Electronic identification and trust services (eIDAS) refer to a range of services that include verifying the identity of individuals and businesses online and verifying the authenticity of electronic documents. Since 2014, such services provided in the EU have been subject to the eIDAS Regulation, which aimed to create a predictable regulatory environment across the EU and ensure that interoperability across different EU Member States. The eIDAS Regulation’s complexity, inflexibility and perceived limitations resulted in limited adoption, while the COVID-19 pandemic simultaneously fueled an increased demand for electronic identification. Consequently, the European Commission committed to revising the eIDAS Regulation to establish an EU-wide attribute-based electronic identity framework, incorporating a government-issued digital identity wallet to eliminate the dependence on commercial authentication providers.
The revised eIDAS Regulation, often referred to as “eIDAS 2.0,” was adopted by the European Parliament at the end of February, and formally adopted by the Council on March 26, 2024. Following this, the text of the regulation will be published in the EU’s Official Journal in a matter of weeks, with eIDAS 2.0 set to enter into force 20 days thereafter. eiDAS 2.0 will be fully implemented by 2026.
eIDAS 2.0 introduces digital ID wallets (eID Wallets) which can be issued by either a Member State or a certified private entity designated by a Member State. The eID Wallets will need to be made available by EU Member States by 2024 to every citizen who wants one.
The aim of the eID Wallet is to allow citizens to link their national identity documentation and other electronic documents to their mobile phones. The purpose of the eID Wallet extends beyond identity verification, as they also serve as repositories for personal attributes and credentials, such as education certificates, birth certificates and bank cards. Moreover, EU citizens will be able to utilize the eID Wallet for digitally signing documents with a qualified electronic signature, offering enhanced security and identity verification, especially in banking transactions.
Although 14 out of the EU’s 27 countries (accounting for 60% of the EU population) currently have existing national digital identity systems, these systems are often limited to public services and lack cross-border interoperability given the variances in how the separate Member States’ digital identity programs work. Consequently, a significant portion of the EU population remains without any form of digital identification. The introduction of the eID Wallet at an EU level aims to address these limitations, providing an interoperable solution that shares common features, while also giving Member States the flexibility to pursue their own designs and functionality.
The potential benefits of implementing this single solution for digital identification are substantial. The European Commission estimates businesses could benefit from cost savings exceeding €11 billion per year, and that by 2030, at least 80% of EU citizens will adopt the eID Wallet.
Part of the EU’s motives for the introduction of the eID Wallet is to ensure that the processing of personal data can be minimized through the harmonized framework, with the highest level of security to be maintained when personal data is used for authentication purposes. eIDAS 2.0 purports to ensure compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and includes specific data protection safeguards for the eID Wallets, e.g., by improving the options to share data and to enable discretional disclosures of data.
One of the biggest use cases for the eID framework will be businesses with stringent “know your customer” processes. For example, many banks in the EU continue to rely on time-consuming in-person verification procedures for onboarding new customers. However, by adopting an eID solution, banks can instantly and securely receive verified documents electronically, thereby facilitating a seamless online onboarding process. Furthermore, when banks are providing loans, an eID solution eliminates the need for multiple in person meetings and physical document verification, streamlining the process and reducing transaction costs. This shift not only enhances the overall customer experience but also aims to mitigate against the risk of identity fraud, provided stringent verification processes are put in place. The eID framework would also simplify the on-boarding process for online platforms with existing e-verification processes, as potential customers would be able to sign up in one click using their eID Wallet and mitigate the risk of applications being abandoned.
eIDAS 2.0 also presents a commercial opportunity for providers of eID solutions, as Member States will seek collaborations with the private sector to develop functional and secure digital wallets for their citizens.
Some of the key aspects of the eIDAS 2.0 include the following:
- The use of e-signatures will be free of charge for EU citizens; however, Member States may introduce measures to specify that the free-of-charge use is limited to non-professional purposes.
- The eID Wallet business model will not impose fees for issuing, using or revoking signatures and validation mechanisms (to verify the validity and authenticity of the eID Wallet and identity of the parties relying on the eID Wallet).
- The application software components used for the code for the eID Wallets will be open source; however, Member States may not disclose specific components if there is justification for doing so.
- The scope of qualified web authentication certificates (QWACs) allows individuals to verify who is behind a website and maintains the current industry standards and security rules.
eIDAS 2.0 marks a significant leap toward a unified digital identity landscape in the EU, offering a robust framework that blends security, interoperability and user convenience. By addressing the shortcomings of the previous system and leveraging the potential of eID Wallets, eIDAS 2.0 aims to streamline online transactions, enhance privacy protections and foster economic growth. Both businesses operating in the EU and international businesses with EU customers should start taking steps to review and adapt their internal policies and procedures to be compatible with eiDAS 2.0. The need to engage and contract with any third-party service providers should also be assessed in the coming months to ensure that the benefits offered by eIDAS 2.0 can be leveraged efficiently.
The authors would like to thank trainee solicitor Elinor Lee for her contributions to this blog.
[View source.]