Written by Dr. Carlos Galán, PhD in Informatics, lawyer specialized in IT law and advisor for Addalia
1. The required cross-border harmonization
The content of the European Directive 1999/93/EC of the European Parliament and the Council, which establishes a community framework for the electronic signature and its heterogeneous transposition to the regulation of the member states, meant that the original desire to have a fluid and rights-based cross-border relation between people and organizations did not materialize adequately.
Effectively, the relationship between states requieres, in most cases, reliable and homogenous mechanisms in terms of identification and electronic signatures. For example, a coherent development of the electronic public procurement is not possible if the involved parties (contracting authorities and tenderers, from any European state) don’t have identification and signature mechanisms recognized likewise by all of them.
Conscious of this reality, the European Union institutions have worked over the last years on a regulation which, with a mandatory nature for its European addressees, points out in a harmonized way the identification and signature mechanisms which must be accepted by all in their cross-border relations.
YOU ALSO MAY LIKE
WHAT IS IDENTITY AND HOW IS IT USED IN DIGITAL TRANSACTIONS
The result of this is the Regulation (EU) 910/2014 of the European Parliament and of the Council, relative to electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/CE, known as eIDAS Regulation.
In this way, the eIDAS Regulation seeks to assure the interoperability in the UE:
- Of Electronic Identification (of people and institutions)
- Of Trust Services (among them the generations and issue of electronic certificated and other trust services)
Its legal status (European Regulation) concedes the eIDAS Regulation the power to be directly applicable in the member states (displacing, for example, the Law 59/2003 of electronic signature.
The following graph shows a scheme of the services regulated by the eIDAS Regulation.
A new national law of Trust Services, which as these lines are being written is still a draft, will regulate those aspects the eIDAS Regulation leaves to the free regulation of the member states.
2. Electronic identification in EU Law
One of the reasons that prompted the European Institutions to publish the regulation (EU) 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market, known as eIDAS Regulation, was the desire to maintain the principles of the interior market. In this way, a trust service provider established in a Member State can offer those services in another Member State without restriction, allowing free movement within the internal market for trusted products and services conforming to the aforementioned Regulation.
These principles relating to the interior market allow and oblige the mutual recognition of the electronic identification solutions issued and notified
- The identification solution has been issued by virtue of an electronic identification system included in the list published by the Commission in accordance with the article 9 in eIDAS Regulation.
- The level of security of the electronic identification solution correspond to an equal or higher level of security than the one required by the public sector body to access to that online service in the first member state, as long as the level of security of the electronic identification solution corresponds to a substantial or high level of security.
- And the public sector body at issue uses a substantial or high level of security in relation to the access to that online service.
As shown in the chart below, the eIDAS Regulation considers three levels of security: low, substantial and high, according to the level of trust of a identification solution in the alleged or declared identity of a person, levels of security regulated in the Implementing Regulation (EU) 2015/1502.
Level of security | Description |
Low | It will refer to an electronic identification solution, in the context of an electronic identification system, that establishes a limited degree of trust in the alleged or declared identity of a person and is described with reference to the technical specifications, the rules and procedures of it, among other technical controls, which aims to reduce the risk of wrongful use or identity alteration. |
Substantial | It will refer to an electronic identification solution, in the context of an electronic identification system, that establishes a substantial degree of trust in the alleged or declared identity of a person and is described with reference to the technical specifications, the rules and procedures of it, among other technical controls, which aims to reduce the risk of wrongful use or identity alteration. |
High | It will refer to electronic identification solution, in the context of an electronic identification system, that establishes a degree of trust in the alleged or declared identity of a person superior to the electronic identification solution with a substantial level of security, and is described with reference to the technical specifications, the rules and procedures of it, among other technical controls, which aims to reduce the risk of wrongful use or identity alteration. |
The mutual recognition of the electronic identification solutions will be mandatory from the 29th of September 2018 onwards, meaning the member states must encourage the use of electronic identification solutions also in the private sector.