eIDAS 2021 : Review Affecting Lawyers ?

One consequence of the lockdown is that electronic contracts are the new applicable rule. These e-agreements will continue to be used for quite some time as organisations realize the practical and operational benefits of being able to contract electronically.

eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market. The Electronic Identification, Authentication and Trust Services Regulation (eIDAS) sets out the framework for the legality of electronic signatures in the EU.

In particular, eIDAS defines, and regulates the use of, qualified electronic signatures (QES) and provides a single set of rules across the EU. Qualified Electronic Signature is the highest standard of electronic signature, providing the greatest level of assurance.

The Commission has announced that it will review the eIDAS Regulation to improve its effectiveness, extend its application to the private sector and promote it. The initiative will build on the results of the ongoing review of the eIDAS Regulation, which is linked to the regulatory obligation for review included in Article 49 of the Regulation.

As part of the Review, the Commission has published an inception impact assessment, which concluded that the potential of electronic identification and authentication under eIDAS remains underexploited. The European Council has asked the Commission to introduce the EU-wide digital ID system by 2021, to secure the identification for the use of public and private online services.

What is an eID?

An electronic identification (“eID”) is a digital solution for proof of identity of citizens or organizations. eIDs can be used to access benefits or services provided by governments, authorities, banks or other companies, for mobile payments, etc. Apart from online authentication and login, many electronic identity services also give users the option to sign electronic documents with a digital signature.

What is a European Digital Identity Wallet?

The EU Digital Identity Wallet, which will be offered by Member States to their citizens at national level, will allow Europeans to store identity-related data and official documents – such as driving licences, COVID-19 vaccination details and educational qualifications – in electronic format. These documents can then be used as digital proof of identity across the European Union to enable people to access public and private services in all kinds of situations, ranging from paying taxes to renting a car. The EU Digital Identity Wallet will enable people to choose which aspects of their identity they share with third parties, and to keep track of what is shared with whom. In other words, it will put them in control of their data.

The European Commission, Member States and private sector are said to be collaborating closely on the development of the necessary common standards for the EU Digital Identity Wallet. The aim is to test these standards in pilot projects from October 2022 onwards. This harmonized approach should avoid further fragmentation and divergent national solutions and maximise the applicability and interoperability of the EU Digital Identity Wallet throughout the European Union.

The European Commission’s proposal to create a unified, trusted and secure European electronic identity (eID) looks very ambitious, in terms of both its requirements related to privacy, security and usability and its timelines. The ambition to give people and businesses control over their data is a very worthy one and would represent a major step forward. However, by making this a public-first initiative, Europe runs the risk of overlooking the mature Digital Identity market and its specialised Digital Identity solution providers. They should play a key role in driving the much-needed usability and mass adoption of trusted digital identities across Europe as certified Digital Identity Wallet providers.

How does the eIDAS 2021 Review Affect Lawyers?

However, this Regulation has excluded lawyers from its scope, given that they are renowned persons and are subject to an obligation of identification. This lack of precision toward lawyers requires an analysis.

  1. Drawbacks of the eIDAS regulation
  2. An exclusion of lawyers: Who is concerned by the eIDAS Regulation?

The Regulation involves the citizens, the companies, the public sector bodies and the trust services providers established in the European Union. It covers in particular the exchanges between the users and the administrations. Mechanisms of mutual recognition of electronic identification means and electronic signatures, detailed

The private sector is less affected by eIDAS than public services and government agencies. Regardless of that fact, most businesses blame their late entrance on other obstacles.

However, the Regulation does not apply to trust services used only in closed systems that have no direct impact on third parties, resulting from national law or agreements within a group of defined participants. For instance, an administrative authority which sets up a public key infrastructure to cover its internal needs would not be subjected to the requirements of the eIDAS Regulation applicable to trust services.

  1.  The legal impacts and characteristics of the eIDAS Regulation

An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.

In October 2019, two security flaws in eIDAS-Node (a sample implementation of the eIDAS Profile provided by the European Commission) were discovered by security researchers; both vulnerabilities were patched for version 2.3.1 of eIDAS-Node.

Besides its particular effects regarding electronic identification and trust services, the Regulation has the following impacts:

It repeals Directive 1999/93/EC on electronic signatures; it grants legal effect to electronic documents, specifying that they cannot be denied legal effect as evidence in legal proceedings solely on the grounds that they are in an electronic form.

ANSSI’s role in the eIDAS Regulation: ANSSI is doubly involved in the implementation of the regulation: as a security guarantor for the “electronic identification” part, as the supervisory body for the “trust services” part, as the certification body of qualified electronic signature/seal creation devices, and finally as the body in charge of the trusted list.

II-             Advantages of the eIDAS regulation

  1. The importance of eIDAS for lawyers as users

The pros of qualified signatures are that they are guaranteed to be recognised and accepted across the EU for all purposes (national security excepted) and that, in some markets, qualified may be a ticket to trade. The cons are the price level and the potential lack of fit between the process at hand and qualified services/mechanisms. For non-qualified, the actors involved must agree what is sufficient for the process, which requires judgement but may lead to cost savings and smoother processes. A non-qualified trust service may well be recognised across the EU; the market decides but the recognition is not guaranteed.

All Member States are required to issue within 12 months at least one eID scheme (any level), European Digital Identity Wallet (validation, online authentication …).

   2. The advantages of using attribute certificates

As an EU regulation, eIDAS applies in all EU Member States, overriding national law in case of conflict. Since eIDAS is “of EEA relevance”, eIDAS also applies to Norway, Liechtenstein and Iceland.

In addition, since it is a Regulation, it benefits from direct application which means that it does not need to be mediated into national law by means of implementing measures and that it overrides all national laws dealing with the same subject matter.

eIDAS is a result of the European Commission’s focus on Europe’s Digital Agenda. With the Commission’s oversight, eIDAS was implemented to spur digital growth within the EU.

The intent of eIDAS is to drive innovation. By adhering to the guidelines set for technology under eIDAS, organisations are pushed towards using higher levels of information security and innovation. Additionally, eIDAS focuses on the following:

Interoperability: Member States are required to create a common framework that will recognize eIDs from other Member States and ensure their authenticity and security. That makes it easy for users to conduct business across borders.

Transparency: eIDAS provides a clear and accessible list of trusted services that may be used within the centralised signing framework. That allows security stakeholders the ability to engage in dialogue about the best technologies and tools for securing digital signatures.

Database information has to be linked to some kind of identity number. Certifying that a person has the right to access some personal information involves several steps: connecting a person to a number, which can be done through methods developed in one country, such as digital certificates; and connecting a number to specific information, which is done in databases.

For eIDAS, the number used by the country holding the information must be connected to the number used by the country issuing the digital certificates. The minimum identity concept in eIDAS is the name and birth date. But in order to access more sensitive information, some kind of certification is needed that identity numbers issued by two countries refer to the same person.

If an attribute is incorporated into the public key infrastructure certificate, any change to it requires revocation of that certificate. Otherwise the certificate is no longer up to date: the lawyer is no longer a lawyer, or no longer has the right to represent a legal entity. A short validity period can ensure reliability for many attributes outside identity.
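The trade-off described above can be seen in a small model. This is an added illustration, not code from the Regulation or from any eIDAS implementation. The record layouts, function names, the 24-hour lifetime and the HMAC used in place of an attribute authority's signature are all assumptions made for the example.

```python
import hashlib
import hmac
import json

HOUR = 3600
DAY = 24 * HOUR
# Constructed demo key. HMAC stands in for the attribute authority's
# signature so the example runs offline; a real authority signs with a private key.
AA_KEY = b"constructed-demo-key-not-a-real-secret"

def _mac(body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(AA_KEY, msg, hashlib.sha256).hexdigest()

def issue_attribute_cert(holder_fp, attribute, now, lifetime):
    """Bind one attribute to an identity certificate (by fingerprint)."""
    body = {"holder": holder_fp, "attr": attribute,
            "not_before": now, "not_after": now + lifetime}
    return {"body": body, "sig": _mac(body)}

def verify_attribute_cert(ac, presented_fp, attribute, now):
    """Return (ok, reason): signature, holder binding, attribute, validity."""
    body = ac["body"]
    if not hmac.compare_digest(ac["sig"], _mac(body)):
        return False, "bad signature"
    if body["holder"] != presented_fp:
        return False, "bound to a different identity certificate"
    if body["attr"] != attribute:
        return False, "attribute not asserted"
    if not body["not_before"] <= now <= body["not_after"]:
        return False, "outside validity period"
    return True, "ok"

def embedded_attr_accepted(id_cert, attribute, now, revoked_serials):
    """Attribute inside the identity cert: only revocation can withdraw it."""
    if id_cert["serial"] in revoked_serials:
        return False
    return (attribute in id_cert["attrs"]
            and id_cert["not_before"] <= now <= id_cert["not_after"])

def demo():
    t0 = 1_700_000_000  # constructed timestamp
    id_cert = {"serial": 1001, "attrs": ["lawyer"],
               "not_before": t0, "not_after": t0 + 730 * DAY}
    fp = hashlib.sha256(json.dumps(id_cert, sort_keys=True).encode()).hexdigest()
    ac = issue_attribute_cert(fp, "lawyer", t0, lifetime=DAY)
    struck_off = t0 + 2 * HOUR     # holder stops being a lawyer here
    later = struck_off + 30 * DAY  # the authority just stops issuing new ACs
    return {
        "embedded_stale_list": embedded_attr_accepted(id_cert, "lawyer", later, set()),
        "embedded_fresh_list": embedded_attr_accepted(id_cert, "lawyer", later, {1001}),
        "ac_before_expiry": verify_attribute_cert(ac, fp, "lawyer", t0 + 23 * HOUR),
        "ac_after_expiry": verify_attribute_cert(ac, fp, "lawyer", later),
        "ac_wrong_holder": verify_attribute_cert(ac, "0" * 64, "lawyer", t0 + HOUR),
    }
```

The attribute certificate is still accepted 21 hours after the holder loses the status, so the exposure is bounded by its lifetime, whereas the embedded attribute stays accepted for as long as a relying party works from a revocation list that lacks the serial.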

