lessons learnt from eidas : key success & limits · alban feraud - standardization &...
TRANSCRIPT
Alban FERAUD - Standardization & regulatory affairs director
Lessons learnt from eIDAS : key success & limits
22/12/2017
→1 What is eIDAS?
→2 Key success
→3 Limits
→4 Main findings
Lessons learnt from eIDAS : key success & limits, 22/12/2017, Public
eIDAS : European regulation to foster digital economy
Electronic identity and trust services
• Define a classification of electronic identities, assessing their quality & trust
• Define a particular subset of trust services, with legal value, named Qualified Trust Services (QTS)
• Solve (some) flaws of the previous eSignature directive (1999/93/CE)
Foster internal market by bringing trust & provide building blocks for Digital Single Market
• Organize cross recognition of electronic identity and trust services
• Define trust classification for better visibility
• Define role, obligations and responsibility of each party
• Organise free circulation of devices used to perform trust services
• Organize transnational usage of electronic ID and trust services
Key principles
• Technology neutral, so that it does not exclude any technology
• Legal effects are bound to metrics of quality, expressed in technology neutral terms
Uniform framework for digital identity and trust services
eIDAS : European regulation to foster digital economy
2014 July 23rd – Adoption of the regulation
2015 September 29th – Voluntary recognition of identities
2016 July 1st – Trust services rules apply
2018 September 29th – Mandatory recognition of notified identities
Trust services
Qualified vs non qualified
• Electronic signature/eSeals
• Time stamping
• Website authentication
• Verification & validation of eSignature/eSeals (Q)
• Preservation of eSignatures, eSeals or certificates related to trust services (Q)
• Electronic registered delivery service (Q)
Electronic identity
• National choice for the characteristics
• Recognition on a commonly agreed level (Low, Substantial, High)
• Recognition on a voluntary principle (opt-in principle) : notification
• BUT all the countries shall accept notified identities
Key success
Strong interest of the private sectors
• Many benefits of digital identities
• Main sectors : mobile operators, banking
Foster digital identity programs in member states
• The automatic recognition of notified identities fosters the development of national programs
• Multiplication of electronic identity schemes to increase penetration
• Development of a market of identity providers (e.g. eResidency in EST)
Incentive to increase trust in digital identity & trust service
• Digital identity : higher trust & larger number of acceptors
• Qualified Trust service : shift of the liability that brings trust to citizens
• Digital Signature/seal with legal value : shall be combined with validation/preservation to give trust to the acceptor
• Virtuous circle to create trust in digital world
Interoperability of electronic identity is possible starting from a fragmented landscape
• Shift from the eID means to the eID scheme
• Interoperability through “nodes” interconnecting the infrastructure (backend)
Digital identity in Europe on the move
• Development of digital identity schemes
• Take up of eIDAS => development of “nodes”
• First notification in September 2017. More to come in 2018
Limits
Strong demand from the private sectors, but slow transformation
• Very narrow scope of application of the regulation. Does not cover private sectors.
• Embarking and engaging the private sector, as well as the extent and the conditions, rely on the country's will
• Still a fragmented approach
Lack of attributes management
• The exchange of attributes would have been a key enabler to foster even more usage
• Current experience shows it is difficult to leverage the digital identity infrastructure when specific attributes are required (eHealth,…)
Incomplete provision for privacy services
• Qualified electronic signature under pseudonym is allowed but…
• No word about the anonymity lifting
• Not covered by the current work on the “nodes”
Still a lot to do for electronic identity of legal persons
• Important use case concerning a target that could easily be mobilized
• Not covered by the current work on the “nodes”
Which lessons?
Cross recognition of digital identity and trust services between countries is possible…
• Successful law
• Virtuous circles
• Notification mechanism
• Incentive to increase trust in digital identity & trust service
• For the citizen
• For the electronic signature/seal
• Successful model for close cooperation of countries willing to develop internal market and raise trust
…but take into account the limits
• From the very beginning think about identity attributes exchanges to foster all usages
• Embark & engage from the very beginning the private sectors in digital identity ecosystem
• Include it in the provision of the law so that it can contribute & benefit from the cross recognition
• Treat with the same level of importance digital identity for legal person
CONTACT
Alban FERAUD
Standardization & regulatory affairs director
Citizen Identity Business Unit