in a secure environment on the smartphone – and only there. This also means that citizens explicitly authorise every data transfer from the Wallet themselves. In addition, the relying parties that authorise the Wallet for identification need to register for a differentiated access system. In the event of misuse, users will be able to report directly to the data protection authority via the Wallet.

It is also more data-efficient to use the EUDI wallet than an analogue counterpart. For example, checking the age with the Wallet would only transmit that the relevant person has exceeded the required age. Further information such as the full date of birth or address – currently shown with an ID card, for example – would not be disclosed.

eIDAS 2.0 and its Schedule

The question remains as to when such procedures will become a reality in Europe’s authorities, hotels and banks. The “trialogue” negotiations on eIDAS 2.0 between the European Commission, the Council of the European Union and the European Parliament have been concluded. The next step is official approval by the EU Council and Parliament. The lead ITRE Committee already voted in favour on 7 December, with the plenary scheduled to follow in February 2024. eIDAS 2.0 will then be published in the Official Journal of the EU. The regulation will enter into force 20 days later – and apply directly in all member states. However, the Member States will still have more than two years until they actually have to offer the digital wallet.

The Current eIDAS 2.0 Timetable

The Current eIDAS 2.0 Timetable
Dates Milestones
8. November 2023 Conclusion of the trialogue negotiations between the EU Commission, the Council of the EU and the EU Parliament
7 December 2023 Adoption of the agreement by the European Parliament’s lead Committee on Industry, Research and Energy (ITRE)
Expected in February 2024 Vote in the EU Parliament and in the Council of the European Union in plenary
Expected at the end of March 2024 Signature and publication in the Official Journal of the EU
Mid-April 2024 Entry into force of the eIDAS 2.0 Regulation
Around October 2026 Deadline for Member States to provide a Wallet

Implementation of the eIDAS 2.0 Regulation

The EU Commission must issue the necessary regulations for the technical implementation of the regulation within six to twelve months as part of implementing acts (around 50 in total). After their publication, the Member States will have two years to offer a Wallet to their citizens.

The Future of Electronic Identification in Europe

With eIDAS 2.0, the EU is setting a milestone for secure, self-sovereign identification in the digital space from which the entire European single market can benefit. The interaction between Qualified Electronic Attestation of Attributes (QEAA) and the EUDI Wallet will do more than just ensure that all forms of evidence are available digitally. It is also intended to allow natural persons and legal entities to benefit from a significantly increased range of digital services in public administration, education, banking and the travel industry.

Particularly in these areas, comprehensive identification requires the submission of attributes and evidence. By being available in a Wallet with just a few clicks, many processes that used to involve additional work on site could be handled completely digitally. This would also greatly speed up administrative and business processes. Without a doubt, eIDAS 2.0 promises many benefits. This makes it all the more important to ensure its rapid and comprehensive implementation.

Article
Article