Without too much fanfare, the European Commission has recently put forward plans that might cause the largest leap forward in the European digital identity scene in the past twenty years. Here, I explain what the plans tell us and what a pan-European digital identity means for individuals and organisations.
What’s in the proposal and who will it affect?
The Commission seeks to establish a European digital identity standard and a matching mobile electronic identity (eID) wallet app for citizens and organisations of all 27 EU member states. While implementing the standard will be mandatory to the member states, the usage of the eID app will not be enforced and the eID must be made available at no charge for private individuals. Private individuals may link their eID with other official documents, such as driving licences and higher education diplomas, if they choose to. Notably, health-related information is not allowed to be linked – at least for now.
Every citizen and business inside the European Union will have the right to obtain the digital identity, and all public services and large private platforms will be obliged to accept it. Having 447 million citizens under a common eID scheme is second only to China.
The new eID will not replace pre-existing national IDs, but will provide citizens and organisations with an additional tool that they can use across borders within the whole European Union – both online and offline. The goal is to create a unified European framework that enables citizens to prove their identity in all of the member states – easing everyday tasks such as renting a car, checking in at a hotel, opening a bank account and filing taxes.
What about eIDAS?
Rome wasn’t built in a day, and the upcoming legislation didn’t pop out of thin air either. It has its roots in the 2014 eIDAS regulation (short for electronic IDentification, Authentication and trust Services), which laid the groundwork for EU-wide cross-border electronic identification and authentication services. However, as of this writing, only 14 out of the 27 member states have an eIDAS-compliant eID scheme, as eIDAS lacked provisions to force all national systems to be compatible with each other. In addition, it excluded the use of private services and didn’t foresee the ubiquity of, and integration with, smartphones.
The new proposal will mandate each nation to define at least one eIDAS-compliant strong authentication method within twelve months of passing the legislation. In order to further boost adoption, large service/platform providers must accept authentication via the eID wallet app if they accept any other strong digital identities.
Security and privacy
While personal smart devices such as smartphones and watches have enabled us to be more connected with our friends and families, storing strong digital identities on them requires careful security considerations. Security and privacy are an integral part of the new framework and mobile eID wallet design – not least due to the bloc’s strict General Data Protection Regulation (GDPR). Like the GDPR, the European Digital Identity will be underpinned by a regulation, which means all member states will have to adopt the eID wallet under the same conditions to avoid any discrepancies between the member states. To further decrease the number of discrepancies, the draft legislation mentions changes in regulation regarding digital signing and timestamping services, as well as how web browsers parse and present any identity data stored in TLS certificates.
If data is the new oil, then strong digital identities are gold nuggets. This new gold rush is currently underway throughout the world, and the Commission believes the digital identity framework can be up and running just one year after its entry into force, with technical details finalised no later than six months before the new legislation takes effect. This places very high demands on the national governments alongside the private sector.
Like all other EU directives, the actual design and implementation of the eID wallet app and its APIs are up to each of the member states. Ubisecure’s active participation in the related national workgroups hosted by the Ministry of Finance and the Finnish Transport and Communications Agency gives us a front-row view of the evolving APIs, and enables us to build and thoroughly test our implementation in parallel, as implementation of the directive will have to proceed within very strict timeframes.
Ubisecure – our involvement
We have gained deep insights from working with the Finnish Trust Network, which has already presented both Ubisecure and the other Finnish members with many of the same challenges that the new EU legislation faces – interoperability, trust, security and privacy. The European Union has been criticised for lagging behind on digitalisation when compared to, for example, the Silicon Valley innovation cluster, so it is very welcome to see the EU take the lead on strong digital identities.
As the leading European Identity and Access Management (IAM) specialist, Ubisecure is ideally placed to support European organisations’ digital identity objectives. Get in touch to learn about this initiative, or to discuss your own digital identity management project.