eIDAS 2.0: What changes and news will it bring?

The revision of eIDAS Regulation No. 910/2014 on electronic identification and trusted services for electronic transactions in the internal market, known simply as eIDAS 2.0, brings several changes to electronic communication. What will stay the same, what will be added, and when will it happen?

What will not change in eIDAS 2.0?

eIDAS 2.0 retains the existing levels of electronic signatures and seals as well as the existing trusted services. We will continue to recognize the following.

Levels of electronic signatures and seals according to eIDAS:

  • Simple electronic signature
  • Advanced electronic signature without qualified status
  • Advanced electronic signature with qualified status
  • Qualified electronic signature

Trusted services according to eIDAS:

  • Issuance of certificates for electronic signatures (QCert for ESig, QCert for ESeal)
  • Issuance of certificates for electronic seals (QWAC)
  • Trusted validation of certificates for electronic signatures and seals (QWal for QESig, QWal for QESeal)
  • Preservation of qualified electronic signatures and seals (QPres for QESig, QPres for QESeal)
  • Timestamp (QTimestamp)
  • Trusted delivery service (Slovensko.sk)

New in eIDAS 2.0: eWallet – Documents in mobile

Although the text of eIDAS 2.0 has already been published, individual countries have not yet adopted the directive. Therefore, we do not yet know exactly what the specific implementation in our legislation will look like.

However, we already know that eIDAS 2.0 will primarily introduce the EU Digital Identity Wallet (EUDIW), also known as eWallet, which will provide mobile documents. This is a new means of electronic identification in the online space, serving to access trusted state or commercial services. This digital wallet should not only allow login to Slovensko.sk but also provide an identity for registration in other sectors.

Each EU member state will be required to provide at least one eWallet. The state can choose whether to implement a government solution or provide a solution through a selected private provider, purchasing it as a service.

For eWallet users, the following applies:

  • the use of eWallet is not mandatory – users can choose whether or not to use eWallet (it will function similarly to the current QES and not every citizen will need to have it);
  • eWallet can also be used for in-person identification – users will not need to carry all documents with them but can present themselves via their mobile phone (this, of course, depends on the types of documents the state has digitized and the conditions set by legislation);
  • users decide which data they provide about themselves – they can choose which data to share (for example, when purchasing goods and services restricted to those over 18, they may only need to provide their date of birth).

Member states may, but are not required to, take measures to provide the qualified electronic signature (QES) through eWallet free of charge for non-commercial purposes. If all citizens were to start using remote signing for commercial purposes, it would mean a huge financial burden for the state. Therefore, eWallet is primarily intended for non-commercial purposes. Use for commercial purposes will likely require integration by private trusted service providers.

What else will be added in eIDAS 2.0?

In connection with the eWallet, eIDAS 2.0 also addresses:

  • Creation of pseudonyms: If a user does not want to share their personal data, for example, when shopping at an adult online store, they can use a pseudonym instead of their real name. This way, the store only confirms the user’s age, ensuring the commercial entity complies with legal obligations.
  • User access to a dashboard: Users will have access to a dashboard where information about their completed transactions will be available. On the dashboard, users can see to whom they have provided their personal data and can efficiently communicate with the data protection authority to protect their privacy.
  • Option to request the deletion of personal data under GDPR: Users can see to whom they have given consent for processing their personal data and can not only request its deletion but also track whether the entity has complied with their request.
  • Reporting incidents and potential incidents of personal data misuse: If a user notices a suspicious request, such as an excessive demand for personal data from an online store, they can reject this request, define the data to be provided, and report the suspicious request to the data protection authority.
  • Peer-to-peer communication, or eWallet-to-eWallet: For example, when buying on an online marketplace, users can verify if they are buying from a real person and confirm their identity without needing to send a scan of their ID card. This will increase transparency and security in such transactions.

New Trusted Services in eIDAS 2.0

eIDAS 2.0 will introduce several new trusted services:

  • Issuance of electronically attested attributes: In addition to the information currently available in certificates, it will be possible to verify other attributes, such as the type of driver’s license, level of education achieved, and similar details.
  • Management of tools for creating remote electronic signatures and seals: Depending on the implementation, it will likely be possible to create qualified identities remotely without the need for a physical meeting, significantly simplifying electronic signing processes.
  • Trusted electronic archiving service: A provider certified to offer trusted electronic archiving services will be able to ensure the long-term storage of electronic documents themselves, not just the archiving of electronic signatures and seals.
  • Electronic ledger: A tool to ensure the integrity and sequence of electronic records, ensuring that, for example, a particular digital asset cannot be sold more than once. It is anticipated that this tool will be operated by the state rather than a commercial entity.
  • QWAC (Qualified Website Authentication Certificate): Although certificates for trusted web services already exist, web browser providers have not yet recognized them as trusted. eIDAS 2.0 introduces an obligation for web browser providers to recognize EU authorities and the qualified certificates they issue for website authentication.

For completeness, a few technical details:

  1. Providers will also need to comply with the NIS2 directive on cybersecurity, which increases security within the EU.
  2. Compatibility between QTS (Qualified Time Stamps) services will be enhanced, allowing them to function portably so that users can change providers annually according to their preferences.
  3. The validity of QSCD (Qualified Signature Creation Device) certification will be limited to 5 years. If a device loses its security standard and validity, the certificates on it cannot be considered qualified, thereby increasing the security of providing trusted services.

When will it happen?

The first draft of eIDAS 2.0 was published in the Official Journal of the European Union in 2021. The necessary processes took place in the European Council, the European Parliament, and the European Commission. In April 2024, the text of eIDAS 2.0 was published in the journal. The updated version of eIDAS 2.0 will come into effect in September 2024.

Throughout this year, the so-called implementation acts for the eWallet ecosystem will still be developed. Following this, the directive will be implemented in individual EU member states, which are required to provide their citizens with at least one eWallet by the end of 2026.

In Slovakia, rapid implementation is expected, given how much of the agenda is already digitized (a higher level than in other EU countries). It is possible that documents in mobile will be available by the end of this year. However, after the publication of the implementation acts, these documents will still need to comply with EU regulations.

The author of the article is Miroslav Rechtorík.